SQL injection vulnerability
Hi all,
I recently took over the hosting of a 1.7.0.2 shop. I have patched this shop as it was missing several patches. For some reason I had to do it manually, as running the script did not work (although I did not get any messages). Maybe this was due to line differences. It took a long time, but the Magento security scan passed.
Just last week, the site was scanned by a third party for weaknesses. It reported two high risk sql injection vulnerabilities. It has to do with price[to] and price[from] when using the catalogsearch/advanced/result.
I've looked through all patches I applied (maybe I've missed something), but I could not find anything related to prices. Is this a known problem and, more importantly, how can I fix this?
Thank you in advance for your help!
Best regards,
Maurice.
Edit: I have found out it has to do with the UTF-8 character: e309
The query-string added is: ?name=John&description=1&short_description=1&sku=1&merk=1&price%5Bto%5D=1e309&price%5Bfrom%5D=1&tax_class_id%5B%5D=0
which works when the e309 character is omitted. It also does not work when the character is set after any other parameter except price.
Re: SQL injection vulnerability
On suggestion, I've changed ->getQuery() to ->getParams() in the AdvancedController, but that makes no difference.
To make the problem more clear, this url is used and generates the error log that follows:
/index.php/catalogsearch/advanced/result/?name=John&description=1&short_description=1&sku=1&merk=1&tax_class_id%5B%5D=0&price%5Bto%5D=1e309&price%5Bfrom%5D=1
And the error log:
SQLSTATE[42S22]: Column not found: 1054 Unknown column 'INF' in 'where clause'
Trace:
#0 /httpdocs/lib/Varien/Db/Statement/Pdo/Mysql.php(110): Zend_Db_Statement_Pdo->_execute(Array)
#1 /httpdocs/lib/Zend/Db/Statement.php(300): Varien_Db_Statement_Pdo_Mysql->_execute(Array)
#2 /httpdocs/lib/Zend/Db/Adapter/Abstract.php(479): Zend_Db_Statement->execute(Array)
#3 /httpdocs/lib/Zend/Db/Adapter/Pdo/Abstract.php(238): Zend_Db_Adapter_Abstract->query('SELECT DISTINCT...', Array)
#4 /httpdocs/lib/Varien/Db/Adapter/Pdo/Mysql.php(419): Zend_Db_Adapter_Pdo_Abstract->query('SELECT DISTINCT...', Array)
#5 /httpdocs/lib/Zend/Db/Adapter/Abstract.php(825): Varien_Db_Adapter_Pdo_Mysql->query(Object(Varien_Db_Select), Array)
#6 /httpdocs/lib/Varien/Data/Collection/Db.php(225): Zend_Db_Adapter_Abstract->fetchOne(Object(Varien_Db_Select), Array)
#7 /httpdocs/app/code/core/Mage/CatalogSearch/Block/Advanced/Result.php(90): Varien_Data_Collection_Db->getSize()
#8 /httpdocs/app/design/frontend/default/bqp/template/catalogsearch/advanced/result.phtml(31): Mage_CatalogSearch_Block_Advanced_Result->getResultCount()
#9 /httpdocs/app/code/core/Mage/Core/Block/Template.php(241): include('/var/www/vhosts...')
#10 /httpdocs/app/code/core/Mage/Core/Block/Template.php(272): Mage_Core_Block_Template->fetchView('frontend/defaul...')
#11 /httpdocs/app/code/core/Mage/Core/Block/Template.php(286): Mage_Core_Block_Template->renderView()
#12 /httpdocs/app/code/core/Mage/Core/Block/Abstract.php(867): Mage_Core_Block_Template->_toHtml()
#13 /httpdocs/app/code/core/Mage/Core/Block/Text/List.php(43): Mage_Core_Block_Abstract->toHtml()
#14 /httpdocs/app/code/core/Mage/Core/Block/Abstract.php(867): Mage_Core_Block_Text_List->_toHtml()
#15 /httpdocs/app/code/core/Mage/Core/Block/Abstract.php(586): Mage_Core_Block_Abstract->toHtml()
#16 /httpdocs/app/code/core/Mage/Core/Block/Abstract.php(530): Mage_Core_Block_Abstract->_getChildHtml('content', true)
#17 /httpdocs/app/design/frontend/default/bqp/template/page/2columns-right.phtml(56): Mage_Core_Block_Abstract->getChildHtml('content')
#18 /httpdocs/app/code/core/Mage/Core/Block/Template.php(241): include('/var/www/vhosts...')
#19 /httpdocs/app/code/core/Mage/Core/Block/Template.php(272): Mage_Core_Block_Template->fetchView('frontend/defaul...')
#20 /httpdocs/app/code/core/Mage/Core/Block/Template.php(286): Mage_Core_Block_Template->renderView()
#21 /httpdocs/app/code/core/Mage/Core/Block/Abstract.php(867): Mage_Core_Block_Template->_toHtml()
#22 /httpdocs/app/code/core/Mage/Core/Model/Layout.php(555): Mage_Core_Block_Abstract->toHtml()
#23 /httpdocs/app/code/core/Mage/Core/Controller/Varien/Action.php(390): Mage_Core_Model_Layout->getOutput()
#24 /httpdocs/app/code/core/Mage/CatalogSearch/controllers/AdvancedController.php(59): Mage_Core_Controller_Varien_Action->renderLayout()
#25 /httpdocs/app/code/core/Mage/Core/Controller/Varien/Action.php(419): Mage_CatalogSearch_AdvancedController->resultAction()
#26 /httpdocs/app/code/core/Mage/Core/Controller/Varien/Router/Standard.php(254): Mage_Core_Controller_Varien_Action->dispatch('result')
#27 /httpdocs/app/code/core/Mage/Core/Controller/Varien/Front.php(176): Mage_Core_Controller_Varien_Router_Standard->match(Object(Mage_Core_Controller_Request_Http))
#28 /httpdocs/app/code/core/Mage/Core/Model/App.php(354): Mage_Core_Controller_Varien_Front->dispatch()
#29 /httpdocs/app/Mage.php(683): Mage_Core_Model_App->run(Array)
#30 /httpdocs/index.php(97): Mage::run('', 'store')
#31 {main}
Any ideas?
Thank you in advance!
Re: SQL injection vulnerability
Nobody got a clue how to fix this??
Re: SQL injection vulnerability
Is this really a SQL injection? I am not sure why this is on the security patches forum. To fix your bug modify the system to force the input to be an integer and your error should be all cleared up.
My Magento Security Podcast
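The advice above (force the price bound to be a number before it reaches the query) can be illustrated with a small stand-alone PHP script. This is an added example written for this thread, not Magento's own code or the poster's patch; the function names `unsafePriceCondition`, `normalizePriceBound` and `buildPriceCondition` are invented for illustration and are not Magento APIs. It shows why the value `1e309` from the query string ends up in the WHERE clause as the bare token `INF` (PHP's float conversion overflows to INF and its string form is "INF", which MySQL then parses as a column name, matching the "Unknown column 'INF'" error in the log), and a validation plus parameter-binding step that keeps such input out of the SQL text entirely.

```php
<?php
// Added example, not Magento code. Demonstrates the 1e309 -> INF failure
// and a validation step that rejects it before the value reaches SQL.
declare(strict_types=1);

/**
 * Mimics the unsafe path: cast the raw request value to float and
 * interpolate it into SQL text. PHP parses '1e309' as a float that
 * overflows to INF, and (string) INF is the literal text "INF", which
 * MySQL reads as an identifier -> "Unknown column 'INF' in 'where clause'".
 */
function unsafePriceCondition(string $raw): string
{
    $value = (float) $raw;
    return 'price <= ' . $value;   // '1e309' -> "price <= INF"
}

/**
 * Validation a defender would add before the value touches the query:
 *  - strict decimal syntax (digits, optional fraction; no exponent, no sign)
 *  - finite (rejects INF/NAN that PHP's float cast can produce)
 *  - non-negative and within a sane length for a catalogue price
 * Returns null when the bound should be ignored.
 */
function normalizePriceBound(?string $raw): ?float
{
    if ($raw === null || $raw === '') {
        return null;
    }
    if (!preg_match('/^\d{1,12}(\.\d{1,4})?$/', $raw)) {
        return null;
    }
    $value = (float) $raw;
    if (!is_finite($value) || $value < 0) {
        return null;
    }
    return $value;
}

/**
 * Safe construction: the bounds are validated and then passed as bind
 * parameters, so they can never be read as identifiers or SQL syntax.
 * Returns [sqlFragment, bindArray] for use with a prepared statement.
 */
function buildPriceCondition(?string $from, ?string $to): array
{
    $conditions = [];
    $bind = [];
    $lo = normalizePriceBound($from);
    $hi = normalizePriceBound($to);
    if ($lo !== null) {
        $conditions[] = 'price >= :price_from';
        $bind['price_from'] = $lo;
    }
    if ($hi !== null) {
        $conditions[] = 'price <= :price_to';
        $bind['price_to'] = $hi;
    }
    return [implode(' AND ', $conditions), $bind];
}

// Constructed sample inputs, including the values from the thread's URL.
$inputs = ['1', '1e309', '12.50', 'abc', '-5'];
foreach ($inputs as $in) {
    printf("%-8s unsafe: %-16s validated: %s\n",
        $in,
        unsafePriceCondition($in),
        var_export(normalizePriceBound($in), true));
}

[$sql, $bind] = buildPriceCondition('1', '1e309');
echo 'WHERE ' . $sql . '  bind=' . json_encode($bind) . "\n";
// price[to]=1e309 is simply dropped; only "price >= :price_from" remains.
```

Running it with `php` prints one line per sample input: `1e309` produces `price <= INF` on the unsafe path and `NULL` from the validator, while `12.50` passes. The point of the regex is to accept only the decimal syntax a price form should ever send; `is_finite()` is the second line of defence in case a looser cast is used elsewhere, and binding the value as a parameter means that even a value the validator lets through is sent as data, not as SQL text.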
Re: SQL injection vulnerability
This is a vulnerability. It is not a template option.