Hi all,
I'm a newbie at Magento. I recently took over the hosting of a 1.7.0.2 shop. I have patched this shop, as it was missing several patches. For some reason I had to do it manually, as running the script did not work (although I did not get any messages). Maybe this was due to line differences. It took a long time, but the Magento security scan passed.
Just last week, the site was scanned by a third party for weaknesses. They reported two high-risk SQL injection vulnerabilities, both on the same URL. It has to do with price[to] and price[from] for the URL: catalogsearch/advanced/result.
I've gone through all the patches I applied (maybe I've missed something), but I could not find anything related to prices or catalogsearch.
I have found out that it has to do with the UTF8 character: e309
The query-string added after the url is: ?name=John&description=1&short_description=1&sku=1&merk=1&price%5Bto%5D=1e309&price%5Bfrom%5D=1&tax_class_id%5B%5D=0
which gives the error/injection possibility. When the e309 character is omitted, it works as intended. The error is not shown when the character is added after any other parameter except price.
Is this a known problem and, more importantly, how can I fix this?
Thank you in advance for your help!
Best regards,
Maurice.
Hello @MedusaDelft
Maybe you can change the price range for that; it will solve your problem.
Otherwise, buy some module to enable SEO URLs for the filter.
Hope it will help you.
If it helps you, then mark it as the solution.
Hi Sunil,
Thank you for your response, but I don't understand your solution.
How can I change the price range as this is an SQL injection vulnerability?
index.php/catalogsearch/advanced/result/?name=John&description=1&short_description=1&sku=1&merk=1&tax_class_id%5B%5D=0&price%5Bto%5D=1e309&price%5Bfrom%5D=1
I have set the additional code in italics and underlined and the problem parameter in bold.
The request parameter (price-array) is not checked properly.
But maybe I just didn't explain myself properly. If so, sorry for that.
Maurice.
Hello,
You can do it like this: change the request from GET to POST and make the necessary changes on the server side.
Hi @Sunil Patel,
I cannot use POST, as this is a result of a security check by a third party.
Yes, I understand I need to make changes server side. The Object that is used for the search contains a 'price' value '1 - 1e309'.
So do you know in which program/where the parameters are filtered? (I'm new to Magento and recently took over the hosting of a shop).
Thank you in advance,
Maurice.
Hello,
check this controller
Mage_CatalogSearch_AdvancedController
// here you need to change it
//$this->getRequest()->getQuery() to $this->getRequest()->getParams()
```php
public function resultAction()
{
    $this->loadLayout();
    try {
        Mage::getSingleton('catalogsearch/advanced')->addFilters($this->getRequest()->getQuery());
        // here you need to change it
        //$this->getRequest()->getQuery() to $this->getRequest()->getParams()
    } catch (Mage_Core_Exception $e) {
        Mage::getSingleton('catalogsearch/session')->addError($e->getMessage());
        $this->_redirectError(
            Mage::getModel('core/url')
                ->setQueryParams($this->getRequest()->getQuery())
                ->getUrl('*/*/')
        );
    }
    $this->_initLayoutMessages('catalog/session');
    $this->renderLayout();
}
```
Hope it will help you.
If it helps you, then mark it as the solution.
Hi @Sunil Patel,
Thank you for your quick reply.
Unfortunately, it does not solve the problem.
```text
// var_dump( $this->getRequest()->getQuery() )
array(7) {
  ["name"]=>
  string(4) "John"
  ["description"]=>
  string(1) "1"
  ["short_description"]=>
  string(1) "1"
  ["sku"]=>
  string(1) "1"
  ["merk"]=>
  string(1) "1"
  ["tax_class_id"]=>
  array(2) {
    [0]=>
    string(1) "0"
    [1]=>
    string(1) "0"
  }
  ["price"]=>
  array(2) {
    ["to"]=>
    string(5) "1e309"
    ["from"]=>
    string(1) "1"
  }
}

// var_dump( $this->getRequest()->getParams() )
array(7) {
  ["name"]=>
  string(4) "John"
  ["description"]=>
  string(1) "1"
  ["short_description"]=>
  string(1) "1"
  ["sku"]=>
  string(1) "1"
  ["merk"]=>
  string(1) "1"
  ["tax_class_id"]=>
  array(2) {
    [0]=>
    string(1) "0"
    [1]=>
    string(1) "0"
  }
  ["price"]=>
  array(2) {
    ["to"]=>
    string(5) "1e309"
    ["from"]=>
    string(1) "1"
  }
}
```
The result is the same.
It does not get filtered properly.
Which value are you entering into the form?
It's just a URL used by the security company to check for vulnerabilities:
index.php/catalogsearch/advanced/result/?name=John&description=1&short_description=1&sku=1&merk=1&tax_class_id%5B%5D=0&price%5Bto%5D=1e309&price%5Bfrom%5D=1
This results in a high-risk SQL injection vulnerability.
Maybe this helps a bit, the error message:
```text
SQLSTATE[42S22]: Column not found: 1054 Unknown column 'INF' in 'where clause'
Trace:
#0 /httpdocs/lib/Varien/Db/Statement/Pdo/Mysql.php(110): Zend_Db_Statement_Pdo->_execute(Array)
#1 /httpdocs/lib/Zend/Db/Statement.php(300): Varien_Db_Statement_Pdo_Mysql->_execute(Array)
#2 /httpdocs/lib/Zend/Db/Adapter/Abstract.php(479): Zend_Db_Statement->execute(Array)
#3 /httpdocs/lib/Zend/Db/Adapter/Pdo/Abstract.php(238): Zend_Db_Adapter_Abstract->query('SELECT DISTINCT...', Array)
#4 /httpdocs/lib/Varien/Db/Adapter/Pdo/Mysql.php(419): Zend_Db_Adapter_Pdo_Abstract->query('SELECT DISTINCT...', Array)
#5 /httpdocs/lib/Zend/Db/Adapter/Abstract.php(825): Varien_Db_Adapter_Pdo_Mysql->query(Object(Varien_Db_Select), Array)
#6 /httpdocs/lib/Varien/Data/Collection/Db.php(225): Zend_Db_Adapter_Abstract->fetchOne(Object(Varien_Db_Select), Array)
#7 /httpdocs/app/code/core/Mage/CatalogSearch/Block/Advanced/Result.php(90): Varien_Data_Collection_Db->getSize()
#8 /httpdocs/app/design/frontend/default/bqp/template/catalogsearch/advanced/result.phtml(31): Mage_CatalogSearch_Block_Advanced_Result->getResultCount()
#9 /httpdocs/app/code/core/Mage/Core/Block/Template.php(241): include('/var/www/vhosts...')
#10 /httpdocs/app/code/core/Mage/Core/Block/Template.php(272): Mage_Core_Block_Template->fetchView('frontend/defaul...')
#11 /httpdocs/app/code/core/Mage/Core/Block/Template.php(286): Mage_Core_Block_Template->renderView()
#12 /httpdocs/app/code/core/Mage/Core/Block/Abstract.php(867): Mage_Core_Block_Template->_toHtml()
#13 /httpdocs/app/code/core/Mage/Core/Block/Text/List.php(43): Mage_Core_Block_Abstract->toHtml()
#14 /httpdocs/app/code/core/Mage/Core/Block/Abstract.php(867): Mage_Core_Block_Text_List->_toHtml()
#15 /httpdocs/app/code/core/Mage/Core/Block/Abstract.php(586): Mage_Core_Block_Abstract->toHtml()
#16 /httpdocs/app/code/core/Mage/Core/Block/Abstract.php(530): Mage_Core_Block_Abstract->_getChildHtml('content', true)
#17 /httpdocs/app/design/frontend/default/bqp/template/page/2columns-right.phtml(56): Mage_Core_Block_Abstract->getChildHtml('content')
#18 /httpdocs/app/code/core/Mage/Core/Block/Template.php(241): include('/var/www/vhosts...')
#19 /httpdocs/app/code/core/Mage/Core/Block/Template.php(272): Mage_Core_Block_Template->fetchView('frontend/defaul...')
#20 /httpdocs/app/code/core/Mage/Core/Block/Template.php(286): Mage_Core_Block_Template->renderView()
#21 /httpdocs/app/code/core/Mage/Core/Block/Abstract.php(867): Mage_Core_Block_Template->_toHtml()
#22 /httpdocs/app/code/core/Mage/Core/Model/Layout.php(555): Mage_Core_Block_Abstract->toHtml()
#23 /httpdocs/app/code/core/Mage/Core/Controller/Varien/Action.php(390): Mage_Core_Model_Layout->getOutput()
#24 /httpdocs/app/code/core/Mage/CatalogSearch/controllers/AdvancedController.php(59): Mage_Core_Controller_Varien_Action->renderLayout()
#25 /httpdocs/app/code/core/Mage/Core/Controller/Varien/Action.php(419): Mage_CatalogSearch_AdvancedController->resultAction()
#26 /httpdocs/app/code/core/Mage/Core/Controller/Varien/Router/Standard.php(254): Mage_Core_Controller_Varien_Action->dispatch('result')
#27 /httpdocs/app/code/core/Mage/Core/Controller/Varien/Front.php(176): Mage_Core_Controller_Varien_Router_Standard->match(Object(Mage_Core_Controller_Request_Http))
#28 /httpdocs/app/code/core/Mage/Core/Model/App.php(354): Mage_Core_Controller_Varien_Front->dispatch()
#29 /httpdocs/app/Mage.php(683): Mage_Core_Model_App->run(Array)
#30 /httpdocs/index.php(97): Mage::run('', 'store')
#31 {main}
```
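Reading the error message above together with the 1e309 value in the URL: PHP parses "1e309" as the float INF, and if that float is turned back into a string when the price condition is built, the WHERE clause contains the bare word INF, which MySQL treats as a column name. The PHP below is an added example, not Magento's or Zend's own code; it models that unsafe rendering in simplified form (the thread does not show the exact core code path) and puts a validation step beside it that rejects non-finite bounds before any SQL is built. The function names and the fixed-decimal rendering are my own assumptions.

```php
<?php
// Added example, not Magento or Zend code. (float)"1e309" is INF in PHP and (string)INF
// is "INF", so rendering the bound with %s puts the bare word INF into the WHERE clause.
// Unsafe: models the failing path; the "to" bound is rendered as the word INF.
function buildPriceWhereUnsafe(array $price)
{
    $from = isset($price['from']) ? (float) trim($price['from']) : 0.0;
    $to   = isset($price['to'])   ? (float) trim($price['to'])   : 0.0;
    return sprintf('price >= %s AND price <= %s', $from, $to);
}
// Hardened bound check. is_numeric() alone is not enough: "1e309" passes it but
// overflows to INF once cast, so is_finite() is the check that matters.
// Returns the float, null for an empty bound ("no limit"), throws otherwise.
function validatePriceBound($raw)
{
    if (!is_scalar($raw)) {                // e.g. price[to][]=1 style input
        throw new InvalidArgumentException('price bound must be a scalar');
    }
    $raw = trim((string) $raw);
    if ($raw === '') {
        return null;
    }
    $value = is_numeric($raw) ? (float) $raw : NAN;
    if (!is_finite($value) || $value < 0) { // rejects INF, NAN and negatives
        throw new InvalidArgumentException('price bound is not a finite non-negative number');
    }
    return $value;
}
// Safe: only validated finite values reach the SQL text, rendered as fixed
// decimal literals so nothing but digits and a dot can appear.
function buildPriceWhereSafe(array $price)
{
    $parts = array();
    foreach (array('from' => '>=', 'to' => '<=') as $key => $op) {
        $value = validatePriceBound(isset($price[$key]) ? $price[$key] : '');
        if ($value !== null) {
            $parts[] = 'price ' . $op . ' ' . number_format($value, 4, '.', '');
        }
    }
    return $parts ? implode(' AND ', $parts) : '1=1';
}
// Constructed input: the price[] array from the URL quoted in the thread.
$price = array('from' => '1', 'to' => '1e309');
echo buildPriceWhereUnsafe($price), PHP_EOL;
try {
    echo buildPriceWhereSafe($price), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same is_finite() check belongs wherever the price[] request array is accepted; switching getQuery() to getParams() changes nothing, as the two var_dump outputs above already show.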