How to fix SQL injection vulnerability

Hi all,

 

I'm a newbie at Magento. I recently took over the hosting of a 1.7.0.2 shop. I have patched this shop as it was missing several patches. For some reason I had to do it manually, as running the script did not work (although I did not get any messages). Maybe this was due to line differences. It took a long time, but the Magento security scan passed.

 

Just last week, the site was scanned by a third party for weaknesses. They reported two high-risk SQL injection vulnerabilities, both on the same URL. It has to do with price[to] and price[from] for the URL: catalogsearch/advanced/result.

 

I've gone through all patches I applied (maybe I've missed something), but I could not find anything related to prices or catalogsearch.

 

I have found out it has to do with the UTF8-character: e309

The query string added after the URL is: ?name=John&description=1&short_description=1&sku=1&merk=1&price%5Bto%5D=1e309&price%5Bfrom%5D=1&tax_class_id%5B%5D=0

which gives the error/injection possibility. When the e309 character is omitted, it works as intended. The error is not shown when the character is set after any other parameter except price.

 

Is this a known problem and, more importantly, how can I fix this?

 

Thank you in advance for your help!

 

Best regards,

Maurice.

9 REPLIES

Re: How to fix SQL injection vulnerability

Hello @MedusaDelft

 

Maybe you can change the price range for that; it will solve your problem.

 

Otherwise, buy a module that enables SEO URLs for the filter.

 

Hope it will help you.

 

If it will help you then Mark as Solution.

Re: How to fix SQL injection vulnerability

Hi Sunil,

 

Thank you for your response, but I don't understand your solution.
How can I change the price range as this is an SQL injection vulnerability?

 

index.php/catalogsearch/advanced/result/?name=John&description=1&short_description=1&sku=1&merk=1&tax_class_id%5B%5D=0&price%5Bto%5D=1e309&price%5Bfrom%5D=1

 

I have set the additional code in italic and underlined and the problem parameter in bold.

 

The request parameter (price-array) is not checked properly.

 

But maybe I just didn't explain myself properly. If so, sorry for that.

 

Maurice.

Re: How to fix SQL injection vulnerability

Hello,

 

You can change the request from GET to POST and make the necessary changes on the server side.

 

 

Re: How to fix SQL injection vulnerability

Hi @Sunil Patel,

 

I cannot use POST as this is a result of a security check by a third party.

Yes, I understand I need to make changes server side. The object that is used for the search contains a 'price' value '1 - 1e309'.
So do you know in which program/where the parameters are filtered? (I'm new to Magento and recently took over the hosting of a shop.)

 

Thank you in advance,

Maurice.

Re: How to fix SQL injection vulnerability

Hello,

 

Check this controller:

 

Mage_CatalogSearch_AdvancedController

    // here you need to change it:
    // $this->getRequest()->getQuery() to $this->getRequest()->getParams()
    public function resultAction()
    {
        $this->loadLayout();
        try {
            // the request parameters are passed straight into the advanced search filters;
            // this is the call to change from getQuery() to getParams()
            Mage::getSingleton('catalogsearch/advanced')->addFilters($this->getRequest()->getQuery());
        } catch (Mage_Core_Exception $e) {
            // on an invalid filter, show the error and send the user back to the form
            Mage::getSingleton('catalogsearch/session')->addError($e->getMessage());
            $this->_redirectError(
                Mage::getModel('core/url')
                    ->setQueryParams($this->getRequest()->getQuery())
                    ->getUrl('*/*/')
            );
        }
        $this->_initLayoutMessages('catalog/session');
        $this->renderLayout();
    }

Hope it will help you.

 

If it will help you then mark as solution.

 

Re: How to fix SQL injection vulnerability

Hi @Sunil Patel,

 

Thank you for your quick reply.
Unfortunately, it does not solve the problem.

 

// var_dump( $this->getRequest()->getQuery() )
array(7) { ["name"]=> string(4) "John" ["description"]=> string(1) "1" ["short_description"]=> string(1) "1" ["sku"]=> string(1) "1" ["merk"]=> string(1) "1" ["tax_class_id"]=> array(2) { [0]=> string(1) "0" [1]=> string(1) "0" } ["price"]=> array(2) { ["to"]=> string(5) "1e309" ["from"]=> string(1) "1" } }

// var_dump( $this->getRequest()->getParams() )
array(7) { ["name"]=> string(4) "John" ["description"]=> string(1) "1" ["short_description"]=> string(1) "1" ["sku"]=> string(1) "1" ["merk"]=> string(1) "1" ["tax_class_id"]=> array(2) { [0]=> string(1) "0" [1]=> string(1) "0" } ["price"]=> array(2) { ["to"]=> string(5) "1e309" ["from"]=> string(1) "1" } }

The result is the same.

It does not get filtered properly.

Re: How to fix SQL injection vulnerability

@MedusaDelft

 

Which value are you entering into the form?

Re: How to fix SQL injection vulnerability

It's just a URL used by the security company to check for vulnerabilities:

 

index.php/catalogsearch/advanced/result/?name=John&description=1&short_description=1&sku=1&merk=1&tax_class_id%5B%5D=0&price%5Bto%5D=1e309&price%5Bfrom%5D=1

This results in a high-risk SQL injection vulnerability.

Re: How to fix SQL injection vulnerability

Maybe this helps a bit, the error message:

 

SQLSTATE[42S22]: Column not found: 1054 Unknown column 'INF' in 'where clause'

Trace:
#0 /httpdocs/lib/Varien/Db/Statement/Pdo/Mysql.php(110): Zend_Db_Statement_Pdo->_execute(Array)
#1 /httpdocs/lib/Zend/Db/Statement.php(300): Varien_Db_Statement_Pdo_Mysql->_execute(Array)
#2 /httpdocs/lib/Zend/Db/Adapter/Abstract.php(479): Zend_Db_Statement->execute(Array)
#3 /httpdocs/lib/Zend/Db/Adapter/Pdo/Abstract.php(238): Zend_Db_Adapter_Abstract->query('SELECT DISTINCT...', Array)
#4 /httpdocs/lib/Varien/Db/Adapter/Pdo/Mysql.php(419): Zend_Db_Adapter_Pdo_Abstract->query('SELECT DISTINCT...', Array)
#5 /httpdocs/lib/Zend/Db/Adapter/Abstract.php(825): Varien_Db_Adapter_Pdo_Mysql->query(Object(Varien_Db_Select), Array)
#6 /httpdocs/lib/Varien/Data/Collection/Db.php(225): Zend_Db_Adapter_Abstract->fetchOne(Object(Varien_Db_Select), Array)
#7 /httpdocs/app/code/core/Mage/CatalogSearch/Block/Advanced/Result.php(90): Varien_Data_Collection_Db->getSize()
#8 /httpdocs/app/design/frontend/default/bqp/template/catalogsearch/advanced/result.phtml(31): Mage_CatalogSearch_Block_Advanced_Result->getResultCount()
#9 /httpdocs/app/code/core/Mage/Core/Block/Template.php(241): include('/var/www/vhosts...')
#10 /httpdocs/app/code/core/Mage/Core/Block/Template.php(272): Mage_Core_Block_Template->fetchView('frontend/defaul...')
#11 /httpdocs/app/code/core/Mage/Core/Block/Template.php(286): Mage_Core_Block_Template->renderView()
#12 /httpdocs/app/code/core/Mage/Core/Block/Abstract.php(867): Mage_Core_Block_Template->_toHtml()
#13 /httpdocs/app/code/core/Mage/Core/Block/Text/List.php(43): Mage_Core_Block_Abstract->toHtml()
#14 /httpdocs/app/code/core/Mage/Core/Block/Abstract.php(867): Mage_Core_Block_Text_List->_toHtml()
#15 /httpdocs/app/code/core/Mage/Core/Block/Abstract.php(586): Mage_Core_Block_Abstract->toHtml()
#16 /httpdocs/app/code/core/Mage/Core/Block/Abstract.php(530): Mage_Core_Block_Abstract->_getChildHtml('content', true)
#17 /httpdocs/app/design/frontend/default/bqp/template/page/2columns-right.phtml(56): Mage_Core_Block_Abstract->getChildHtml('content')
#18 /httpdocs/app/code/core/Mage/Core/Block/Template.php(241): include('/var/www/vhosts...')
#19 /httpdocs/app/code/core/Mage/Core/Block/Template.php(272): Mage_Core_Block_Template->fetchView('frontend/defaul...')
#20 /httpdocs/app/code/core/Mage/Core/Block/Template.php(286): Mage_Core_Block_Template->renderView()
#21 /httpdocs/app/code/core/Mage/Core/Block/Abstract.php(867): Mage_Core_Block_Template->_toHtml()
#22 /httpdocs/app/code/core/Mage/Core/Model/Layout.php(555): Mage_Core_Block_Abstract->toHtml()
#23 /httpdocs/app/code/core/Mage/Core/Controller/Varien/Action.php(390): Mage_Core_Model_Layout->getOutput()
#24 /httpdocs/app/code/core/Mage/CatalogSearch/controllers/AdvancedController.php(59): Mage_Core_Controller_Varien_Action->renderLayout()
#25 /httpdocs/app/code/core/Mage/Core/Controller/Varien/Action.php(419): Mage_CatalogSearch_AdvancedController->resultAction()
#26 /httpdocs/app/code/core/Mage/Core/Controller/Varien/Router/Standard.php(254): Mage_Core_Controller_Varien_Action->dispatch('result')
#27 /httpdocs/app/code/core/Mage/Core/Controller/Varien/Front.php(176): Mage_Core_Controller_Varien_Router_Standard->match(Object(Mage_Core_Controller_Request_Http))
#28 /httpdocs/app/code/core/Mage/Core/Model/App.php(354): Mage_Core_Controller_Varien_Front->dispatch()
#29 /httpdocs/app/Mage.php(683): Mage_Core_Model_App->run(Array)
#30 /httpdocs/index.php(97): Mage::run('', 'store')
#31 {main}
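An added example, not Magento's code and not from any poster in this thread, of the server-side check the replies above call for: validating price[from]/price[to] before they reach addFilters(). In PHP, (float)"1e309" overflows to INF, and once INF is rendered into the query as the bare token INF it is read as an identifier, which is what the trace above reports as Unknown column 'INF'. The helper name validatePriceRange and the wiring shown in the trailing comment are assumptions.

```php
<?php
// Added example, not Magento's or the poster's code: reject a price range
// that is not a finite, non-negative decimal before it reaches addFilters().
// (float)"1e309" is INF in PHP, so the check below returns null for the
// scanner's request. validatePriceRange() is a hypothetical helper name.

/**
 * @param mixed $price  the raw price[] request array (from/to)
 * @return array|null   array('from' => float|null, 'to' => float|null), or null if invalid
 */
function validatePriceRange($price)
{
    if (!is_array($price)) {
        return null;
    }
    $range = array('from' => null, 'to' => null);
    foreach (array('from', 'to') as $bound) {
        if (!isset($price[$bound]) || $price[$bound] === '') {
            continue; // an open-ended bound is allowed
        }
        $raw = $price[$bound];
        // Allow plain decimals only: no exponent, sign, hex or whitespace.
        if (!is_string($raw) || !preg_match('/^\d{1,12}(\.\d{1,4})?$/', $raw)) {
            return null;
        }
        $value = (float) $raw;
        // Defence in depth: never let INF/NAN or a negative price through.
        if (!is_finite($value) || $value < 0) {
            return null;
        }
        $range[$bound] = $value;
    }
    if ($range['from'] !== null && $range['to'] !== null && $range['from'] > $range['to']) {
        return null;
    }
    return $range;
}

// Constructed inputs: the scanner's request and an ordinary one.
var_dump(validatePriceRange(array('to' => '1e309', 'from' => '1')));
var_dump(validatePriceRange(array('to' => '250', 'from' => '1')));

// In resultAction() this would run before addFilters(), for example:
//   $params = $this->getRequest()->getParams();
//   $range  = validatePriceRange(isset($params['price']) ? $params['price'] : null);
//   if ($range === null) {
//       unset($params['price']);   // or throw Mage::exception('Mage_Core', 'Invalid price range')
//   } else {
//       $params['price'] = $range;
//   }
//   Mage::getSingleton('catalogsearch/advanced')->addFilters($params);
```

Throwing a Mage_Core_Exception instead of dropping the filter lets the existing catch block in resultAction() report the problem to the user and redirect back to the form.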