SB2019032905 - SQL injection in Magento, Magento Open Source

Description

This security bulletin contains information about 1 security vulnerability.

1) SQL injection (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via "ids[0][product_id][to]" HTTP GET parameter to "/catalog/product_frontend_action/synchronize" URL. A remote non-authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

Exploitation example:

http://[host]/catalog/product_frontend_action/synchronize?
    type_id=recently_products&
    ids[0][added_at]=&
    ids[0][product_id][from]=?&
    ids[0][product_id][to]=))) OR (SELECT 1 UNION SELECT 2 FROM DUAL WHERE 1=1) -- -	

Remediation

Install update from vendor's website.

References

• https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update
• https://www.ambionics.io/blog/magento-sqli