Magento's Latest Patches Should Be Applied Immediately
SQL Injection Flaw Can Be Exploited Without Authentication, Privileges
If you run a Magento-powered e-commerce site, it's time to patch again.
Magento, which is part of Adobe, has released a patch that repairs several serious vulnerabilities, one of which requires no authentication and is easy to exploit, writes Marc-Alexandre Montpas of Sucuri, a website security company.
Magento is one of the most popular e-commerce platforms; it reports that it was used for $155 billion in commerce in 2018, and more than 300,000 businesses and merchants use its software, including companies such as Coca-Cola, liquor retailer BevMo! and Tom Dixon, a home furnishings retailer.
Most of the vulnerabilities require the attacker to be authenticated to the site or to hold some level of privilege. But one is a SQL injection vulnerability that can be exploited without authentication or privileges, Montpas writes.
"Unauthenticated attacks, like the one seen in this particular SQL injection vulnerability, are very serious because they can be automated - making it easy for hackers to mount successful, widespread attacks against vulnerable websites," Montpas writes. "The number of active installs, the ease of exploitation and the effects of a successful attack are what makes this vulnerability particularly dangerous."
The SQL injection flaw could be used to pull usernames and hashed passwords from databases such as Oracle and MySQL. The patch for this vulnerability, PRODSECBUG-2198, should be applied immediately. A full list of the flaws is available in Magento's advisory.
"Given the sensitive nature of the data Magento ecommerce sites handle on a daily basis, this is a security threat that should be patched by affected site owners as soon as possible," Montpas writes.
No In-the-Wild Attacks Yet
Sucuri reverse engineered the patch to figure out what it fixed. The flaws include cross-site request forgery, cross-site scripting, SQL injection and remote code execution. On the bright side, Sucuri says it hasn't seen any attacks yet in the wild, but it's not releasing its proof-of-concept exploit.
"Due to the risk this vulnerability represents, and the fact we are not seeing attacks in the wild yet, we will refrain from publishing any technical details for the time being," Montpas writes.
The vulnerabilities are present in both the open source and commercial versions of Magento. Magento advised users to upgrade to version 2.3.1 or 2.2.8.
Montpas recommended checking the "access_log" file to see how many requests have been made to the path "/catalog/product/frontend_action_synchronize".
"An occasional hit to that path may indicate a legitimate request, but more than a couple of dozen hits from the same IP in a few minutes should be considered suspicious," he writes.
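The log check Montpas describes, turned into a script as an added example (not code from Sucuri or Magento): it parses web server lines in the common Apache/nginx "combined" format (an assumption about the site's logging), counts hits to the named path per source IP in a sliding time window, and flags any IP that exceeds a threshold. The defaults of 24 hits in 5 minutes, the sample log lines and the documentation-range IPs are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Path named in the Sucuri advisory; hits to it are what we count.
SUSPECT_PATH = "/catalog/product/frontend_action_synchronize"
# Apache/nginx "combined" log format (assumption about how the site logs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)
def parse_line(line):
    """Return (ip, timestamp, path-without-query) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path").split("?", 1)[0]

def flag_suspicious(lines, threshold=24, window=timedelta(minutes=5)):
    """Map IP -> peak hits to SUSPECT_PATH in any sliding `window`, for IPs whose
    peak exceeds `threshold` (Montpas's 'more than a couple of dozen in a few minutes')."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == SUSPECT_PATH:
            hits[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample log (documentation-range IPs): one host hammers the path
# 30 times in 30 seconds, another hits it twice two hours apart, plus noise.
SAMPLE_LOG = [
    f'203.0.113.10 - - [28/Mar/2019:10:00:{s:02d} +0000] "GET {SUSPECT_PATH}?ids=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    for s in range(30)
] + [
    f'198.51.100.7 - - [28/Mar/2019:{h:02d}:15:00 +0000] "GET {SUSPECT_PATH} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    for h in (9, 11)
] + [
    '203.0.113.10 - - [28/Mar/2019:10:00:31 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    "malformed line that the parser should skip",
]
```

Run `flag_suspicious(open("access_log").read().splitlines())` against a real log; an occasional hit per IP is expected traffic, so only the burst from a single source should be reported.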
Card-Sniffers: All the Rage
E-commerce websites are under relentless assault by criminal groups that specialize in slipping payment card skimming malware into sites. Security vendors including RiskIQ, Sucuri and Group-IB have been tracking the groups and their techniques.
Because there are so many e-commerce websites, there is a rich array of targets, which increases the chances of finding a weak one compared with, say, attacking payment processors. The attacks can be tricky to detect and may consist of a single line of code.
Although attacking e-commerce sites is nothing new, cybercriminal groups have developed clever methods of harvesting payment card data. One is to directly subvert the payment software within the site; another is to infiltrate third-party software tools that e-commerce sites use.
Ticketmaster, for example, fell victim to an attack that subverted chatbot software from Inbenta Technologies. Attackers modified a script within the chatbot software, which then collected names, addresses, email addresses, phone numbers, payment details and login details. Ticketmaster and Inbenta differed over who was to blame.
Security company RiskIQ discovered that another third-party tool, within a marketing and analytics service called SociaPlus, had also been used to steal payment card details submitted to Ticketmaster (see: RiskIQ: Ticketmaster Hackers Compromised Widely Used Tools).
Other recent victims have included British Airways and e-commerce site Newegg (see: Hacker Flies Away With British Airways Customer Data).
A malicious script was placed on the payment-processing page itself and would have been activated after someone added an item to a cart and entered a validated email address, RiskIQ said.