Magento SQL Injection Flaw Puts E-Commerce Sites at Risk
Magento, an Adobe-owned company that promotes its e-commerce platform as handling more than $155 billion in gross merchandise transaction volume annually, has called on online stores using its platform to install the company’s latest update as protection against a host of critical flaws.
On March 26, Magento announced that it had fixed 37 security vulnerabilities in its e-commerce platform. Of those 37 vulnerabilities, 4 have base scores between 9 and 9.8. Under version 3.0 of the Common Vulnerability Scoring System, base scores from 9 to 10 are rated “critical.”
Of the 37 vulnerabilities fixed in Magento’s latest security update, one, tracked as PRODSECBUG-2198, stands out, not only because it is one of the 4 rated critical, but also because an exploit for it is now public. With this exploit freely available, PRODSECBUG-2198 could be used by malicious actors against unpatched stores at any time.
The PRODSECBUG-2198 bug is a SQL injection vulnerability found in Magento Open Source prior to 1.9.4.1, Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, and Magento 2.3 prior to 2.3.1. According to Magento, the PRODSECBUG-2198 bug, also described as an “SQL Injection vulnerability through an unauthenticated user,” allows an unauthenticated user to execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage.
Charles Fol of Ambionics, who reported the PRODSECBUG-2198 bug to Magento back in November 2018, wrote in a blog post that the bug stems from a minor mistake in a small piece of Magento code. “This mistake, albeit minor, is very impactful …,” Fol said. “Surprisingly enough, this piece of code has been present since Magento 1.x !”
Ambionics also posted on GitHub a proof of concept showing how the mistake in that small piece of Magento code can be exploited. With this proof of concept public, online stores running Magento that have not installed the latest update are exposed to this particular exploit.
An SQL injection vulnerability reachable by an unauthenticated user has far-reaching consequences.
What Is SQL Injection?
SQL, which stands for Structured Query Language, is the standard language for querying and managing relational databases. SQL injection, meanwhile, is one of the most common web hacking techniques. The Open Web Application Security Project (OWASP) ranked this form of attack in 2017 as the number one threat to web applications.
“Injection flaws, such as SQL … occur when untrusted data is sent to an interpreter as part of a command or query,” OWASP said. “The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.”
SQL injection was first documented in 1998 by Jeff Forristal, also known by the alias Rain Forest Puppy, now the CTO of mobile security vendor Bluebox Security. For years, many cyberattacks have been made possible through SQL injection. The cyberattacks on Sony in 2011 and TalkTalk in 2015 are among the notable attacks that used SQL injection as a weapon.
According to the Federal Bureau of Investigation (FBI), the cyberattack on Sony Pictures Entertainment between May 27 and June 2, 2011, in which attackers obtained confidential information from Sony Pictures’ computer systems, was carried out using an SQL injection attack against Sony’s website.
In October 2016, the UK’s Information Commissioner’s Office (ICO) fined TalkTalk £400,000 (though the company settled the case for £320,000) for a cyber incident in October 2015 that led to illegal access to the personal data of 156,959 customers, including their names, addresses, dates of birth, phone numbers and email addresses, as well as the bank account details of 15,656 customers.
“The attack [October 2015 cyber incident on TalkTalk] was an SQL injection attack, a common type of cyber attack that has been well-understood … and for which known defences exist,” ICO said. “The investigation found there had been two previous SQL injection attacks on 17 July 2015 and between 2-3 September 2015 but TalkTalk did not take any action due to a lack of monitoring of the webpages.”
Specific to Magento’s PRODSECBUG-2198 bug, online stores running an affected version, namely Magento Open Source prior to 1.9.4.1, Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, or Magento 2.3 prior to 2.3.1, need to install the company’s latest update to prevent SQL injection attacks.
In general, e-commerce sites, regardless of the platform used, are attractive targets to hackers because personal and payment information is required to complete a sale. SQL injection is a common weapon used by cyber attackers to compromise these sites. Here are some security best practices that will harden your e-commerce site against SQL injection attacks:
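The OWASP description of injection quoted above (untrusted data sent to the interpreter as part of a query) and the hardening advice for e-commerce sites can both be made concrete with a small side-by-side comparison. The Python example below is added here; it is not code from this article, from Magento or from Ambionics. It uses an in-memory SQLite table seeded with constructed sample rows (a hypothetical stand-in for a store's customer table, not Magento's schema) to show why a query assembled by string concatenation lets input be read as SQL, and why the standard defence, a bound parameter, does not. The input-shape check in `lookup_hardened` is an added defence-in-depth layer, not a substitute for parameterization.

```python
import re
import sqlite3

# Constructed sample rows standing in for a store's customer table.
# This is a hypothetical schema for illustration, not Magento's.
SAMPLE_CUSTOMERS = [
    (1, "alice@example.com", "Alice", "4111********1111"),
    (2, "bob@example.com", "Bob", "5500********0004"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER, email TEXT, name TEXT, card_masked TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """Builds the query by string concatenation (the pattern OWASP describes).

    The untrusted value becomes part of the statement text, so the database
    engine cannot tell the developer's SQL apart from the caller's data.
    Shown only as the 'before' of the fix; do not use in real code.
    """
    sql = "SELECT id, email, name FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Sends the statement and the value separately (a bound parameter).

    The value is only ever compared as data; it is never parsed as SQL.
    """
    sql = "SELECT id, email, name FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Defence in depth: reject input that cannot be an e-mail address before it
# reaches the database. A conservative shape check, not a replacement for
# parameterization.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def lookup_hardened(conn, email):
    """Validate the input's shape first, then query with a bound parameter."""
    if not EMAIL_RE.match(email):
        raise ValueError("rejected: input is not a plausible e-mail address")
    return lookup_parameterized(conn, email)


def compare(conn, value):
    """Return (rows from the concatenated query, rows from the parameterized one)."""
    return lookup_vulnerable(conn, value), lookup_parameterized(conn, value)


if __name__ == "__main__":
    db = make_db()
    # An ordinary lookup behaves identically either way.
    print(compare(db, "alice@example.com"))
    # A value containing a quote and a tautology: the concatenated query
    # returns every customer row, the parameterized query matches nothing.
    print(compare(db, "' OR '1'='1"))
```

The point to take from the two result lists is that the parameterized query never changes its meaning, whatever the caller supplies: the same statement is compiled once and the value is compared as a literal. Note that Python's `sqlite3` refuses to execute more than one statement per `execute` call, so this demonstration only exercises the tautology case; the separation of statement from data is what protects against the other variants as well. In a PHP platform such as Magento the same principle applies through prepared statements or the framework's query builder placeholders rather than manually assembled SQL text.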
Preventing SQL injection attacks is easy, as long as you engage application security experts who understand your cybersecurity challenges and business goals and deliver the right solution for you.
Contact us today and protect your web application against common threats in minutes, without the need for capital investment or IT support.
Steve E. Driz, I.S.P., ITCP