Security news that informs and inspires

Critical Magento Flaw Puts Commerce Sites at Risk

There’s a critical vulnerability in the popular Magento software used by many online commerce sites that can allow an attacker with no authentication or privileges on the site at all to steal sensitive data.

The SQL injection vulnerability is present in several different versions of Magento, including both the commercial and open-source releases, and researchers warn that it could lead to automated attacks against vulnerable sites. Magento is one of the leading e-commerce platforms, and sites of all sizes run it. The newly disclosed vulnerability is particularly dangerous because it requires no authentication and is within reach of even low-skilled attackers.

Magento, which is part of Adobe, said in its advisory that the vulnerability affects Magento Open Source prior to 1.9.4.1 and Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, and Magento 2.3 prior to 2.3.1.
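The version ranges in the advisory lend themselves to a quick inventory check. The following is an added example, not code from Magento or from the article; the hostnames and the edition labels ("open-source", "commerce") are constructed here. It flags any install below the first fixed release for its branch and reports branches the advisory does not mention (such as 2.0) as unknown rather than clean.

```python
import re
from typing import Optional, Tuple

# First fixed release per branch, as listed in the Magento advisory. The 1.x
# lines differ by edition; the 2.x lines are keyed by minor branch only.
FIXED_VERSIONS = {
    ("open-source", "1"): "1.9.4.1",
    ("commerce", "1"): "1.14.4.1",
    ("any", "2.1"): "2.1.17",
    ("any", "2.2"): "2.2.8",
    ("any", "2.3"): "2.3.1",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.2.7-p1' -> (2, 2, 7, 0): keep the numeric core, pad to 4 parts."""
    match = re.match(r"^\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in match.group(0).split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])


def is_affected(edition: str, version: str) -> Optional[bool]:
    """True if below the fixed release for its branch, False if at or above,
    None if the branch is not covered by the advisory (e.g. 2.0). Treat None
    as 'not known to be safe', not as clean."""
    parsed = parse_version(version)
    branch = "1" if parsed[0] == 1 else f"{parsed[0]}.{parsed[1]}"
    key = (edition if branch == "1" else "any", branch)
    fixed = FIXED_VERSIONS.get(key)
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


# Constructed sample inventory for illustration; the hosts are not real.
INVENTORY = [
    ("shop-a.example", "open-source", "1.9.3.10"),
    ("shop-b.example", "commerce", "1.14.4.1"),
    ("shop-c.example", "open-source", "2.2.7-p1"),
    ("shop-d.example", "commerce", "2.3.1"),
    ("shop-e.example", "open-source", "2.0.18"),
]


def triage(inventory):
    """Map each host to 'patch', 'ok' or 'unknown' using the advisory ranges."""
    labels = {True: "patch", False: "ok", None: "unknown"}
    return {host: labels[is_affected(ed, ver)] for host, ed, ver in inventory}
```

Running `triage(INVENTORY)` marks shop-a and shop-c for patching, shop-b and shop-d as at or above the fixed release, and shop-e as unknown because the 2.0 branch is not in the advisory.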

“An unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage,” the Magento advisory says.

Researchers at security vendor Sucuri said they had reverse-engineered the Magento patch for this flaw and were able to develop a proof-of-concept exploit for it. The company isn’t releasing the exploit or any of the specific technical details of the vulnerability.

“SQL Injections allow an attacker to manipulate site arguments to inject their own commands to an SQL database (Oracle, MySQL, MariaDB, MSSQL). Through this vulnerability they can retrieve sensitive data from an affected site’s database, including usernames and password hashes,” Marc-Alexandre Montpas of Sucuri said.

“Unauthenticated attacks, like the one seen in this particular SQL Injection vulnerability, are very serious because they can be automated — making it easy for hackers to mount successful, widespread attacks against vulnerable websites. The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous.”

The disclosure of the SQL injection vulnerability in Magento comes at a highly inopportune time for e-commerce site owners. There are a number of cybercrime groups active at the moment that specialize in compromising online retail platforms and installing specialized skimming software designed to identify and grab payment card information. The Magecart group, which is actually several individual groups that employ similar tactics and tools, is probably the best known and most closely studied among researchers. Some factions of Magecart target specific platforms, while others go after third-party library suppliers in order to compromise as many sites as possible in one go.

In fact, Magecart got its start by targeting sites running Magento’s platform.

“We saw the infrastructure set up as early as 2014 and they would breach Magento sites and modify the PHP code to install the skimmer. But they would make mistakes,” Yonathan Klijnsma of RiskIQ said in November when the company published a report on Magecart. “Then they moved to a JavaScript version, which is more lightweight and not as impactful on the site. We saw them make small mistakes, but they learned. We saw them figuring out how to do all of this.”

In addition to the patch for the SQL injection vulnerability, Magento also released fixes for many other vulnerabilities in its platform, including several that allow arbitrary code execution. However, most of those vulnerabilities require authentication to exploit.