Critical Security Flaw Patched in Magento Blog Extension (CVE-2015-3428)
Research / Security Alerts / Posted May 27, 2015
Background
The aheadWorks Blog extension for Magento prior to version 1.3.10 is vulnerable to a critical SQL Injection security flaw. A remote unauthenticated attacker could exploit this vulnerability to take complete control of the affected Magento server and database.
With almost 80,000 downloads at the time of writing, the affected component is the most popular blog component available via Magento Connect.
Technical Details
The SQL Injection flaw was discovered using the AppCheck scanner during preparation for a security seminar.
The exercise involved configuring several popular CMS platforms including WordPress, Joomla, Drupal and Magento along with the most popular plugins available at the time for each platform.
A default AppCheck scan was then performed against each system to demonstrate our ability to discover previously undisclosed security flaws using AppCheck.
Among the discovered vulnerabilities was a Blind SQL Injection flaw within the aheadWorks Blog extension component. AppCheck was able to identify the flaw by triggering a measurable time delay using the MySQL “SLEEP()” function. For example, the following URI will trigger a 10 second time delay when accessed using a web browser:
http://magento_site/blog?dir=desc&order=user AND 1=((SELECT 1 FROM (SELECT SLEEP(10))A)) OR 1234=4321
Compare this with the following URI, which will trigger a 2 second delay:
http://magento_site/blog?dir=desc&order=user AND 1=((SELECT 1 FROM (SELECT SLEEP(2))A)) OR 1234=4321
AppCheck NG employs a range of methods to detect blind SQL injection including time delay inference. Each suspected flaw is confirmed through 15 validation cycles to eradicate false positives.
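The same time-delay inference can be applied from the defender's side. The following added example (not code from the original advisory, AppCheck, or aheadWorks) scans web server access log lines for the `order` parameter payloads shown above and, where the server logs the request time (Apache's `%D` field, in microseconds, is assumed as a trailing column), checks whether the observed latency matches the requested SLEEP() argument. The log lines are constructed sample data.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed Apache "combined" log lines with an assumed trailing %D field
# (request time in microseconds). Sample data only, not from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [27/May/2015:10:01:02 +0000] "GET /blog?dir=desc&order=user HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 83210
203.0.113.7 - - [27/May/2015:10:01:09 +0000] "GET /blog?dir=desc&order=user%20AND%201%3D((SELECT%201%20FROM%20(SELECT%20SLEEP(10))A))%20OR%201234%3D4321 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 10094321
203.0.113.7 - - [27/May/2015:10:01:14 +0000] "GET /blog?dir=desc&order=user%20AND%201%3D((SELECT%201%20FROM%20(SELECT%20SLEEP(2))A))%20OR%201234%3D4321 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 2091877
198.51.100.4 - - [27/May/2015:10:02:00 +0000] "GET /blog/post/sleepy-sunday HTTP/1.1" 200 7310 "-" "Mozilla/5.0" 64000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"(?: (?P<us>\d+))?$'
)

# Delay primitives used for time-based blind SQL injection across common databases.
TIME_FUNC_RE = re.compile(
    r"\b(?:SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.IGNORECASE
)
SLEEP_ARG_RE = re.compile(r"\b(?:SLEEP|PG_SLEEP)\s*\(\s*(\d+(?:\.\d+)?)", re.IGNORECASE)


def inspect_request(ip, uri, micros=None):
    """Return a finding dict if the decoded path or any query value carries a delay primitive."""
    parts = urlsplit(uri)
    candidates = [("<path>", unquote_plus(parts.path))]
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        candidates.extend((name, v) for v in values)
    for where, text in candidates:
        m = TIME_FUNC_RE.search(text)
        if not m:
            continue
        requested = None
        arg = SLEEP_ARG_RE.search(text)
        if arg:
            requested = float(arg.group(1))
        observed = micros / 1_000_000 if micros is not None else None
        # A logged response time that meets or exceeds the requested SLEEP() argument is
        # the scanner's inference in reverse: strong evidence the payload reached MySQL.
        confirmed = (
            requested is not None and observed is not None and observed >= requested
        )
        return {
            "ip": ip,
            "path": parts.path,
            "param": where,
            "indicator": m.group(0).strip(),
            "requested_delay": requested,
            "observed_seconds": observed,
            "confirmed": confirmed,
        }
    return None


def scan_log(text):
    """Parse each log line and collect findings for requests carrying a delay primitive."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        micros = int(m.group("us")) if m.group("us") else None
        finding = inspect_request(m.group("ip"), m.group("uri"), micros)
        if finding:
            finding["timestamp"] = m.group("ts")
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

On the sample data the two injected requests are reported against the `order` parameter, and both are marked confirmed because the logged request time (about 10.1 s and 2.1 s) meets the requested delay; the ordinary blog request and the `/blog/post/sleepy-sunday` path produce nothing, since a bare word "sleep" without a following parenthesis is not treated as an indicator. Without a response-time column the finding is still reported, just not confirmed.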
Exploit
The attacker could easily exploit this flaw using publicly available exploit tools such as sqlmap (http://sqlmap.org/). By extracting the username and hashed password from the admin_user table, it is possible to obtain Magento administrator credentials via an offline attack.
A demonstration of this flaw is performed at our free application security seminar.
Solution
This flaw was reported to aheadWorks on 22 April 2015. A fix was made available on 27 May 2015 and can be downloaded via Magento Connect.
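The root cause described above is a sort parameter reaching the ORDER BY clause unchecked. The following added example (not the extension's code or the vendor's fix, and written in Python rather than the extension's PHP) puts the vulnerable pattern beside the hardened one: the safe builder accepts `order` and `dir` only from an allowlist that maps public sort keys to real column names, so the advisory's payload is rejected before any SQL is built. The table, column names and sort keys are assumptions for the example, and the rows are constructed sample data.

```python
import sqlite3

# Payload from the advisory, used here only to show that the hardened builder rejects it.
PAGE_PAYLOAD = "user AND 1=((SELECT 1 FROM (SELECT SLEEP(10))A)) OR 1234=4321"

# Allowlist mapping public sort keys to column names.
# These keys and columns are assumptions for the example, not the extension's schema.
SORTABLE_COLUMNS = {"created": "created_at", "title": "title", "user": "author"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_query_vulnerable(order, direction):
    """Vulnerable pattern: request parameters are spliced straight into ORDER BY."""
    return f"SELECT id, title, author FROM posts ORDER BY {order} {direction}"


def build_query_safe(order, direction):
    """Hardened pattern: both parameters must match the allowlist, or the request is rejected.

    Identifiers cannot be bound as query parameters, so an allowlist lookup is the
    standard way to let a client choose a sort column without controlling the SQL.
    """
    try:
        column = SORTABLE_COLUMNS[order.lower()]
        sort_dir = SORT_DIRECTIONS[direction.lower()]
    except (KeyError, AttributeError):
        raise ValueError(f"unsupported sort parameters: order={order!r} dir={direction!r}")
    return f"SELECT id, title, author FROM posts ORDER BY {column} {sort_dir}"


def list_posts(order, direction):
    """Run the hardened query against a constructed in-memory table and return the titles."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, author TEXT, created_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO posts (title, author, created_at) VALUES (?, ?, ?)",
        [
            ("Spring release", "carol", "2015-04-01"),
            ("Patch notes", "alice", "2015-05-27"),
            ("Welcome", "bob", "2015-01-15"),
        ],
    )
    rows = conn.execute(build_query_safe(order, direction)).fetchall()
    conn.close()
    return [title for _, title, _ in rows]


if __name__ == "__main__":
    print(build_query_vulnerable(PAGE_PAYLOAD, "desc"))  # attacker text lands in the SQL
    print(list_posts("user", "desc"))
    try:
        build_query_safe(PAGE_PAYLOAD, "desc")
    except ValueError as exc:
        print("rejected:", exc)
```

The vulnerable builder returns the attacker's subquery verbatim inside the statement, which is exactly what lets a time-delay probe reach the database. The hardened builder never places request text in the query: it raises on anything outside the allowlist and otherwise emits one of a fixed set of statements. Falling back to a default sort instead of raising is also reasonable, as long as the unrecognised value is logged.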