Critical Security Flaw Patched in Magento Blog Extension (CVE-2015-3428)


The aheadWorks Blog extension for Magento prior to version 1.3.10 is vulnerable to a critical SQL Injection security flaw. A remote unauthenticated attacker could exploit this vulnerability to take complete control of the affected Magento server and database.

With almost 80,000 downloads at the time of writing, the affected component is the most popular blog component available via Magento Connect.

Technical Details

The SQL Injection flaw was discovered using the AppCheck NG scanner during preparation for a security seminar.

The exercise involved configuring several popular CMS platforms including WordPress, Joomla, Drupal and Magento along with the most popular plugins available at the time for each platform.

A default AppCheck NG scan was then performed against each system to demonstrate our ability to discover previously undisclosed security flaws using AppCheck NG.

Among the discovered vulnerabilities was a Blind SQL Injection flaw within the aheadWorks Blog extension component. AppCheck was able to identify the flaw by triggering a measurable time delay using the MySQL “SLEEP()” function. For example, the following URI will trigger a 10 second time delay when accessed using a web browser:

http://magento_site/blog?dir=desc&order=user AND 1=((SELECT 1 FROM (SELECT SLEEP(10))A)) OR 1234=4321

Compare this with the following URI, which will trigger a 2 second delay:

http://magento_site/blog?dir=desc&order=user AND 1=((SELECT 1 FROM (SELECT SLEEP(2))A)) OR 1234=4321

AppCheck NG employs a range of methods to detect blind SQL injection including time delay inference. Each suspected flaw is confirmed through 15 validation cycles to eradicate false positives.


An attacker could easily exploit this flaw using publicly available exploit tools such as sqlmap (http://sqlmap.org/). By extracting the username and hashed password from the admin_user table, it is possible to obtain Magento administrator credentials via an offline attack.

A demonstration of this flaw is performed at our free application security seminar. See the following URL for our next event: http://appcheck-ng.com/events/


This flaw was reported to aheadWorks on the 22nd of April 2015. A fix was made available on the 27th of May 2015 and can be downloaded via Magento Connect.
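Sites that ran a version prior to 1.3.10 can review their web server logs for requests like the URIs shown above. The following is an added example, not AppCheck or aheadWorks code: it flags blog requests whose `order` or `dir` value is not a plain sort key or direction. It assumes Combined Log Format, a blog mounted at `/blog`, and constructed sample log lines; checking `dir` as well as `order` is an extra precaution beyond what the advisory demonstrates.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate sort key is a bare column identifier and the
# direction is asc or desc; tighten this to the values your store uses.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
DIRECTIONS = {"asc", "desc"}
# Combined Log Format: client, identity, user, [time], "request", status
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (.+) HTTP/[\d.]+" (\d{3})'
)

def suspicious_params(target):
    """Names of blog sort parameters whose decoded value is not plain."""
    parts = urlsplit(target)
    # Assumption: the blog is mounted at /blog, as in the URIs above.
    if parts.path != "/blog" and not parts.path.startswith("/blog/"):
        return []
    query = parse_qs(parts.query, keep_blank_values=True)
    bad = []
    if any(not IDENT.fullmatch(v) for v in query.get("order", [])):
        bad.append("order")
    if any(v.lower() not in DIRECTIONS for v in query.get("dir", [])):
        bad.append("dir")
    return bad

def scan_log(lines):
    """Return (client, status, params, target) for each flagged request."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        params = suspicious_params(target)
        if params:
            hits.append((client, status, params, target))
    return hits

# Constructed sample lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2015:10:00:01 +0000] "GET /blog?dir=desc&order=created_time HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jun/2015:10:00:05 +0000] "GET /blog?dir=desc&order=user%20AND%201=((SELECT%201%20FROM%20(SELECT%20SLEEP(10))A))%20OR%201234=4321 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jun/2015:10:00:09 +0000] "GET /checkout/cart?order=1%27 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, status, params, target in scan_log(SAMPLE_LOG):
        print(client, status, ",".join(params), target)
```

A hit shows that the parameter was probed, not that data was extracted; correlate flagged clients with response times and database logs before drawing conclusions.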