Critical security vulnerabilities in Magento's commercial and open source platforms have left over 300,000 e-commerce websites exposed to remote code execution, SQL injection and cross-site scripting that allowed cyber criminals to skim credit card data of millions of online shoppers.
While many of almost three dozen vulnerabilities can be exploited only if an attacker authenticates himself/herself on an e-commerce website, one of these vulnerabilities that allows an attacker to carry out SQL injection does not require any authentication on part of the attacker.
By carrying out SQL injection in a targeted e-commerce website that uses Magento's commercial or open source platform, attackers can inject their own commands to an SQL database and transfer sensitive data available on the database to a remote server. Such data may include credit card numbers and other personal details of people who made online purchases on the targeted site.
To patch these vulnerabilities, Magento has rushed in three new versions of its code- Commerce and Open Source 2.3.1, 2.2.8 and 2.1.17- to prevent hackers from carrying out SQL injection to gain access to sensitive data. The vulnerability, dubbed PRODSECBUG-2198, affects Magento Open Source versions prior to 126.96.36.199, and Magento Commerce versions prior to 188.8.131.52, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, and Magento 2.3 prior to 2.3.1.
"A SQL injection vulnerability has been identified in pre-2.3.1 Magento code. To quickly protect your store from this vulnerability only, install patch PRODSECBUG-2198. However, to protect against this vulnerability and others, you must upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8. We strongly suggest that you install these full patches as soon as you can," the company said.
Commenting on the discovery of the SQL injection vulnerability in Magento's e-commerce platform that does not require any authentication, Eoin Keary, CEO and co-founder of edgescan, told SC Magazine UK that SQL injection vulnerability is a result of poor coding skills and lack of awareness on part of developers.
Keary said that even though almost all coding languages and technologies have the ability to create safe data base code which is not vulnerable to SQL injection, poor coding standards and the use of legacy code on web systems globally have ensured that web applications are still featuring SQL injection flaws.
"An important aspect of SQL injection is also the level of privilege the web application has when accessing the database. By default, many web applications have high privileges access to databases. SQL injections attacks use the same level as privilege as the web applications. In order to maintain some resilience, the privilege level must be "least privilege" such that the SQL injection attacker does not have a high level of privilege when accessing the database," he added.
Ilia Kolochenko, CEO of High-Tech Bridge, said that unless e-commerce platforms immediately patch their applications with the latest patches issued by Magento, the SQL injection flaw could lead to one of the most disastrous web hacking campaigns as Magento is mostly used on trusted e-commerce websites and thus opens a door to a great wealth of sensitive PII including valid credit cards details.
"The most dangerous flaw is SQL injection that can be exploited without any pre-conditions, being sufficient to steal the entire database and likely take control over the vulnerable website and web server. Sophisticated malware infections may plague gutted websites once all valuable data is stolen," he warned.
"All Magento website owners should urgently update their systems and check the web server and all other available logs for IoC (indicator of compromise). In case of a merest suspicion, detailed forensics should be conducted to determine whether the system was breached. These days, cyber-criminals know how to cover their tracks, however, they may unwittingly suppress too much evidence and thereby expose their presence," he added.
Onilab, an official Magento development partner has subsequently contacted SC Media UK to alert readers that the latest Magento updates deal with a lot more issues than the SQL injection mentioned - 37 security issues altogether. They add that it's essential that webmasters and store owners update ASAP and have provided information about the March 2019 updates and how to install them here.