AheadWorks - Automatic Related Products - Security issue

Security issue

During a security audit we discovered a SQL injection vulnerability in the "Automatic Related Products 2" module from AheadWorks. This makes it possible to inject SQL query's trough a special prepared URL.

If you want to know if this module is installed on your Magento installation look for the file: app/etc/modules/AW_Autorelated.xml.

Solution

At this moment there is no patched version but you can easily fix it yourself until there is a official fix released by AheadWorks.

In the file app/code/local/AW/Autorelated/controllers/Adminhtml/ Awautorelated/BlocksgridController.php go to the method massStatusAction and change the following:

129. public function massStatusAction()
130. {
131.     $blocksId = $this->getRequest()->getParam('id');
132.     if (!is_array($blocksId)) {
133.         Mage::getSingleton('adminhtml/session')->addError($this->__('Please select item(s)'));
134.     } else {
135.         try {
136.             $db = Mage::getSingleton('core/resource')->getConnection('core_write');
137.             $db->query(
138.                 'UPDATE `' . Mage::getSingleton('core/resource')->getTableName('awautorelated/blocks')
139.                  . '` SET `status` = ' . (int)$this->getRequest()->getParam('status')
140.                 . ' WHERE `id` IN (' . implode(',', $blocksId) . ')'
141.             );
142.             $this->_getSession()->addSuccess(
143.                 $this->__('Total of %d record(s) were successfully updated', count($blocksId))
144.             );
145.         } catch (Exception $e) {
146.             $this->_getSession()->addError($e->getMessage());
147.         }
148.     }
149.     $this->_redirect('*/*/list');
150. }

to:

129. public function massStatusAction()
130. {
131.     $blocksId = $this->getRequest()->getParam('id');
132.     if (!is_array($blocksId)) {
133.         Mage::getSingleton('adminhtml/session')->addError($this->__('Please select item(s)'));
134.     } else {
135.         try {
136.             $blocksId = array_filter( $blocksId, 'is_numeric' );
137.             $db = Mage::getSingleton('core/resource')->getConnection('core_write');
138.             $db->query(
139.                 'UPDATE `' . Mage::getSingleton('core/resource')->getTableName('awautorelated/blocks')
140.                  . '` SET `status` = ' . (int)$this->getRequest()->getParam('status')
141.                 . ' WHERE `id` IN (' . implode(',', $blocksId) . ')'
142.             );
143.             $this->_getSession()->addSuccess(
144.                 $this->__('Total of %d record(s) were successfully updated', count($blocksId))
145.             );
146.         } catch (Exception $e) {
147.             $this->_getSession()->addError($e->getMessage());
148.         }
149.     }
150.     $this->_redirect('*/*/list');
151. }

This filters out all user supplied values that are not nummeric and thus can contain SQL code.

If you need any help with applying this patch, please contact us.

AheadWorks released a new version that fixed this security issue. If you have version 2.5.1 or later installed you are safe from this specific security leak.

21 maart 2019 Martien Mortiaux

• Magento
• bug
• programming
• security