Security issue

During a security audit we discovered a SQL injection vulnerability in the "Automatic Related Products 2" module from AheadWorks. This makes it possible to inject SQL queries through a specially prepared URL.

If you want to know if this module is installed on your Magento installation look for the file: app/etc/modules/AW_Autorelated.xml.

Solution

At this moment there is no patched version, but you can easily fix it yourself until an official fix is released by AheadWorks.

In the file app/code/local/AW/Autorelated/controllers/Adminhtml/Awautorelated/BlocksgridController.php go to the method massStatusAction and change the following:

  /**
   * Vulnerable version (shown for reference): mass-updates the `status` column
   * of the selected awautorelated/blocks rows and redirects to the list action.
   *
   * The `id` request parameter is expected to be an array of row ids; `status`
   * is read from the request as well.
   *
   * @return void
   */
  public function massStatusAction()
  {
      $blocksId = $this->getRequest()->getParam('id');
      if (!is_array($blocksId)) {
          Mage::getSingleton('adminhtml/session')->addError($this->__('Please select item(s)'));
      } else {
          try {
              $db = Mage::getSingleton('core/resource')->getConnection('core_write');
              // VULNERABLE: the request-supplied `id` values are concatenated into
              // the IN (...) list below with no validation, casting or quoting, so the
              // request controls part of the SQL text. Only `status` is cast to int.
              $db->query(
                  'UPDATE `' . Mage::getSingleton('core/resource')->getTableName('awautorelated/blocks')
                   . '` SET `status` = ' . (int)$this->getRequest()->getParam('status')
                  . ' WHERE `id` IN (' . implode(',', $blocksId) . ')'
              );
              $this->_getSession()->addSuccess(
                  $this->__('Total of %d record(s) were successfully updated', count($blocksId))
              );
          } catch (Exception $e) {
              // Query failures (including SQL syntax errors) surface as a session error.
              $this->_getSession()->addError($e->getMessage());
          }
      }
      $this->_redirect('*/*/list');
  }

to:

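  /**
   * Patched version: mass-updates the `status` column of the selected
   * awautorelated/blocks rows and redirects to the list action.
   *
   * Reads the `id` array and the `status` value from the request, runs a single
   * UPDATE on the core_write connection and reports the outcome via the session.
   *
   * @return void
   */
  public function massStatusAction()
  {
      $blocksId = $this->getRequest()->getParam('id');
      if (!is_array($blocksId)) {
          Mage::getSingleton('adminhtml/session')->addError($this->__('Please select item(s)'));
      } else {
          try {
              // The ids are interpolated into the IN (...) list, so only plain integers
              // may reach the query: drop non-numeric entries, then cast the rest to int
              // (defence in depth, mirroring the (int) cast applied to `status`).
              $blocksId = array_map('intval', array_filter($blocksId, 'is_numeric'));
              if (empty($blocksId)) {
                  // `IN ()` is a SQL syntax error; treat a fully filtered selection
                  // like an empty one instead of failing inside the query.
                  Mage::getSingleton('adminhtml/session')->addError($this->__('Please select item(s)'));
              } else {
                  $db = Mage::getSingleton('core/resource')->getConnection('core_write');
                  $db->query(
                      'UPDATE `' . Mage::getSingleton('core/resource')->getTableName('awautorelated/blocks')
                      . '` SET `status` = ' . (int)$this->getRequest()->getParam('status')
                      . ' WHERE `id` IN (' . implode(',', $blocksId) . ')'
                  );
                  $this->_getSession()->addSuccess(
                      $this->__('Total of %d record(s) were successfully updated', count($blocksId))
                  );
              }
          } catch (Exception $e) {
              $this->_getSession()->addError($e->getMessage());
          }
      }
      $this->_redirect('*/*/list');
  }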

This filters out all user-supplied values that are not numeric and thus could contain SQL code.

If you need any help with applying this patch, please contact us.