Slashdot Mirror


Critical Magento SQL Injection Flaw Could Soon Be Targeted By Hackers (csoonline.com)

itwbennett writes: The popular e-commerce platform Magento has released 37 security issues affecting both the commercial and open-source versions, four of which are critical. 'Of those, one SQL injection flaw is of particular concern for researchers because it can be exploited without authentication,' writes Lucian Constantin for CSO. Researchers from Web security firm Sucuri 'have already reverse-engineered the patch [for that flaw] and created a working proof-of-concept exploit for internal testing,' says Constantin. 'The SQL vulnerability is very easy to exploit, and we encourage every Magento site owner to update to these recently patched versions to protect their ecommerce websites,' the researchers warn in a blog post.

13 comments

  1. What do you mean soon? by Just+A+Gigolo · · Score: 1

    It has been zero day for ages!

    1. Re: What do you mean soon? by Anonymous Coward · · Score: 0

      Malwarebytes gnashes teeth, moves on to lesser vulnerabilities requiring 100 lines of code or less

    2. Re: What do you mean soon? by Anonymous Coward · · Score: 0

      Good, cheap, or fast. Pick two of the three

  2. They released patches. by Anonymous Coward · · Score: 0

    You can't release issues.

    1. Re: They released patches. by Anonymous Coward · · Score: 0

      Really?

    2. Re:They released patches. by Anonymous Coward · · Score: 0

      Regression bug you dumb cunt

  3. Adobe by WaffleMonster · · Score: 1

    Stopped reading after "Magento, an Adobe-owned company". It's not necessary to add any additional details to this article.

  4. perfection is possible by phantomfive · · Score: 2

    This is one of the places perfection is possible, even easy. There are many methods for avoiding SQL injections, so choose a method and stick with it. Don't let this happen to you, be perfect.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:perfection is possible by Anonymous Coward · · Score: 0

      Went and looked at some of these SQL injections in "Magento." It's exactly what you'd expect; typical slapdash string concatenation/substitution. Nothing parameterized, nothing quoted properly. All the pradeeps and sanjays you'd expect to find among the committers.
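    The "string concatenation versus parameterized query" contrast that comments 4 and 4.1 above turn on, as an added example that is not Magento code and not from any commenter. Python with sqlite3 stands in for Magento's PHP/MySQL; the customer table, its two rows and the function names are constructed for this illustration. It also goes slightly beyond the thread's point by showing the allowlist fallback for a user-controlled sort column, because identifiers (unlike values) cannot be bound as parameters.

```python
import sqlite3

# Constructed sample data standing in for a store's customer table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (entity_id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO customer (email, password_hash) VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # "Before": the value is spliced into the SQL text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT entity_id, email FROM customer WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    # "After": the statement text is fixed; the driver sends the value
    # separately, so quotes and keywords in it are only ever data.
    sql = "SELECT entity_id, email FROM customer WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Column names cannot be bound as parameters (ORDER BY ? would sort by a
# constant), so the usual method is to compare the request value against a
# fixed allowlist and interpolate only the allowlisted name.
SORTABLE_FIELDS = {"entity_id", "email"}


def list_sorted(conn, sort_field):
    if sort_field not in SORTABLE_FIELDS:
        raise ValueError("unsupported sort field: %r" % sort_field)
    sql = "SELECT entity_id, email FROM customer ORDER BY %s" % sort_field
    return conn.execute(sql).fetchall()


# Classic tautology payload: closes the literal, then ORs in a true condition.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", lookup_vulnerable(db, PAYLOAD))      # every row comes back
    print("parameterized:", lookup_parameterized(db, PAYLOAD))  # no row has that literal email
    print("sorted:       ", list_sorted(db, "email"))
```

    The vulnerable lookup returns both rows for the payload because the resulting statement is `... WHERE email = '' OR '1'='1'`; the parameterized lookup returns nothing because the database compares the email column against the literal string `' OR '1'='1`. Both functions run the same sqlite3 driver, so the difference is entirely in how the value reaches the parser, which is the whole of the point phantomfive is making.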

    2. Re: perfection is possible by Anonymous Coward · · Score: 0

      Well, yeah the software is so simple it isn't even Turing complete. Check out the equivalent oracle release notes for a real chuckle. Real IT people like simple notes

    3. Re:perfection is possible by Anonymous Coward · · Score: 0

      Went and looked at some of these SQL injections in "Magento." It's exactly what you'd expect; typical slapdash string concatenation/substitution. Nothing parameterized, nothing quoted properly. All the pradeeps and sanjays you'd expect to find among the committers.

      I looked at the top committers on GitHub for the Magento/Magento2 project and they look like eastern European names to me... what repository did you look at?

    4. Re:perfection is possible by Anonymous Coward · · Score: 0

      Many of the third party extension developers for Magento 1.x and 2.x platforms are Indian, and there are a few that are very knowledgeable of the platform and quick to understand business cases and provide patches/guidance for their software. The core M2 developers seem to mostly be East European but are sprinkled quite a bit around the globe. Magento has very broad support for a variety of tax-related use cases which makes it an extremely popular offering for sites that need to support international and cross-currency sales. It would be easy to come to quick assumptions about the platform and its base if you only looked in one direction and not very deeply.

    5. Re:perfection is possible by Anonymous Coward · · Score: 0

      I've looked at the official Magento security update notes on this, and I can't see anything which indicates it is relating only to extensions, but rather the core product.
      Surely if this could be isolated to some poorly written extensions then they would list those?
      Still not seeing the "Indian submitters are responsible" connection as claimed.