Magento 2 – SQL injection bug
Once again Magento 2 is under attack. A serious SQL injection bug was detected and fixed in the current Magento 2 version. If you already run a Magento 2 shop, it is important to update its core now. If that is not possible for you, Magento offers a standalone bugfix, for the first time!
Magento Commerce and Open Source 2.3.1, 2.2.8 and 2.1.17 are out now with a bunch of security-related updates. One major issue is an SQL injection vulnerability. With an injection that is currently not publicly known (but fixed by the update) it is possible to read out the Magento 2 database. It is known that it has something to do with
/catalog/product/frontend_action_synchronize
You can find all details about it in the current bugfix.
Updates and bugfix
Normally Magento only offers updates of the Magento 2 core that fix currently known and reported security leaks. This time there is also PRODSECBUG-2198, a fix only for this SQL injection. This bugfix was created for live systems that cannot be updated immediately. So this time you have no excuse for not fixing this bug!
What is a SQL injection?
With an SQL injection it is possible to send an SQL statement through PHP code to the database. The response is printed out on Magento’s frontend page. By printing out various tables it is possible to collect data from the whole database. Normally it is not possible to call SQL statements directly from outside, but sometimes PHP code does not guard against SQL injection. Unchecked input fields are the major source of such attacks. In the case of Magento it can also be possible to write SQL statements into the browser URL, for example as an additional parameter. It seems that there is such a missing parameter check in the frontend_action_synchronize method.
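To make the missing-parameter-check mechanism concrete, here is an added PHP example (not code from Magento or from this post) of a small handler that, like a frontend action endpoint, takes a list of product ids from a URL parameter. The table name, column names and the parameter format are assumptions for illustration; it uses an in-memory SQLite database so it runs stand-alone with the PHP CLI.

```php
<?php
// Added illustration, not Magento code. Table and column names are assumed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE product (entity_id INTEGER PRIMARY KEY, sku TEXT)');
$db->exec("INSERT INTO product VALUES (1,'sku-1'),(2,'sku-2'),(3,'sku-3')");

// Vulnerable: the URL parameter is pasted into the SQL text unchecked, so
// whatever the caller appends after a closing parenthesis becomes part of
// the WHERE clause instead of data.
function lookupUnsafe(PDO $db, string $ids): array
{
    $sql = "SELECT entity_id, sku FROM product WHERE entity_id IN ($ids)";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: enforce the parameter's expected shape (a comma-separated list of
// positive integers) before it reaches SQL, then bind every value as a
// placeholder so the database never parses it as SQL.
function lookupSafe(PDO $db, string $ids): array
{
    $list = array_map('trim', explode(',', $ids));
    foreach ($list as $id) {
        if (!preg_match('/^[1-9][0-9]*$/', $id)) {
            throw new InvalidArgumentException("Rejected product id: $id");
        }
    }
    $placeholders = implode(',', array_fill(0, count($list), '?'));
    $stmt = $db->prepare(
        "SELECT entity_id, sku FROM product WHERE entity_id IN ($placeholders)"
    );
    $stmt->execute(array_map('intval', $list));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request values: a normal list and one that smuggles extra SQL.
$normal  = '1,2';
$crafted = '1) OR (1=1';

echo count(lookupUnsafe($db, $normal)), " rows for normal input (unsafe)\n";
echo count(lookupUnsafe($db, $crafted)), " rows for crafted input (unsafe)\n";
echo count(lookupSafe($db, $normal)), " rows for normal input (safe)\n";
try {
    lookupSafe($db, $crafted);
} catch (InvalidArgumentException $e) {
    echo "safe handler: ", $e->getMessage(), "\n"; // stopped before any SQL runs
}
```

The unsafe variant returns the whole table for the crafted input because the WHERE clause has been rewritten, while the hardened variant rejects it during validation; the same two rules (validate the parameter's shape, bind values) are what a missing parameter check in a controller leaves out.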
Conclusion
Save your shop! Install the SQL injection bugfix immediately or update your Magento 2 core version. See Magento patch SUPEE-11086 for further information about the Magento 1 problem.