M

MD Quickview RCE vulnerability

RCE vulnerability in MD Quickview extension

MD Quickview extension (also distributed as Smartwave/Quickview or Sns/Quickview and similar Quickview extensions with various design themes such as Smartwave Porto or Sns Nova) is vulnerable to SQL injection. The vulnerability allows a remote attacker to take complete control over infected store after a single URL call. If you have Quickview extension installed in your shop please consider to immediately disable it and uninstall or patch later.

This SQL RCE vulnerability was listed in Magento’s security report from April 26, 2016 and we still see it unpatched on a number of infected stores.

Typical fix is to escape SQL code in IndexController.php:
@@ -18,8 +18,9 @@
         $tableName = Mage::getSingleton('core/resource')->getTableName('core_url_rewrite');
         $write = Mage::getSingleton('core/resource')->getConnection('core_write');
 
-        $query = "select MAIN_TABLE.`product_id` from `{$tableName}` as MAIN_TABLE where MAIN_TABLE.`request_path` in('{$path}')";
-        $readresult=$write->query($query);
+        $query = "select MAIN_TABLE.`product_id` from `{$tableName}` as MAIN_TABLE where MAIN_TABLE.`request_path` in(:path)";
+        $binds = array( 'path' => $path );
+        $readresult=$write->query($query,$binds);
         if ($row = $readresult->fetch() ) {
             $productId=$row['product_id'];
         }
MD Quickview RCE vulnerability
30 votes, 4.00 avg. rating (80% score)
  • Nafiz

    how do i patch it?

  • Scode

    Hi Magentary. Occasionally when I run your patch tester it says my webstore has MD Quickview & EM Quickshop vulnerabilities. However when testing again that disappears and most scans don’t return it. I just see it every so often. Should I be concerned?

    In Magento backend System – Config – Advanced – Advanced I don’t see the two of them in the modules list. Would they be there if I had them? Thanks for clarifying.

    • magentary

      No, your store is not vulnerable, however there is possible resource shortage on server or other issues, resulting in sporadic errors on various pages. I would suggest you to check var/report directory and to monitor store state during peak hours.
      False positive result in tester comes from “501 Internal error” or “503 Temporarily unavailable” response from your server on probe result.