MD Quickview RCE vulnerability

RCE vulnerability in MD Quickview extension

The MD Quickview extension (also distributed as Smartwave/Quickview or Sns/Quickview, and as similar Quickview extensions bundled with design themes such as Smartwave Porto or Sns Nova) is vulnerable to SQL injection. The vulnerability allows a remote attacker to take complete control of the store with a single URL call. If you have a Quickview extension installed in your shop, please consider disabling it immediately, then uninstall or patch it later.

This SQL RCE vulnerability was listed in Magento’s security report from April 26, 2016, and we still see it unpatched on a number of infected stores.
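To check whether a store still carries the unpatched query, the following added example (not code from the extension or from this advisory) looks for the interpolated `in('{$path}')` clause that the fix on this page replaces with a bound `in(:path)`. The function names and the rule of matching directories whose name contains "quickview" are assumptions.

```python
import re
import sys
from pathlib import Path

# Constructed samples: the tails of the two query strings in this page's diff.
VULNERABLE_SAMPLE = "where MAIN_TABLE.`request_path` in('{$path}')"
PATCHED_SAMPLE = "where MAIN_TABLE.`request_path` in(:path)"

# A PHP variable interpolated inside a quoted SQL in('...') clause.
INTERPOLATED_IN = re.compile(r"\bin\s*\(\s*'\s*\{?\$\w+\}?\s*'\s*\)", re.IGNORECASE)
# The same clause written with a named placeholder, e.g. in(:path).
BOUND_IN = re.compile(r"\bin\s*\(\s*:\w+\s*\)", re.IGNORECASE)


def classify(php_source):
    """Return 'vulnerable', 'patched' or 'unknown' for one controller source."""
    if INTERPOLATED_IN.search(php_source):
        return "vulnerable"
    if BOUND_IN.search(php_source):
        return "patched"
    return "unknown"


def scan(root):
    """Classify every IndexController.php below a directory named like Quickview.

    Assumption: the extension's directory name contains "quickview"
    (case-insensitive), as in Smartwave/Quickview or Sns/Quickview.
    """
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("IndexController.php")):
        rel = path.relative_to(root)
        if "quickview" not in str(rel).lower():
            continue
        results[str(rel)] = classify(path.read_text(errors="replace"))
    return results


if __name__ == "__main__":
    # Usage: python check_quickview.py /path/to/magento/root
    findings = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel, status in findings.items():
        print(f"{status:10} {rel}")
    # Non-zero exit when any controller still interpolates the variable.
    sys.exit(1 if "vulnerable" in findings.values() else 0)
```

A result of `unknown` means neither form of the clause was found, so that controller needs a manual look.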

The typical fix is to escape the SQL input in IndexController.php by passing it to the query as a bound parameter:
@@ -18,8 +18,9 @@
         $tableName = Mage::getSingleton('core/resource')->getTableName('core_url_rewrite');
         $write = Mage::getSingleton('core/resource')->getConnection('core_write');
 
-        $query = "select MAIN_TABLE.`product_id` from `{$tableName}` as MAIN_TABLE where MAIN_TABLE.`request_path` in('{$path}')";
-        $readresult=$write->query($query);
+        $query = "select MAIN_TABLE.`product_id` from `{$tableName}` as MAIN_TABLE where MAIN_TABLE.`request_path` in(:path)";
+        $binds = array( 'path' => $path );
+        $readresult=$write->query($query,$binds);
         if ($row = $readresult->fetch() ) {
             $productId=$row['product_id'];
         }
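Review bot: on the added query line, `in(:path)` binds a single scalar, so the clause is really an equality test; writing `request_path = :path` would state that directly and avoid suggesting that a list can pass through the one placeholder. The lookup is also still issued on the `core_write` connection fetched in the context line above, where a `core_read` connection would fit a read-only SELECT. In the trailing context, `$productId` is assigned only inside the `if`, so it should be initialised before that block unless the code below the hunk already handles the no-row case.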