This SQL RCE vulnerability was listed in Magento’s security report from April 26, 2016 and we still see it unpatched on a number of infected stores.
The typical fix is to stop interpolating the request path into the SQL string in IndexController.php and pass it as a bound query parameter instead:
@@ -18,8 +18,9 @@ $tableName = Mage::getSingleton('core/resource')->getTableName('core_url_rewrite'); $write = Mage::getSingleton('core/resource')->getConnection('core_write'); - $query = "select MAIN_TABLE.`product_id` from `{$tableName}` as MAIN_TABLE where MAIN_TABLE.`request_path` in('{$path}')"; - $readresult=$write->query($query); + $query = "select MAIN_TABLE.`product_id` from `{$tableName}` as MAIN_TABLE where MAIN_TABLE.`request_path` in(:path)"; + $binds = array( 'path' => $path ); + $readresult=$write->query($query,$binds); if ($row = $readresult->fetch() ) { $productId=$row['product_id']; }
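Review bot: the `in(:path)` form in the added `$query` line binds `$path` as a single scalar, so it behaves exactly like `= :path` and should be written that way: `where MAIN_TABLE.\`request_path\` = :path`. Keeping `in(...)` invites a later reader to assume a comma-separated list of paths can be passed through the bind, but a bound value is compared as one literal string, not expanded into a list. The bind itself is the right fix, since the removed line concatenated `{$path}` straight into the statement; one further style point is that this is a plain SELECT, so it can run on `getConnection('core_read')` rather than `core_write`.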