
Smartwave QuickView SQL injection vulnerability

The Smartwave/Quickview extension (also distributed as Sns/Quickview and similar Quickview extensions with various design themes such as Smartwave Porto or Sns Nova) is vulnerable to SQL injection. The vulnerability allows a remote attacker to take complete control of an affected store with a single URL call. If you have the Quickview extension installed in your shop and our scan tool indicated that your store is vulnerable, please consider disabling the extension immediately and uninstalling or patching it later.

This SQL RCE vulnerability was listed in Magento’s security report from April 26, 2016 and we still see it unpatched on a number of infected stores.
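A local check for the unpatched query, as an added example (not code from the extension or from the scan tool mentioned above): it looks for the interpolated `in('{$path}')` line that the patch in this article removes. It assumes the extension's directory name contains "quickview"; `classify` and `scan` are names chosen for this example.

```python
import os
import re
import sys

# Unpatched form from the article's patch: $path interpolated into the SQL string.
VULNERABLE = re.compile(r"request_path`?\s+in\s*\(\s*'\{\$path\}'\s*\)", re.I)
# Patched form from the article's patch: a named placeholder ...
PLACEHOLDER = re.compile(r"request_path`?\s+in\s*\(\s*:path\s*\)", re.I)
# ... that is actually passed to query() as a bind array.
BIND = re.compile(r"->query\(\s*\$query\s*,\s*\$\w+\s*\)")


def classify(source):
    """Return 'vulnerable', 'patched' or 'unknown' for controller source text."""
    if VULNERABLE.search(source):
        return "vulnerable"
    if PLACEHOLDER.search(source) and BIND.search(source):
        return "patched"
    return "unknown"


def scan(root):
    """Classify every IndexController.php below a directory named *quickview*."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        # Assumption: vendor copies (Smartwave, Sns, ...) keep "Quickview" in the path.
        if "quickview" not in dirpath.lower():
            continue
        for name in files:
            if name == "IndexController.php":
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results[path] = classify(fh.read())
    return results


if __name__ == "__main__":
    found = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, verdict in sorted(found.items()):
        print(f"{verdict:10} {path}")
    # Non-zero exit lets a deploy or cron job fail on an unpatched copy.
    sys.exit(1 if "vulnerable" in found.values() else 0)
```

An `unknown` verdict means the file matches neither form from the patch and needs manual review.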

The typical fix is to escape the input to the SQL query in IndexController.php by passing `$path` as a bound parameter:
@@ -18,8 +18,9 @@
         $tableName = Mage::getSingleton('core/resource')->getTableName('core_url_rewrite');
         $write = Mage::getSingleton('core/resource')->getConnection('core_write');
 
-        $query = "select MAIN_TABLE.`product_id` from `{$tableName}` as MAIN_TABLE where MAIN_TABLE.`request_path` in('{$path}')";
-        $readresult=$write->query($query);
+        $query = "select MAIN_TABLE.`product_id` from `{$tableName}` as MAIN_TABLE where MAIN_TABLE.`request_path` in(:path)";
+        $binds = array( 'path' => $path );
+        $readresult=$write->query($query,$binds);
         if ($row = $readresult->fetch() ) {
             $productId=$row['product_id'];
         }
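Review bot: the lookup still runs on the `core_write` connection (context line `getConnection('core_write')`) even though the query is a plain `select`; use the `core_read` connection for it. On the new query line, `in(:path)` binds exactly one value, so `= :path` states the intent more clearly. The trailing context also shows `$productId` being assigned only when `fetch()` returns a row, so confirm it has a default before it is used further down.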