Question

As I was updating ready for installing the new patches on a site I have inherited, I found this in my reports:

a:5:{i:0;s:313:"SQLSTATE[23000]: Integrity constraint violation: 1452 Cannot add or update a child row: a foreign key constraint fails (`__COMPANYNAME___magento`.`__COMPANYNAME__catalog_compare_item`, CONSTRAINT `FK___COMPANYNAME__CAT_CMP_ITEM_PRD_ID___COMPANYNAME__CAT_PRD_ENTT_ENTT_ID` FOREIGN KEY (`product_id`) REFERENCES `__COMPANYNAME__catalog_product_entit)";i:1;s:2270:"#0 lib/Varien/Db/Statement/Pdo/Mysql.php(110): Zend_Db_Statement_Pdo->_execute(Array)
#1 app/code/core/Zend/Db/Statement.php(291): Varien_Db_Statement_Pdo_Mysql->_execute(Array)
#2 lib/Zend/Db/Adapter/Abstract.php(480): Zend_Db_Statement->execute(Array)
#3 lib/Zend/Db/Adapter/Pdo/Abstract.php(238): Zend_Db_Adapter_Abstract->query('INSERT INTO `ge...', Array)
#4 lib/Varien/Db/Adapter/Pdo/Mysql.php(428): Zend_Db_Adapter_Pdo_Abstract->query('INSERT INTO `ge...', Array)
#5 lib/Zend/Db/Adapter/Abstract.php(576): Varien_Db_Adapter_Pdo_Mysql->query('INSERT INTO `ge...', Array)
#6 app/code/core/Mage/Core/Model/Resource/Db/Abstract.php(453): Zend_Db_Adapter_Abstract->insert('__COMPANYNAME__catalog...', Array)
#7 app/code/core/Mage/Core/Model/Abstract.php(318): Mage_Core_Model_Resource_Db_Abstract->save(Object(Mage_Catalog_Model_Product_Compare_Item))
#8 app/code/core/Mage/Catalog/Model/Product/Compare/List.php(51): Mage_Core_Model_Abstract->save()
#9 app/code/core/Mage/Catalog/Model/Product/Compare/List.php(67): Mage_Catalog_Model_Product_Compare_List->addProduct('http:')
#10 app/code/core/Mage/Catalog/controllers/Product/CompareController.php(63): Mage_Catalog_Model_Product_Compare_List->addProducts(Array)
#11 app/code/core/Mage/Core/Controller/Varien/Action.php(418): Mage_Catalog_Product_CompareController->indexAction()
#12 app/code/core/Mage/Core/Controller/Varien/Router/Standard.php(254): Mage_Core_Controller_Varien_Action->dispatch('index')
#13 app/code/core/Mage/Core/Controller/Varien/Front.php(172): Mage_Core_Controller_Varien_Router_Standard->match(Object(Mage_Core_Controller_Request_Http))
#14 app/code/core/Mage/Core/Model/App.php(354): Mage_Core_Controller_Varien_Front->dispatch()
#15 app/Mage.php(684): Mage_Core_Model_App->run(Array)
#16 index.php(87): Mage::run('', 'store')
#17 {main}";s:3:"url";s:329:"/catalog/product_compare/index/items/244,http://some-inexistent-website.acu/some_inexistent_file_with_long_name%3F.jpg,246,251,253,254,255,256,257,258,264,266,267,268,269,271,272,273,274,275,276,277,278,287,339/uenc/aHR0cDovL3d3dy5nZWxwYWNrc2RpcmVjdC5jby51ay9jYXRhbG9nc2VhcmNoL3Jlc3VsdC9pbmRleC8_bW9kZT1saXN0JnE9aWNlJTIwd3JhcA,,/";s:11:"script_name";s:10:"/index.php";s:4:"skin";s:7:"default";}

By accessing the url example.com/catalog/product_compare/index/items/244,http://some-inexistent-website.acu/some_inexistent_file_with_long_name%3F.jpg,246,251,253,254,255,256,257,258,264,266,267,268,269,271,272,273,274,275,276,277,278,287,339/uenc/aHR0cDovL3d3dy5nZWxwYWNrc2RpcmVjdC5jby51ay9jYXRhbG9nc2VhcmNoL3Jlc3VsdC9pbmRleC8_bW9kZT1saXN0JnE9aWNlJTIwd3JhcA,,/

I would have thought it would fail before getting to the MySQL error and this is not normal, although everything in the stack trace is from the Core codepool.

Magento version is CE 1.9.0.1


Solution

First thing: I can reproduce your issue with Magento CE 1.9.0.1.

The indexAction in Mage_Catalog_Product_CompareController takes 2 parameters from the request: items and uenc.

  • Items can have multiple entries, separated by a comma (,).

  • Uenc is the decoded value of the url which was accessed before the compare. I don't disclose it here and it is actually not necessary for the rest.

The items

Continuing with the items: Actually the values it tries to insert are 244,,http: as the slash is treated as a separator for the other parameters. The addProducts and then addProduct function of Mage_Catalog_Model_Product_Compare_List try to load the product by id. As the loading of a product with the id http: fails, it tries to add this to the product compare list which fails as it is not a valid product entity_id.

The product_id column of the catalog_compare_item is an integer value which has a foreign key set to the entity_id column of the catalog_product_entity table.

So actually you won't be able to insert any random data here as the foreign key checks if the product with the given id is present in the database.

I would have thought it would fail before getting to the MySQL error

I agree. It's not a very nice way of input validation and sanitizing. It should not be possible for non-numeric values to be processed that far and trying to be inserted into the database.

Anyway you won't be able to insert any non-numeric values which are not present in the product table as entity id.
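
The parsing and the missing check described in the answer, as an added example that is not part of the original answer and not Magento core code: a standalone PHP 7+ script that models how the "/" in the injected URL cuts the items value short, then filters the ids before anything would be loaded or inserted. The function names, the simplified path-splitting model and the 10-digit bound are assumptions made for illustration.

```php
<?php
// Added illustration; not Magento core code. Function names are hypothetical.

// Simplified model of path-style parameters: after module/controller/action,
// the remaining "/"-separated segments are read as key/value pairs.
function parsePathParams(string $path): array
{
    $segments = array_slice(explode('/', trim($path, '/')), 3);
    $params = [];
    for ($i = 0, $n = count($segments); $i < $n; $i += 2) {
        $params[$segments[$i]] = urldecode($segments[$i + 1] ?? '');
    }
    return $params;
}

// Split the comma-separated "items" value and keep only positive integers.
// Assumption: ids have at most 10 digits; adjust to the column type in use.
function filterProductIds(string $items): array
{
    $accepted = [];
    $rejected = [];
    foreach (explode(',', $items) as $raw) {
        if ($raw === '') {
            continue; // empty entry, e.g. from "244,,246"
        }
        if (preg_match('/\A[1-9][0-9]{0,9}\z/', $raw) === 1) {
            $accepted[] = (int) $raw;
        } else {
            $rejected[] = $raw; // never reaches product load or INSERT
        }
    }
    return ['accepted' => array_values(array_unique($accepted)), 'rejected' => $rejected];
}

// Constructed request path, shortened from the one in the report.
$path = '/catalog/product_compare/index/items/244,http://some-inexistent-website.acu/'
      . 'some_inexistent_file_with_long_name%3F.jpg,246,251/uenc/PLACEHOLDER,,/';

$params = parsePathParams($path);
$result = filterProductIds($params['items'] ?? '');

echo 'items parameter: ', $params['items'], PHP_EOL;
echo 'accepted ids:    ', implode(',', $result['accepted']), PHP_EOL;
echo 'rejected values: ', json_encode($result['rejected']), PHP_EOL;
```

With a filter like this in front of the model, the foreign key stays in place as a second check rather than being the only thing that stops a non-numeric value.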

Licensed under: CC-BY-SA with attribution