Question

Last week, one of my sites received a brute-force attack. When I checked the log/reports, I saw this in my report:

a:5:{i:0;s:313:"SQLSTATE[23000]: Integrity constraint violation: 1452 Cannot add or update a child row: a foreign key constraint fails (DB_Name.catalog_compare_item, CONSTRAINT FK_CAT_CMP_ITEM_PRD_ID_CAT_PRD_ENTT_ENTT_ID FOREIGN KEY (product_id) REFERENCES catalog_product_entity (entity_id) ON DELETE CA)";i:1;s:2627:"#0 /lib/Varien/Db/Statement/Pdo/Mysql.php(110): Zend_Db_Statement_Pdo->_execute(Array)

{main}";s:3:"url";s:451:"/catalog/product_compare/index/items/495,543,1957,1960,1963,2192,2195,2593,2643,5656,5659,5663,5667,5670,6913,6914,6915,6916,6917,6918,6919,6920,6964,6965,6966,6967,6968,6969,6970,6971,6975,6978,6979,6980,6986,8319,9386,9397,9467,9470,9473,9476,9895,..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afetc/passwd/uenc/aHR0cHM6Ly93d3cuZGlnaXRhbGNpbmVtYS5jb20uYXUvY2xlYXJhbmNlP3Bvd2VyX2FtcF9zcGVha2VyX2NoYW5uZWw9MzAxJmFtcDtwcmljZT0xNTAwLQ,,/";s:11:"script_name";s:10:"/index.php";s:4:"skin";s:7:"default";}

Interestingly, these lines are different for each report:

/%5c../%5c../%5c../%5c../%5c../%5c../%5c../etc/passwd/uenc/

..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afetc/passwd/uenc

Is there any known vulnerability in the compare function? How can we deal with this?


Solution

The indexAction of the Product Compare Controller does an $items = explode(',', $items); on all the items sent via URL. This means ,..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afetc/passwd would be treated as one of the items. These items are added to the catalog/product_compare_list, wherein the items of $items are treated as product IDs.

class Mage_Catalog_Model_Product_Compare_List extends Varien_Object
{
    /**
     * Add product to Compare List
     *
     * @param int|Mage_Catalog_Model_Product $product
     * @return Mage_Catalog_Model_Product_Compare_List
     */
    public function addProduct($product)
    {
        /* @var $item Mage_Catalog_Model_Product_Compare_Item */
        $item = Mage::getModel('catalog/product_compare_item');
        $this->_addVisitorToItem($item);
        $item->loadByProduct($product);

        if (!$item->getId()) {
            $item->addProductData($product);
            $item->save();
        }

        return $this;
    }

    /**
     * Add products to compare list
     *
     * @param array $productIds
     * @return Mage_Catalog_Model_Product_Compare_List
     */
    public function addProducts($productIds)
    {
        if (is_array($productIds)) {
            foreach ($productIds as $productId) {
                $this->addProduct($productId);
            }
        }
        return $this;
    }
    ...
}

Summing up: Even though it looks weird in your logs it does not seem to be exploitable to me.

If you're interested, I've answered a similar question here.
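
A log-triage sketch for the probes quoted in the question, added here as an example (it is not part of the original post or of Magento's code): it splits the `items` value on commas as the answer describes, keeps only purely numeric product IDs, and flags traversal sequences hidden behind `%5c` and the overlong UTF-8 sequence `%c0%af`. The function names, the shortened sample paths and the assumption that the `items` value is the path segment right after `items` belong to this example only.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample paths, shortened from the URLs quoted in the question;
# "abc,," stands in for the uenc value.
SAMPLES = [
    "/catalog/product_compare/index/items/495,543,..%c0%af..%c0%afetc/passwd/uenc/abc,,/",
    "/catalog/product_compare/index/items/495/%5c../%5c../etc/passwd/uenc/abc,,/",
    "/catalog/product_compare/index/items/495,543,1957/uenc/abc,,/",
]

# 0xC0 and 0xC1 never appear in valid UTF-8. Followed by a continuation byte
# they form an overlong two-byte encoding of an ASCII character (C0 AF = "/").
OVERLONG = re.compile(rb"([\xc0\xc1])([\x80-\xbf])")


def fold(data: bytes) -> str:
    """Fold overlong sequences to ASCII and backslashes to '/' so separators compare equal."""
    data = OVERLONG.sub(
        lambda m: bytes([((m.group(1)[0] & 0x1F) << 6) | (m.group(2)[0] & 0x3F)]),
        data,
    )
    return data.replace(b"\\", b"/").decode("utf-8", errors="replace")


def triage(path: str) -> dict:
    segments = path.split("/")
    # Assumption: the items value is the path segment right after "items".
    raw = segments[segments.index("items") + 1] if "items" in segments[:-1] else ""
    # Same split as explode(',', $items) in the controller.
    items = unquote_to_bytes(raw).split(b",") if raw else []
    return {
        # Only ASCII-digit strings can be product IDs.
        "product_ids": [int(i) for i in items if i.isdigit()],
        "rejected": [fold(i) for i in items if not i.isdigit()],
        # A ".." component anywhere in the folded path marks a traversal probe.
        "traversal": ".." in re.split(r"[/,]", fold(unquote_to_bytes(path))),
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

Applying the same digits-only filter to the exploded items before they reach addProducts() would keep non-numeric values from ever getting as far as the foreign key check.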

Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange