Add to Compare: is there known exploitation?
09-10-2020
Question
Last week, one of my sites received a brute-force attack. When I checked the logs/reports, I saw this in my report:
a:5:{i:0;s:313:"SQLSTATE[23000]: Integrity constraint violation: 1452 Cannot add or update a child row: a foreign key constraint fails (`DB_Name`.`catalog_compare_item`, CONSTRAINT `FK_CAT_CMP_ITEM_PRD_ID_CAT_PRD_ENTT_ENTT_ID` FOREIGN KEY (`product_id`) REFERENCES `catalog_product_entity` (`entity_id`) ON DELETE CA)";i:1;s:2627:"#0 /lib/Varien/Db/Statement/Pdo/Mysql.php(110): Zend_Db_Statement_Pdo->_execute(Array){main}";s:3:"url";s:451:"/catalog/product_compare/index/items/495,543,1957,1960,1963,2192,2195,2593,2643,5656,5659,5663,5667,5670,6913,6914,6915,6916,6917,6918,6919,6920,6964,6965,6966,6967,6968,6969,6970,6971,6975,6978,6979,6980,6986,8319,9386,9397,9467,9470,9473,9476,9895,..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afetc/passwd/uenc/aHR0cHM6Ly93d3cuZGlnaXRhbGNpbmVtYS5jb20uYXUvY2xlYXJhbmNlP3Bvd2VyX2FtcF9zcGVha2VyX2NoYW5uZWw9MzAxJmFtcDtwcmljZT0xNTAwLQ,,/";s:11:"script_name";s:10:"/index.php";s:4:"skin";s:7:"default";}
Interestingly, these lines are different for each report:
/%5c../%5c../%5c../%5c../%5c../%5c../%5c../etc/passwd/uenc/
..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afetc/passwd/uenc
Are there any known vulnerabilities in the compare function? How can we deal with this?
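The two request paths quoted above use encodings that a naive search for "../" in the logs would miss: "%5c" decodes to a backslash, and "%c0%af" is an overlong (invalid) two-byte UTF-8 encoding of "/". The following PHP is an added example, not code from the question or from Magento; it normalizes a path for inspection only and flags ".." segments, so the same check catches both variants. The sample paths are constructed from the ones in the question plus a benign one.

```php
<?php
// Added example: flag directory-traversal attempts in logged request paths,
// including the "%5c.." and "..%c0%af" evasions shown in the question.

/**
 * Decode a URL path for inspection only (never for file access):
 * percent-decode, map the overlong form of "/" (0xC0 0xAF) to "/",
 * treat backslashes as separators and collapse repeated slashes.
 */
function normalizePathForInspection(string $path): string
{
    $decoded = rawurldecode($path);
    // 0xC0 0xAF is not valid UTF-8; lenient decoders may read it as "/".
    $decoded = str_replace("\xC0\xAF", '/', $decoded);
    // Windows-style separators count as separators too.
    $decoded = str_replace('\\', '/', $decoded);
    // "/\../" has become "//../"; collapse it to "/../".
    return preg_replace('#/+#', '/', $decoded);
}

/** True when the normalized path contains a ".." path segment. */
function looksLikeTraversal(string $path): bool
{
    $segments = explode('/', normalizePathForInspection($path));
    return in_array('..', $segments, true);
}

// Constructed sample lines: the two encodings from the question and a benign request.
$samples = [
    '/catalog/product_compare/index/items/495,543/%5c../%5c../%5c../etc/passwd/uenc/',
    '/catalog/product_compare/index/items/495,..%c0%af..%c0%af..%c0%afetc/passwd/uenc',
    '/catalog/product_compare/index/items/495,543,1957/uenc/aHR0cHM6Ly9leGFtcGxlLmNvbS8,,/',
];

foreach ($samples as $path) {
    printf("%-9s %s\n", looksLikeTraversal($path) ? 'TRAVERSAL' : 'ok', $path);
}
```

The first two samples are reported as traversal attempts, the third as clean. The normalization is deliberately lenient (it accepts the invalid overlong byte pair) because the goal is to recognize what an attacker tried, not to resolve a file path.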
Answer
The indexAction of the Product Compare Controller does an $items = explode(',', $items); on all the items sent via URL.
This means ,..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afetc/passwd would be treated as one of the items.
These items are added to the catalog/product_compare_list, where the items of $items are treated as product ids.
class Mage_Catalog_Model_Product_Compare_List extends Varien_Object
{
    /**
     * Add product to Compare List
     *
     * @param int|Mage_Catalog_Model_Product $product
     * @return Mage_Catalog_Model_Product_Compare_List
     */
    public function addProduct($product)
    {
        /* @var $item Mage_Catalog_Model_Product_Compare_Item */
        $item = Mage::getModel('catalog/product_compare_item');
        $this->_addVisitorToItem($item);
        $item->loadByProduct($product);
        if (!$item->getId()) {
            $item->addProductData($product);
            $item->save();
        }
        return $this;
    }

    /**
     * Add products to compare list
     *
     * @param array $productIds
     * @return Mage_Catalog_Model_Product_Compare_List
     */
    public function addProducts($productIds)
    {
        if (is_array($productIds)) {
            foreach ($productIds as $productId) {
                $this->addProduct($productId);
            }
        }
        return $this;
    }

    ...
}
Summing up: even though it looks weird in your logs, it does not seem to be exploitable to me.
If you're interested, I've answered a similar question here.
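The answer's explanation can be reproduced step by step: the items parameter is split on commas, so the traversal string becomes one more "product id", and it is that non-numeric value that the database rejects with the foreign-key error in the question. The PHP below is an added example, not Magento's code; splitItemsParam mirrors only the explode step described in the answer, and filterProductIds is a hypothetical whitelist filter that keeps just positive integers, so that a value like this never reaches the compare-list model in the first place.

```php
<?php
// Added example (not Magento's code): reproduce the parsing step from the
// answer and show a whitelist filter applied before the compare list.

/** Mirror of the controller's parsing step: a comma-separated id list. */
function splitItemsParam(string $items): array
{
    return explode(',', $items);
}

/**
 * Keep only values that are positive decimal integers. Anything else
 * (a traversal string, an empty field, "12abc") is dropped, so no
 * non-numeric value is ever handed to the model or the database.
 */
function filterProductIds(array $items): array
{
    $ids = [];
    foreach ($items as $item) {
        $item = trim($item);
        // ctype_digit('') is false, so empty fields are rejected as well.
        if (ctype_digit($item) && (int) $item > 0) {
            $ids[] = (int) $item;
        }
    }
    return array_values(array_unique($ids));
}

// Constructed input: a few ids from the question with a traversal payload
// appended as if it were one more item.
$raw = '495,543,1957,..%c0%af..%c0%af..%c0%afetc/passwd';

$split = splitItemsParam($raw);
echo "Last item after explode: ", end($split), PHP_EOL;

$ids = filterProductIds($split);
echo "Ids that survive the whitelist: ", implode(',', $ids), PHP_EOL;
```

Run as is, the first line prints the whole traversal string as a single item, which is what the answer describes; the second prints only 495,543,1957. With the filter in place the model only ever sees integers, and the foreign-key error (and the noisy report that goes with it) disappears, while requests with such payloads can still be flagged from the web server logs.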