1. Vulnerability Properties
Title: SQL Injection vulnerability in Advanced Newsletter Magento extension
CVE ID: CVE-2014-1634
CVSSv2 Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Vendor: aheadWorks (http://aheadworks.com/)
Products: Advanced Newsletter Magento Extension
Advisory Release Date: 20 September 2014
Advisory URL: http://labs.integrity.pt/advisories/cve-2014-1634/
Credits: Discovery by Cláudio André <ca[at]integrity.pt>
2. Vulnerability Summary
A remote, unauthenticated attacker can execute arbitrary SQL commands through the an_category_id parameter, which the extension reads from the URL path /advancednewsletter/index/subscribeajax/an_category_id/ and passes into a database query without sanitization.
3. Technical Details
The vulnerability can be confirmed by sending the following HTTP request:
GET /store/advancednewsletter/index/subscribeajax/an_category_id/0'%2bbenchmark(20000000%2csha1(1))%2b'/ HTTP/1.1
Host: www.example.com
In this request %2b and %2c are the URL-encoded forms of + and , so the value received by the application is 0'+benchmark(20000000,sha1(1))+'. The database backend is MySQL, therefore the MySQL benchmark() function is used to confirm a time-based (blind) SQL injection: if the injected call is executed, the response is delayed by several seconds compared with a request carrying an ordinary category id.
Exploiting this vulnerability could allow an attacker to compromise the application, read or modify database contents and, depending on the DBMS and its configuration, execute commands on the underlying operating system.
4. Vulnerable Versions
Confirmed on version 2.3.4
5. Solution
Upgrade to version 2.3.5
6. Vulnerability Timeline
22 Jan 2014 – Vulnerability reported to vendor
23 Jan 2014 – Vendor requested more details
24 Jan 2014 – Vendor acknowledged vulnerability and released new version