CVE-2014-1634 - SQL Injection in Advanced Newsletter Magento extension

1. Vulnerability Properties

Title: SQL Injection vulnerability in Advanced Newsletter Magento extension

CVE ID: CVE-2014-1634

CVSSv2 Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Vendor: aheadWorks (http://aheadworks.com/)

Products: Advanced Newsletter Magento Extension

Advisory Release Date: 20 September 2014

Advisory URL: http://labs.integrity.pt/advisories/cve-2014-1634/

Credits: Discovery by Cláudio André <ca[at]integrity.pt>

2. Vulnerability Summary

A remote unauthenticated attacker is able to execute arbitrary SQL commands via the REST URL parameter an_category_id in /advancednewsletter/index/subscribeajax/an_category_id/.

3. Technical Details

The vulnerability can be confirmed by sending the following HTTP request:

GET /store/advancednewsletter/index/subscribeajax/an_category_id/0'%2bbenchmark(20000000%2csha1(1))%2b'/ HTTP/1.1
Host: www.example.com

In this example the database backend is a MySQL DBMS, so the benchmark() function is used to exercise a time-based SQL injection: the request completes only after the database has spent measurable time on the injected expression.
Exploiting this vulnerability could allow an attacker to compromise the application, access or modify data, and even execute commands on the operating system, depending on the DBMS and configuration details.
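As an added defender-side example (not part of the advisory), the script below scans web server access logs for requests to the affected route and flags any an_category_id value that is not a plain integer, so it catches the probe above as well as other non-numeric variants. It assumes Apache/nginx "combined" log format and uses constructed sample lines; the route path comes from the advisory.

```python
import re
from urllib.parse import unquote

# Route named in the advisory; the legitimate value is a numeric category id.
ROUTE = "/advancednewsletter/index/subscribeajax/an_category_id/"
# "combined" access-log format (assumption); only client IP and request path are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def extract_category_id(path):
    """Return the percent-decoded an_category_id value from a request path, or None if the route is absent."""
    decoded = unquote(path.split("?", 1)[0])
    idx = decoded.find(ROUTE)
    if idx == -1:
        return None
    rest = decoded[idx + len(ROUTE):]
    return rest.split("/", 1)[0]


def classify_category_id(value):
    """'ok' for a plain integer id, 'suspicious' for anything else (quotes, SQL functions, operators)."""
    if value is None:
        return None
    return "ok" if re.fullmatch(r"\d+", value) else "suspicious"


def scan_log(lines):
    """Return (client_ip, decoded_value) for every subscribeajax request whose id is not a plain integer."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        value = extract_category_id(m.group("path"))
        if classify_category_id(value) == "suspicious":
            findings.append((m.group("ip"), value))
    return findings


# Constructed sample log lines (not from a real system): a benign request, the probe from the
# advisory percent-encoded as a client would send it, and an unrelated catalog request.
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Sep/2014:10:00:01 +0000] "GET /store/advancednewsletter/index/subscribeajax/an_category_id/3/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [20/Sep/2014:10:00:09 +0000] "GET /store/advancednewsletter/index/subscribeajax/an_category_id/0\'%2bbenchmark(20000000%2csha1(1))%2b\'/ HTTP/1.1" 200 512',
    '203.0.113.10 - - [20/Sep/2014:10:00:12 +0000] "GET /store/catalog/category/view/id/3/ HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for ip, value in scan_log(SAMPLE_LOG):
        print(f"{ip} sent non-numeric an_category_id: {value!r}")
```

A slow response time on the same route alongside a flagged request is the corroborating signal for the time-based technique described above.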

4. Vulnerable Versions

Confirmed on version 2.3.4

5. Solution

Upgrade to version 2.3.5

6. Vulnerability Timeline

22 Jan 2014 – Vulnerability reported to vendor
23 Jan 2014 – Vendor requested more details
24 Jan 2014 – Vendor acknowledged vulnerability and released new version