Among these, the SQL injection bug was one of the most critical because it requires no authentication: an attacker can exploit it without any privilege or credentials. According to the advisory published by the Magento team, the affected versions are 2.1 prior to 2.1.17, 2.2 prior to 2.2.8, and 2.3 prior to 2.3.1.
This unauthenticated SQL injection vulnerability was found by the security firm Ambionics, which also published the full technical details of the bug. In their post, they mention that they found two critical vulnerabilities, one of which is the unauthenticated SQL injection.
SQL injections allow an attacker to manipulate site arguments to inject their own commands into an SQL database (Oracle, MySQL, MariaDB, MSSQL). Through this vulnerability, they can retrieve sensitive data from an affected site's database, including usernames and password hashes.
Ambionics reported the issue to the Magento team via the Bugcrowd platform. They also describe a patch for the bug that the site admin can apply (if an update is not made). To patch the SQL injection, browse to File: vendor/magento/framework/DB/Adapter/Pdo/Mysql.php Line: 2907, and make the following changes.
- $query = $this->_prepareQuotedSqlCondition($query . $conditionKeyMap['to'], $to, $fieldName);
+ $query = $query . $this->_prepareQuotedSqlCondition($conditionKeyMap['to'], $to, $fieldName);
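Review bot: the `+` line needs a short comment saying that `$query` must stay outside `_prepareQuotedSqlCondition()`, because nothing in the new line tells a later maintainer why the concatenation was moved, and a tidy-up could fold `$query . $conditionKeyMap['to']` back into the first argument as in the `-` line. The hunk also has no context lines and is located only by "Line: 2907", so find the line by its content rather than its number when applying it to a 2.1, 2.2 or 2.3 tree. Since the file lives under `vendor/`, record the change as a tracked patch in the deployment process so that reinstalling dependencies does not silently restore the old line.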
Ambionics has also published the exploit code for this bug on GitHub.
The SQL vulnerability is very easy to exploit, and we encourage every Magento site owner to update to these recently patched versions to protect their e-commerce websites. Unauthenticated attacks, like the one seen in this particular SQL injection vulnerability, are very serious because they can be automated.
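The check below is an added example, not code from Magento or Ambionics: it tells a site owner whether an installation still contains the pre-patch line from the diff above. The function name `check_magento_patch` and its return codes are assumptions of this example; the file path and the two code fragments are the ones quoted in this article.

```bash
#!/usr/bin/env bash
# Added example: report whether the DB adapter still has the pre-patch line.
# Return codes (assumed by this example): 0 patched, 1 vulnerable, 2 unknown.

# Path quoted in the article, relative to the Magento root directory.
ADAPTER_REL="vendor/magento/framework/DB/Adapter/Pdo/Mysql.php"

# Fixed-string fragments of the '-' and '+' lines of the patch. Matching on
# content avoids relying on "Line: 2907", which may differ between releases.
VULN_CALL="\$this->_prepareQuotedSqlCondition(\$query . \$conditionKeyMap['to']"
FIXED_CALL="\$query . \$this->_prepareQuotedSqlCondition(\$conditionKeyMap['to']"

check_magento_patch() {
    adapter_file="$1/$ADAPTER_REL"

    if [ ! -r "$adapter_file" ]; then
        echo "unknown: cannot read $adapter_file"
        return 2
    fi

    # Look for the vulnerable form first: if it is present anywhere, the
    # file needs attention even if the fixed form also appears.
    if grep -qF -- "$VULN_CALL" "$adapter_file"; then
        echo "vulnerable: pre-patch line found in $adapter_file"
        grep -nF -- "$VULN_CALL" "$adapter_file"
        return 1
    fi

    if grep -qF -- "$FIXED_CALL" "$adapter_file"; then
        echo "patched: fixed line found in $adapter_file"
        return 0
    fi

    # Neither form matched: the file may be reformatted or from another
    # release, so the result has to be confirmed by hand.
    echo "unknown: neither form of the line found in $adapter_file"
    return 2
}

# When run as a script, the first argument is the Magento root directory.
if [ "$#" -gt 0 ]; then
    check_magento_patch "$1"
fi
```

A "patched" result only confirms that this one line matches the fix; updating to a patched release remains the way to pick up the other fixes in the same advisory.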