PRODSECBUG-2198 is a SQL injection vulnerability that attackers can exploit with no authentication required. Attack code was published on Friday that exploits a critical vulnerability in the Magento e-commerce platform.

PRODSECBUG-2198 is a SQL injection vulnerability that attackers can exploit with no authentication required. Hackers could exploit the flaw to take administrative control of administrator accounts, assuming the hackers can download user names and password hashes and crack the hashes. From there, attackers could install the backdoors or skimming code of their choice. A researcher at Web security firm Sucuri said Thursday that company researchers reverse-engineered an official patch released Tuesday and successfully created a working proof-of-concept exploit.

“There is no doubt threat actors are either actively reversing the patch or waiting for a proof of concept to exploit this flaw at scale,” Jérôme Segura, lead malware intelligence analyst at Malwarebytes, told on Thursday. “When it comes to hacked Magento websites, Web skimmers are the most common infection type we see because of their high return on investment. As a result, we can expect another wave of compromises in light of this newly found critical vulnerability.”

On Friday, a proof-of-concept exploit was published here. Comments in the code say it “can easily be modified to obtain other stuff from the [database], for instance admin/user password hashes.” It also says the underlying vulnerability has resided in Magento since version 1. That means virtually all Magento sites that haven’t installed the patch are susceptible. A separate technical writeup here, also published Friday, provides additional exploit details, along with the disclosure timeline.

PRODSECBUG-2198 is one of more than three dozen security bugs Magento developers disclosed and fixed on Tuesday. It affects the following versions:

  • Magento Commerce < 1.14.4.1
  • Magento Open Source < 1.9.4.1
  • Magento < 2.1.17
  • Magento < 2.2.8
  • Magento < 2.3.1

Sites that want to quickly protect themselves from this vulnerability only can install a stand-alone patch. Many of the other flaws also pose a threat, but because they generally require a hacker to be authenticated, they aren’t considered as severe. To be fully protected against all vulnerabilities, sites will have to upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8

In an emailed statement, Magento officials wrote: “As the majority of exploits tend to target software installations that are not up-to-date with the latest security updates, we always strongly recommend that users install security updates as soon as they are available. More information can be found here: https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update.”

Montpas said Magento site administrators can check to see if their site has been targeted in 2198 exploits by checking the access_log file for multiple hits to the following path:

/catalog/product/frontend_action_synchronize

A small number of hits to that path may indicate a legitimate request, but more than a couple dozen hits from the same IP address in a few minutes should be considered suspicious.