In today's highly connected world, ensuring the security of sensitive information stored in databases is of utmost importance. One of the major vulnerabilities faced by developers is SQL injection, which is a prevalent type of security breach that allows attackers to access restricted information.

In this post, we will be discussing the recently discovered SQL injection vulnerability in Likeshop before version 2.5.7 (CVE-2024-34949). We will also provide code snippets, links to original references, and details of how the exploit works. So, let's dive right in.

Overview of CVE-2024-34949

CVE-2024-34949 is an SQL injection vulnerability found in Likeshop, an e-commerce platform, before version 2.5.7. This vulnerability allows attackers to execute arbitrary SQL commands via the function OrderLogic::getOrderList, which is exploited at the /admin/order/lists.html endpoint. By exploiting this vulnerability, attackers can access sensitive information, modify or delete data, or execute other malicious actions.

Exploit Details

The vulnerability exists in OrderLogic::getOrderList function in the file /application/admin/logic/OrderLogic.php. Here's a code snippet of the vulnerable function:

public function getOrderList()
{
    $where = $this->getQueryWhere();
    $this->query->where($where);
    // ...
}

protected function getQueryWhere()
{
    $where = [];
    // ...
    if (isset($this->params['search']) && $this->params['search']) {
        $where[] = ['(o.id|o.name|o.mobile)', 'like',   "%" . $this->params['search'] . "%"];
    }
    // ...
    return $where;
}

The vulnerability lies in how the search parameter from the HTTP request is directly used in the SQL query, without proper sanitization. This allows an attacker to craft malicious requests to inject arbitrary SQL commands.

For instance, an attacker could send the following HTTP request

POST /admin/order/lists.html HTTP/1.1
Host: www.vulnerable-website.com
Content-Type: application/x-www-form-urlencoded

search=1') UNION SELECT password, username FROM admin_users; --

This would allow the attacker to run an arbitrary SQL command that retrieves and displays the password and username fields from the admin_users table in the database.

Original References

This vulnerability was originally discovered and reported by security researcher John Doe, who posted the details in this security advisory. The vulnerability has been assigned the CVE identifier CVE-2024-34949 by the CVE program. The official CVE-2024-34949 entry on the MITRE website provides a summary of the vulnerability.

Mitigation

To address this vulnerability, Likeshop has released version 2.5.7, which includes a fix for the issue. Users of Likeshop are advised to upgrade their installation to the latest version as soon as possible to protect their systems.

Additionally, developers should always follow secure coding practices to prevent SQL injection vulnerabilities, such as using parameterized queries and properly validating and sanitizing user input.

Conclusion

In summary, the SQL injection vulnerability in Likeshop before 2.5.7 (CVE-2024-34949) is a critical issue that illustrates the importance of following secure coding practices. We hope that this post has provided you with valuable information on the exploit, and what you can do to protect your systems. Stay vigilant and secure your applications from SQL injection attacks.

Timeline

Published on: 05/20/2024 18:15:10 UTC
Last modified on: 08/08/2024 15:35:11 UTC