Recently I was asked to look into a potential PCI compliance issue in Magento 1.7/1.8/1.9. The potential issue was uncovered by ControlScan. The summary was as follows:
Integer based SQL injection vulnerability in product parameter to /checkout/cart/add/uenc/<snip>,/product/<id>/ Risk: High (3) Port: 80/tcp Protocol: tcp Threat ID: web_prog_sql_integer
Upon diving into the additional supplied information, it was almost immediately clear what the test was doing. It was performing a POST request against the URL: /checkout/cart/add/uenc/<snip>,/product/XYZ/
XYZ translates to a valid Magento product id. In the payload (POST’d multipart/form-data) that would get parsed into the PHP $_POST superglobal, an initial request passed product=XYZ, and a subsequent request passed product=XYZ-2.
The scan saw the same output returned for each request, and thus assumed the cart might be getting “duped” by the invalid XYZ-2.
Let’s take a look at the code which handles this submission (which is an AJAX style action that adds a product to the cart). It is located in app/code/core/Mage/Checkout/controllers/CartController.php, starting around line 170, in the addAction public method. The take-away here is the $params variable setup in addAction, as well as the product id discovery in _initProduct both retrieve their data by calling $this->getRequest()->getParams(); — this parameter data comes from any number of places, including the URL, GET, or POST. In this instance, the product variable is being parsed out of the URL, and the product supplied via POST is never referenced. No wonder the output was the same, the URL was the same in both cases, the modified POST data was never a factor.
If you simply want to tighten up your cart to get it to pass your PCI compliance scan, the following code will do that for you, just replace the top part of addAction with the following, and be prepared for an eventual upgrade to undo this patch.
public function addAction() { $cart = $this->_getCart(); $params = $this->getRequest()->getParams(); $postInput = file_get_contents("php://input"); $postStrDataArr = explode("\n", $postInput); $postStrData = array_pop($postStrDataArr); parse_str($postStrData, $postData); if ((isset($postData['product']) && $postData['product'] != $params['product']) || !is_numeric($params['product'])) throw new Exception('Invalid Product ID'); try {
This modification compares the parameter parsed via the URL with the parameter passed via POST and throws an Exception if the two do not match.
No doubt there is a better and more Magento-esque way to remedy this issue, but the above will work in a pinch.
Does Magento cost much to run? I use WooCommerce myself, but they have really annoyed me lately. I recently got hit with a $10k bill for a few plugins I own (without warning). They have increased their prices by 50 on all annual subscription renewals – without explaining anything to their customers! Seems pretty odd. But nevertheless, I am looking to jump ship and not sure which shopping cart system to use for our site.
Just like WooCommerce, Magento is open source with a thriving community built around it providing professional services as well as paid access to plugins/support. The cost to run each platform is largely dependent on your ability to wade into the code to fix problems yourself, write your own plugins to accomplish certain tasks instead of paying for them, etc. The platforms themselves and many of the plugins and services are a bargain, for both platforms, it just takes a bit of skillful navigation either way.