The module Jms Blog (jmsblog) from Joommasters contains a Blind SQL injection vulnerability. This module is for the PrestaShop e-commerce platform and mainly provided with joo masters PrestaShop themes

Summary

  • CVE ID: CVE-2023-27034
  • Published at: 2023-03-13
  • Advisory source: Friends-Of-Presta
  • Platform: PrestaShop
  • Product: jmsblog
  • Impacted release: at least 2.5.5 and 2.5.6
  • Product author: Joommasters
  • Weakness: CWE-89
  • Severity: critical (9.8)

Description

Several front controller in /controllers/front/ hold sensitives SQL calls that can be executed with a trivial http call and exploited to forge a blind SQL injection.

CVSS base metrics

  • Attack vector: network
  • Attack complexity: low
  • Privilege required: none
  • User interaction: none
  • Scope: unchanged
  • Confidentiality: high
  • Integrity: high
  • Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

  • Technical and personal data leaks
  • Obtain admin access
  • Remove all data of the linked PrestaShop
  • Display sensitives tables to front-office to unlock potential admin’s ajax scripts of modules protected by token on the ecosystem

Patch

--- a/controllers/front/archive.php
+++ b/controllers/front/archive.php
@@ -55,1 +55,1 @@ function getPosts
-            ' AND DATE_FORMAT(hss.created,"%Y-%m") LIKE "%'.$_month.'%"
+            ' AND DATE_FORMAT(hss.created,"%Y-%m") LIKE "%'.pSQL($_month).'%"
--- a/controllers/front/post.php
+++ b/controllers/front/post.php
@@ -85,1 +85,1 @@ function getPosts
-                WHERE pc.`email` = \''.$email.'\'
+                WHERE pc.`email` = \''.pSQL($email).'\'
--- a/controllers/front/tag.php
+++ b/controllers/front/tag.php
@@ -53,1 +53,1 @@ function getPosts
-            ' AND hssl.`tags` LIKE "%'.$tag.'%"
+            ' AND hssl.`tags` LIKE "%'.pSQL($tag).'%"

Timeline

Date Action
2022-09-01 Issue discovered during a pentest
2023-02-17 Contact the author
2023-03-13 Publish this security advisory
2023-03-16 CVE ID affected

Other recommandations

  • Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”)
  • Change the default database prefix ps_ by a new longer arbitrary prefix. Nethertheless, be warned that this is useless against blackhat with DBA senior skill because of a design vulnerability in DBMS
  • Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.