[CVE-2023-26858] Improper neutralization of SQL parameter in faqs module for PrestaShop
In the module “Frequently Asked Questions (FAQ) page” (faqs) for PrestaShop, an atacker can perform SQL injection up to 3.1.5. Release 3.1.6 fixed this security issue.
Summary
- CVE ID: CVE-2023-26858
- Published at: 2023-03-28
- Advisory source: Friends-Of-Presta.org
- Platform: PrestaShop
- Product: faqs
- Impacted release: < 3.1.6
- Product author: MyPrestaModules
- Weakness: CWE-89
- Severity: critical (9.8)
Description
Before 3.1.6, a sensitive SQL calls in class faqsPost::getIdFaqsAssociatedToProductCategories() can be executed with a trivial http call and exploited to forge a blind SQL injection throught the POST or GET submitted variable id_category.
CVSS base metrics
- Attack vector: network
- Attack complexity: low
- Privilege required: none
- User interaction: none
- Scope: unchanged
- Confidentiality: high
- Integrity: high
- Availability: high
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Possible malicious usage
- Technical and personal data leaks
- Obtain admin access
- Remove all data of the linked PrestaShop
- Display sensitives tables to front-office to unlock potential admin’s ajax scripts of modules protected by token on the ecosystem
Proof of concept
curl -v -X POST -d 'controller=category&id_category=1);SELECT+SLEEP(25);--' 'https://domain.tld'
Patch
--- a/faqs/classes/faqsPost.php
+++ b/faqs/classes/faqsPost.php
@@ -480,7 +480,7 @@ class faqsPost extends ObjectModel
*/
public static function getIdFaqsAssociatedToProductCategories($productCategoriesIds)
{
- $productCategoriesIds = implode(',', $productCategoriesIds);
+ $productCategoriesIds = implode(',', array_map('intval', explode(',',$productCategoriesIds)));
$sql = 'SELECT ac.id_faq
FROM ' . _DB_PREFIX_ . 'faq_association_category ac
Other recommandations
- It’s recommended to upgrade the module beyond 3.1.6.
- Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”)
- Change the default database prefix ps_ by a new longer arbitrary prefix. Nethertheless, be warned that this is useless against blackhat with DBA senior skill because of a design vulnerability in DBMS
- Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.
Timeline
| Date | Action |
|---|---|
| 2022-12-02 | Contact the author |
| 2022-12-12 | Fix published on addons PrestaShop marketplace by the author |
| 2023-02-12 | Request a CVE ID |
| 2023-03-17 | Propose a delay to PrestaShop addons security team before disclosing the CVE |
| 2023-03-28 | Publish this security advisory |