In the module “Frequently Asked Questions (FAQ) page” (faqs) for PrestaShop, an attacker can perform SQL injection up to 3.1.5. Release 3.1.6 fixed this security issue.

Summary

  • CVE ID: CVE-2023-26858
  • Published at: 2023-03-28
  • Advisory source: Friends-Of-Presta.org
  • Platform: PrestaShop
  • Product: faqs
  • Impacted release: < 3.1.6
  • Product author: MyPrestaModules
  • Weakness: CWE-89
  • Severity: critical (9.8)

Description

Before 3.1.6, a sensitive SQL call in class faqsPost::getIdFaqsAssociatedToProductCategories() can be executed with a trivial http call and exploited to forge a blind SQL injection throught the POST or GET submitted variable id_category.

CVSS base metrics

  • Attack vector: network
  • Attack complexity: low
  • Privilege required: none
  • User interaction: none
  • Scope: unchanged
  • Confidentiality: high
  • Integrity: high
  • Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

  • Technical and personal data leaks
  • Obtain admin access
  • Remove all data of the linked PrestaShop
  • Display sensitives tables to front-office to unlock potential admin’s ajax scripts of modules protected by token on the ecosystem

Proof of concept

curl -v -X POST -d 'controller=category&id_category=1);SELECT+SLEEP(25);--' 'https://domain.tld'

Patch

--- a/faqs/classes/faqsPost.php
+++ b/faqs/classes/faqsPost.php
@@ -480,7 +480,7 @@ class faqsPost extends ObjectModel
    */
   public static function getIdFaqsAssociatedToProductCategories($productCategoriesIds)
   {
-    $productCategoriesIds = implode(',', $productCategoriesIds);
+    $productCategoriesIds = implode(',', array_map('intval', explode(',',$productCategoriesIds)));
 
     $sql = 'SELECT ac.id_faq
             FROM ' . _DB_PREFIX_ . 'faq_association_category ac

Other recommandations

  • It’s recommended to upgrade the module beyond 3.1.6.
  • Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”)
  • Change the default database prefix ps_ by a new longer arbitrary prefix. Nethertheless, be warned that this is useless against blackhat with DBA senior skill because of a design vulnerability in DBMS
  • Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

Timeline

Date Action
2022-12-02 Contact the author
2022-12-12 Fix published on addons PrestaShop marketplace by the author
2023-02-12 Request a CVE ID
2023-03-17 Propose a delay to PrestaShop addons security team before disclosing the CVE
2023-03-28 Publish this security advisory