[CVE-2023-26860] Improper neutralization of SQL parameter in lgbudget module for PrestaShop

In the module “Save your carts and buy later” (lgbudget) for PrestaShop, an authenticated user can perform a blind SQL injection up to 1.0.3. Release 1.0.4 fixed this security issue.

Summary

• CVE ID: CVE-2023-26860
• Published at: 2023-04-04
• Advisory source: Friends-Of-Presta.org
• Platform: PrestaShop
• Product: lgbudget
• Impacted release: < 1.0.4
• Product author: Línea Gráfica
• Weakness: CWE-89
• Severity: critical (9.8)

Description

Up to 1.0.3, a sensitive SQL call in class LgBudgetBudgetModuleFrontController::displayAjaxGenerateBudget() can be exploited with a trivial http call to forge a blind SQL injection throught the POST or GET submitted “name” variable.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Technical and personal data leaks
• Obtain admin access
• Remove all data of the linked PrestaShop
• Display sensitives tables to front-office to unlock potential admin’s ajax scripts of modules protected by token on the ecosystem

Proof of concept

curl -v --cookie-jar cookie.txt -X POST -d 'token=<predictible_token>&id_product=123&qty=1&add=1&action=update' 'https://domain.tld/cart'
&& curl -v --cookie cookie.txt 'https://domain.tld/module/lgbudget/budget?ajax=1&action=generateBudget&name=test%22,%20%222022-01-01%22%20%29%3BSELECT%20SLEEP%2825%29%3B--'

Patch

To fix this issue, in file controllers/front/budget.php line 42, you need to escape $name in LgBudgetBudgetModuleFrontController::displayAjaxGenerateBudget().

--- v1.0.3/lgbudget/controllers/front/budget.php
+++ v1.0.4/lgbudget/controllers/front/budget.php
@@ -39,7 +49,7 @@ class LgBudgetBudgetModuleFrontControlle
                     "' . Context::getContext()->cookie->checksum .'",
                     ' . (int)$id_shop . ', 
                     ' . (int)$id_customer . ', 
-                    "' . $name . '", 
+                    "' . pSQL($name) . '", 
                     "' . $date_add . '"
                 )';

Other recommandations

• It’s recommended to upgrade the module beyond 1.0.3. Release 1.0.4 fixed this security issue.
• Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”)
• Change the default database prefix ps_ by a new longer arbitrary prefix. Nethertheless, be warned that this is useless against blackhat with DBA senior skill because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

Timeline

Date	Action
2023-02-10	Vulnerability discovered by 202 ecommerce during a security audit
2023-02-10	Contact PrestaShop addons
2023-02-12	Request a CVE ID
2023-03-02	Fix published on addons PrestaShop marketplace
2023-03-17	Propose a delay to PrestaShop addons before disclosure
2023-03-27	PrestaShop addons confirm the CVE can be published
2023-04-04	Publication of the security advisory

Links

• PrestaShop addons product page
• National Vulnerability Database