CVE-2023-31672: [CVE-2023-31672] Improper neutralization of an SQL parameter in ailinear module for PrestaShop

In the module “Length, weight or volume sell” (ailinear) for PrestaShop, versions before 2.4.3 contain a SQL injection vulnerability.


In the module “Length, weight or volume sell” (ailinear) for PrestaShop, an attacker can perform SQL injection in versions before 2.4.3. Release 2.4.3 fixed this security issue.

Summary

  • CVE ID: CVE-2023-31672
  • Published at: 2023-06-15
  • Advisory source: Friends-Of-Presta.org
  • Platform: PrestaShop
  • Product: ailinear
  • Impacted release: < 2.4.3 (2.4.3 fixed the vulnerability)
  • Product author: ai-dev
  • Weakness: CWE-89
  • Severity: critical (9.8)

Description

In versions before 2.4.3, a sensitive SQL call in the file includes/ajax.php can be reached with a trivial HTTP request and exploited to forge a blind SQL injection through the others and more variables submitted via POST or GET: neither value was validated before being concatenated into the query.
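The following is an added example, not code from the advisory or from the ailinear module. It re-creates, in Python against an in-memory SQLite database, the combination query that includes/ajax.php builds from the more parameter, in both its pre-2.4.3 form (raw explode('_') concatenated into IN (...)) and its 2.4.3 form (each part cast to int, zeros dropped). The table and column names mirror the ones visible in the patch; the ps_ prefix, the sample rows and the probe payloads are constructed for the demonstration. It shows why the bug is a boolean blind injection (a true and a false condition yield different result sets) and that the int cast neutralises the same payloads.

```python
"""Added example: vulnerable vs fixed construction of the ailinear
combination query, exercised against constructed SQLite sample data."""
import re
import sqlite3

DB_PREFIX = "ps_"  # assumed: the default PrestaShop table prefix


def php_intval(value: str) -> int:
    """Emulate PHP's (int) cast on a string: an optional sign and the leading
    digits are parsed, anything else (including '') gives 0. PHP 7.1+ also
    accepts forms such as '1e3'; that case is not needed here."""
    m = re.match(r"^\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def attributes_from_more(request_more: str, fixed: bool) -> list:
    """Turn the 'more' parameter ('1_2_7') into the list imploded into IN (...).
    fixed=False: pre-2.4.3 behaviour, the raw parts of explode('_').
    fixed=True:  2.4.3 behaviour, intval each part and drop the zeros."""
    parts = request_more.split("_")
    if not fixed:
        return parts
    return [n for n in (php_intval(p) for p in parts) if n]


def build_combination_query(request_product: int, request_more: str, fixed: bool) -> str:
    """Concatenate the SQL the way includes/ajax.php does."""
    attrs = attributes_from_more(request_more, fixed)
    if fixed and not attrs:
        # Added guard: the module's patch does not have it, and MySQL rejects
        # 'IN ()' with a syntax error when every part filtered down to 0.
        raise ValueError("no valid attribute ids in 'more'")
    return (
        "SELECT COUNT(id_product_attribute) AS number, id_product_attribute "
        f"FROM {DB_PREFIX}product_attribute_combination "
        f"WHERE id_product_attribute IN (SELECT id_product_attribute FROM {DB_PREFIX}product_attribute "
        f"WHERE id_product = {int(request_product)}) "
        f"AND id_attribute IN ({', '.join(str(a) for a in attrs)}) "
        f"GROUP BY id_product_attribute HAVING number = {len(attrs)} "
        "ORDER BY id_product_attribute ASC"
    )


def sample_db() -> sqlite3.Connection:
    """Constructed sample data: product 5 has combination 11 = attributes {1, 2}
    and combination 12 = attributes {1, 3}."""
    con = sqlite3.connect(":memory:")
    con.executescript(f"""
        CREATE TABLE {DB_PREFIX}product_attribute (id_product_attribute INTEGER, id_product INTEGER);
        CREATE TABLE {DB_PREFIX}product_attribute_combination (id_attribute INTEGER, id_product_attribute INTEGER);
        INSERT INTO {DB_PREFIX}product_attribute VALUES (11, 5), (12, 5);
        INSERT INTO {DB_PREFIX}product_attribute_combination VALUES (1, 11), (2, 11), (1, 12), (3, 12);
    """)
    return con


def run(request_product: int, request_more: str, fixed: bool) -> list:
    """Return the id_product_attribute values the query yields."""
    con = sample_db()
    rows = con.execute(build_combination_query(request_product, request_more, fixed)).fetchall()
    con.close()
    return [r[1] for r in rows]


# Boolean blind probes: close the IN list, append a condition, then re-open a
# list so the rest of the statement still parses. Because the value is split on
# '_', a payload sent through 'more' cannot itself contain an underscore.
PAYLOAD_TRUE = "1_2) AND 1=1 AND 1 IN (1"
PAYLOAD_FALSE = "1_2) AND 1=2 AND 1 IN (1"

if __name__ == "__main__":
    print("legit request, vulnerable:", run(5, "1_2", fixed=False))      # [11]
    print("true probe,  vulnerable:", run(5, PAYLOAD_TRUE, fixed=False))  # [11]
    print("false probe, vulnerable:", run(5, PAYLOAD_FALSE, fixed=False)) # []
    print("true probe,  fixed:", run(5, PAYLOAD_TRUE, fixed=True))        # [11]
    print("false probe, fixed:", run(5, PAYLOAD_FALSE, fixed=True))       # [11]
```

With the vulnerable build, the true and false probes return different rows, which is the oracle an attacker iterates over to read data one condition at a time; with the int cast both probes collapse to IN (1, 2) and return the legitimate result. The underscore restriction only applies to the more parameter; the advisory lists others as injectable as well, and its handling is not part of the query shown here.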

CVSS base metrics

  • Attack vector: network
  • Attack complexity: low
  • Privilege required: none
  • User interaction: none
  • Scope: unchanged
  • Confidentiality: high
  • Integrity: high
  • Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

  • Obtain admin access
  • Remove data on the associated PrestaShop
  • Copy data from sensitive tables to the front office to expose tokens and unlock admin ajax scripts
  • Rewrite SMTP settings to hijack emails

Patch

--- a/ailinear/includes/ajax.php
+++ b/ailinear/includes/ajax.php
@@ -346,17 +346,23 @@ if (Tools::getIsset('action')) {
     $request_value = Tools::getIsset('value') ? Tools::getValue('value') : 0;
     $request_product = (int)Tools::getValue('product');
     $request_more = Tools::getValue('more');
-    $request_others = Tools::getValue('others');
+    $request_others = (int)Tools::getValue('others');
     $request_quantity = (int)Tools::getValue('qty');
 
     /* Test if base combination exists */
     if ($request_more != '') {
-        $more = explode('_', $request_more);
+        $more_attributes = explode('_', $request_more);
+        $more_attributes = array_map('intval', $more_attributes);
+        foreach ($more_attributes as $key => $attr) {
+            if (!$attr) {
+                unset($more_attributes[$key]);
+            }
+        }
         
         /* Get the id_product_attribute (the first is the default one)*/
         $result = DB::getInstance()->ExecuteS(
             'SELECT COUNT(id_product_attribute) as number, id_product_attribute FROM '._DB_PREFIX_.'product_attribute_combination WHERE id_product_attribute IN (SELECT id_product_attribute FROM '._DB_PREFIX_.'product_attribute WHERE '.
-            'id_product = '.$request_product.') AND id_attribute IN ('.implode(', ', $more).') GROUP BY id_product_attribute HAVING number = '.count($more).' ORDER BY id_product_attribute ASC'
+            'id_product = '.$request_product.') AND id_attribute IN ('.implode(', ', $more_attributes).') GROUP BY id_product_attribute HAVING number = '.count($more_attributes).' ORDER BY id_product_attribute ASC'
         );
         
         /* Get the attributes values and lang for the product */
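Review bot: the filtering at the top of this hunk can leave `$more_attributes` empty for a non-empty `more` such as `abc` or `0_0`, and the query below then becomes `id_attribute IN () ... HAVING number = 0`, which MySQL rejects as a syntax error; add a guard after the `foreach`, e.g. `if (!count($more_attributes)) { die('Unknown'); }` (or fall through to the no-attribute branch), so the failure is explicit rather than a database error. The `foreach`/`unset` loop could also be written as `$more_attributes = array_values(array_filter(array_map('intval', explode('_', $request_more))));`, which keeps the keys contiguous. The `(int)` cast on `$request_others` is the only sanitisation that parameter receives and its use is not in this hunk, so confirm that no other `Tools::getValue('others')` read survives downstream.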
@@ -364,6 +370,8 @@ if (Tools::getIsset('action')) {
             die('Unknown');
         }
     } else {
+        $more_attributes = array();
+        
         /* Get the id_product_attribute (the first is the default one)*/
         $result = DB::getInstance()->ExecuteS('SELECT COUNT(id_product_attribute) as number, id_product_attribute FROM '._DB_PREFIX_.'product_attribute WHERE id_product = '.$request_product.' ORDER BY id_product_attribute ASC');
     }
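Review bot: the `$more_attributes = array();` added in the `else` branch only runs when `more` is the empty string; initialising the array once before `if ($request_more != '')` and deciding which combination query to run on `count($more_attributes)` would cover both that case and a `more` value that filters down to nothing, and would make this branch's assignment unnecessary.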
@@ -373,13 +381,6 @@ if (Tools::getIsset('action')) {
         $return = 'Message->'.$module->l('Message for delayed preparation', 'ajax').'|';
     }
 
-    /* Get attributes */
-    if ($request_more != '') {
-        $more_attributes = explode('_', $request_more);
-    } else {
-        $more_attributes = array();
-    }
-
     /* Get price changes */
     $more_attributes_price = 0;
     if (count($more_attributes)) {
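Review bot: removing this second `explode('_', $request_more)` is what actually makes the fix hold, since it would otherwise overwrite the sanitised `$more_attributes` with the raw parts just before the price query that follows `count($more_attributes)`; a one-line comment above `/* Get price changes */` saying the array was validated earlier would keep a future edit from reintroducing it. The price query itself is outside the hunk, so confirm it reads only `$more_attributes` and never `$request_more`.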

Other recommendations

  • Upgrade PrestaShop to the latest version, which disables multi-query execution (statements separated by “;”)
  • Change the default database prefix ps_ to a longer arbitrary prefix. Be warned that this only slows an attacker down: once an injection exists, a skilled DBA can still recover the table names, for example from information_schema
  • Activate the OWASP CRS 942 rule group (SQL injection) on your WAF (web application firewall). Be warned that this will probably break your back office, and you will need to pre-configure exclusions for this rule set

Timeline

  • 2023-03-08: Vulnerability found during an audit by 202 ecommerce
  • 2023-03-08: Contact the author
  • 2023-03-08: The author confirms the issue and supplies a fixed release
  • 2023-04-23: Request a CVE ID
  • 2023-06-15: Publication of this advisory

Links

  • Author product page
  • National Vulnerability Database
