Headline

CVE-2023-30191: [CVE-2023-30191] Improper neutralization of SQL parameter in CDesigner module for PrestaShop

PrestaShop cdesigner < 3.1.9 is vulnerable to SQL Injection via CdesignerTraitementModuleFrontController::initContent().

1 year ago

CVE

Open in Source

#sql #vulnerability #web #php #auth

In the module “CDesigner” (cdesigner), a guest can perform SQL injection in affected versions.

Summary

CVE ID: CVE-2023-30191
Published at: 2023-05-17
Platform: PrestaShop
Product: cdesigner
Impacted release: <= 3.2.2 (3.2.3 fixed the vulnerability - WARNING : NO SEMVER VERSIONNING - SEE NOTE BELOW)
Product author: Prestaeg
Weakness: CWE-89
Severity: critical (9.8)

Description

The method CdesignerTraitementModuleFrontController::initContent() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

Note : The author do not follow a conventionnal semver versionning, since each branch of each PS major version follow its own version’s logic. For one Prestashop major version, vulnerability has been fixed since months but for others PS major version it’s still vulnerable.

This will cause confusion for the ecosystem so we defined the “impacted release” as a “safe version” for “all major PS versions”.

WARNING : This exploit is actively used to deploy webskimmer to massively stole credit cards.

CVSS base metrics

Attack vector: network
Attack complexity: low
Privilege required: none
User interaction: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

Obtain admin access
Steal/Remove data on the associated PrestaShop
Copy/past datas from sensibles tables to FRONT to exposed tokens and unlock admins’s ajax scripts
Rewrite SMTP settings to hijacked emails

Proof of concept

curl -v -X POST -d 'state=8&id_input=1&id_output=1&id_design=1%27;select(sleep(10));' 'https://preprod.XXX/?fc=module&module=cdesigner&controller=traitement'

Patch from 3.1.8

--- 3.1.8/cdesigner/controllers/front/traitement.php
+++ 3.2.3/cdesigner/controllers/front/traitement.php
...
                else if ($state == 8)
        {
-                       $id_design = $_POST['id_design'];
+                       $id_design = pSQL($_POST['id_design']);
            Db::getInstance(_PS_USE_SQL_SLAVE_)->executeS("
                DELETE FROM "._DB_PREFIX_."cdesigner_user_design
                WHERE `id_design` = '". $id_design ."'"

Other recommandations

It’s recommended to upgrade to the latest version of the module cdesigner.
Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”)
Change the default database prefix ps_ by a new longer arbitrary prefix. Nethertheless, be warned that this is useless against blackhat with DBA senior skill because of a design vulnerability in DBMS
Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules. *Timeline

Date

Action

Q3 2022

Issue discovered after security audit by TouchWeb.fr

Q4 2022

Contact author

Q4 2022

Author provide a patch

2023-03-04

Contact PrestaShop Addons security Team to confirm versions scope by author

2023-03-25

Request a CVE ID