CVE-2023-39675: SQLi in SimpleImportProduct Prestashop Module
SimpleImportProduct Prestashop Module v6.2.9 was discovered to contain a SQL injection vulnerability via the key parameter at send.php.
This blog post details an SQL Injection we found within SimpleImportProduct, a Prestashop module developed by MyPrestaModules. In modules/simpleimportproduct/send.php there is the following code:
if ( Tools::getValue('remove') == true){
    $key = Tools::getValue('key');
    // pSQL() escapes quote characters, but the value is later placed in
    // the query unquoted, so escaping alone does not constrain it.
    $key = pSQL($key);
    Db::getInstance()->delete('simpleimport_tasks', "import_settings=$key");
}
This is vulnerable to SQL injection which allows an attacker to extract data from the database.
The key parameter does get sanitized by pSQL(), but when it's put in the query it's not surrounded by quotes, so an attacker can still manipulate the query: pSQL() only neutralises quote characters, and a value that is never inside a string literal needs no quotes to alter the WHERE clause. This is a similar situation to an SQLi I found in a different Prestashop module.
Adding quotes around the key would be sufficient to patch this SQLi:
Db::getInstance()->delete('simpleimport_tasks', "import_settings='$key'");
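To make the point concrete, the following is an added example (not code from the module or from MyPrestaModules) that reproduces the three variants of the DELETE against an in-memory SQLite table named after the one in the post. The `escape_like_psql()` helper is an assumption: it stands in for PrestaShop's pSQL() by neutralising quote characters, using SQLite's doubled-quote convention where MySQL would backslash-escape. The table rows and the two test inputs are constructed for the demo.

```python
import sqlite3
from typing import Optional


def escape_like_psql(value: str) -> str:
    """Stand-in for PrestaShop's pSQL(): stops a quote from closing a string
    literal. SQLite doubles quotes; MySQL backslash-escapes them. The lesson
    is the same either way: escaping only helps inside a quoted literal."""
    return value.replace("'", "''")


def make_db() -> sqlite3.Connection:
    """Constructed sample table: three import tasks with settings ids 1..3."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE simpleimport_tasks "
        "(id INTEGER PRIMARY KEY, import_settings INTEGER)"
    )
    conn.executemany(
        "INSERT INTO simpleimport_tasks (import_settings) VALUES (?)",
        [(1,), (2,), (3,)],
    )
    conn.commit()
    return conn


def delete_unquoted(conn: sqlite3.Connection, key: str) -> int:
    """The vulnerable shape: escaped, but interpolated bare into a numeric
    comparison. Returns the number of rows the DELETE removed."""
    sql = ("DELETE FROM simpleimport_tasks "
           f"WHERE import_settings={escape_like_psql(key)}")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def delete_quoted(conn: sqlite3.Connection, key: str) -> int:
    """The fix proposed in the post: escape AND wrap in quotes, so the whole
    value is a string literal and cannot add new clauses."""
    sql = ("DELETE FROM simpleimport_tasks "
           f"WHERE import_settings='{escape_like_psql(key)}'")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def validate_key(key: str) -> Optional[int]:
    """Stricter alternative: the column is an integer, so reject anything
    that is not one before it gets near the query."""
    return int(key) if key.strip().isdigit() else None


def delete_parameterised(conn: sqlite3.Connection, key: str) -> int:
    """Type-check plus a bound parameter; no string building at all."""
    value = validate_key(key)
    if value is None:
        return 0
    cur = conn.execute(
        "DELETE FROM simpleimport_tasks WHERE import_settings=?", (value,)
    )
    conn.commit()
    return cur.rowcount


def run_demo() -> dict:
    """Run each variant against a fresh table with a benign key and with a
    key that appends a tautology. Returns rows deleted per variant/input."""
    benign, hostile = "2", "2 OR 1=1"
    results = {}
    for name, fn in (("unquoted", delete_unquoted),
                     ("quoted", delete_quoted),
                     ("parameterised", delete_parameterised)):
        results[(name, "benign")] = fn(make_db(), benign)
        results[(name, "hostile")] = fn(make_db(), hostile)
    return results


if __name__ == "__main__":
    for (variant, kind), deleted in run_demo().items():
        print(f"{variant:14s} {kind:8s} rows deleted: {deleted}")
```

Only the unquoted variant lets the hostile input reach past the single intended row, which is exactly the gap between "sanitized by pSQL()" and "safe". The quoted variant is the minimal patch the post suggests; the parameterised variant is what a reviewer would ask for in new code, since it does not depend on remembering the quotes.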
Proof of Concept
To test this we used sqlmap on a local Prestashop install. Care should be taken when testing for this as it is within a DELETE SQL query and can result in records getting deleted. sqlmap command:
sqlmap -u "http://localhost:8080/modules/simpleimportproduct/send.php?ajax=true&remove=true&key=1*" --threads=10 --random-agent --dbms=mysql --level=5 --risk=3 --tables
It's a "blind" SQLi as it doesn't affect the contents of the page, so information is extracted using SLEEP() to change the time it takes to respond.
Timeline

Date          Action
10/07/2023    Issue discovered during a pentest
12/07/2023    Reported issue to MyPrestaModules
29/07/2023    Requested CVE from MITRE
??/08/2023    Patch released
28/08/2023    Number CVE-2023-39675 assigned
07/09/2023    Blog post released