Headline
CVE-2023-27034: Blind SQL injection vulnerability in Jms Blog (jmsblog) PrestaShop module
PrestaShop jmsblog 2.5.5 was discovered to contain a SQL injection vulnerability.
The module Jms Blog (jmsblog) from Joommasters contains a Blind SQL injection vulnerability. This module is for the PrestaShop e-commerce platform and mainly provided with joo masters PrestaShop themes
Summary
- CVE ID: CVE-2023-27034
- Published at: 2023-03-13
- Advisory source: none
- Vendor: PrestaShop
- Product: jmsblog
- Impacted release: at least 2.5.5 and 2.5.6
- Product author: Joommasters
- Weakness: CWE-89
- Severity: critical (9.8)
Description
Several front controller in /controllers/front/ hold sensitives SQL calls that can be executed with a trivial http call and exploited to forge a blind SQL injection.
CVSS base metrics
- Attack vector: network
- Attack complexity: low
- Privilege required: none
- User interaction: none
- Scope: unchanged
- Confidentiality: high
- Integrity: high
- Availability: high
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Possible malicious usage
- Technical and personal data leaks
- Obtain admin access
- Remove all data of the linked PrestaShop
- Display sensitives tables to front-office to unlock potential admin’s ajax scripts of modules protected by token on the ecosystem
Patch
--- a/controllers/front/archive.php
+++ b/controllers/front/archive.php
@@ -55,1 +55,1 @@ function getPosts
- ' AND DATE_FORMAT(hss.created,"%Y-%m") LIKE "%'.$_month.'%"
+ ' AND DATE_FORMAT(hss.created,"%Y-%m") LIKE "%'.pSQL($_month).'%"
--- a/controllers/front/post.php
+++ b/controllers/front/post.php
@@ -85,1 +85,1 @@ function getPosts
- WHERE pc.`email` = \''.$email.'\'
+ WHERE pc.`email` = \''.pSQL($email).'\'
--- a/controllers/front/tag.php
+++ b/controllers/front/tag.php
@@ -53,1 +53,1 @@ function getPosts
- ' AND hssl.`tags` LIKE "%'.$tag.'%"
+ ' AND hssl.`tags` LIKE "%'.pSQL($tag).'%"
Timeline
Date
Action
2022-09-01
Issue discovered during a pentest
2023-02-17
Contact the author
2023-03-13
Publish this security advisory
2023-03-16
CVE ID affected
Other recommandations
- Upgrade PrestaShop beyond 1.7.8.8 (and 8.0.1) to disable multiquery executions (separated by “;”).
- Change the default database prefix ps_ by a new longer arbitrary prefix. Nethertheless, be warned that this is useless against blackhat with DBA senior skill because of a design vulnerability in DBMS
- Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.
Links
- Joom masters web site
- National Vulnerability Database