Headline
CVE-2022-31181: Merge pull request from GHSA-hrgx-p36p-89q4 · PrestaShop/PrestaShop@b6d96e7
PrestaShop is an Open Source e-commerce platform. In versions from 1.6.0.10 and before 1.7.8.7, PrestaShop is subject to an SQL injection vulnerability that can be chained to call PHP’s eval function on attacker input. The problem is fixed in version 1.7.8.7. Users are advised to upgrade. Users unable to upgrade may delete the MySQL Smarty cache feature.
@@ -25,6 +25,14 @@
*/
class Smarty_CacheResource_Mysql extends Smarty_CacheResource_Custom
{
/** @var PhpEncryption */
private $phpEncryption;
public function __construct()
{
$this->phpEncryption = new PhpEncryption(_NEW_COOKIE_KEY_);
}
/**
* fetch cached content and its modification time from data source.
*
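Review bot: the new constructor keys PhpEncryption with _NEW_COOKIE_KEY_ but carries no docblock explaining that choice. Since the constant is, by its name, the cookie key, a comment should state that existing cache rows become unreadable whenever that key changes and that the smarty_cache table has to be cleared on rotation. If Smarty_CacheResource_Custom or one of its ancestors defines a constructor, this one should also call parent::__construct().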
@@ -39,7 +47,7 @@ protected function fetch($id, $name, $cache_id, $compile_id, &$content, &$mtime)
{
$row = Db::getInstance()->getRow('SELECT modified, content FROM ' . _DB_PREFIX_ . ‘smarty_cache WHERE id_smarty_cache = "’ . pSQL($id, true) . ‘"’);
if ($row) {
$content = $row[‘content’];
$content = $this->phpEncryption->decrypt($row[‘content’]);
$mtime = strtotime($row[‘modified’]);
} else {
$content = null;
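Review bot: in fetch(), the result of $this->phpEncryption->decrypt($row['content']) is assigned to $content with no handling for a value that does not decrypt. Rows saved before this change hold plaintext, and a row that was not written with the key should never be served, so a failed decrypt should take the same path as the else branch ($content = null) instead of letting an error value or an uncaught exception reach the caller. A short comment saying that undecryptable rows are treated as cache misses would also help the next reader.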
@@ -87,7 +95,7 @@ protected function save($id, $name, $cache_id, $compile_id, $exp_time, $content)
"’ . pSQL($id, true) . '",
"’ . pSQL(sha1($name)) . '",
"’ . pSQL($cache_id, true) . '",
“’ . pSQL($content, true) . '”
“’ . $this->phpEncryption->encrypt($content) . '”
)');
return (bool) Db::getInstance()->Affected_Rows();
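Review bot: in save(), $this->phpEncryption->encrypt($content) is concatenated into the INSERT without pSQL(), while every other value in the statement is still escaped. That is safe only as long as encrypt() never emits a quote or backslash, which nothing in this hunk guarantees. Either wrap the call in pSQL() as the neighbouring values are, or add a comment stating the output alphabet the query relies on.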
Related news
### Impact

Eval injection possible if the shop is vulnerable to an SQL injection.

### Patches

The problem is fixed in version 1.7.8.7

### Workarounds

Delete the MySQL Smarty cache feature by removing these lines in the file `config/smarty.config.inc.php` lines 43-46 (PrestaShop 1.7) or 40-43 (PrestaShop 1.6):

```php
if (Configuration::get('PS_SMARTY_CACHING_TYPE') == 'mysql') {
    include _PS_CLASS_DIR_.'Smarty/SmartyCacheResourceMysql.php';
    $smarty->caching_type = 'mysql';
}
```
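The commit shown above encrypts cache content with a server-side key before it is stored. The sketch below is an added example, not PrestaShop code, showing how a cache row that was not written with the key is rejected on read and handled as a cache miss. It assumes libsodium's secretbox (PHP 7.2+) in place of the project's PhpEncryption class; `cache_seal()` and `cache_open()` are hypothetical names, and the rows are constructed.

```php
<?php
// Added illustration: authenticated encryption of cache rows.
// libsodium secretbox stands in for the project's PhpEncryption class.

function cache_seal(string $content, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // Base64 output has no quote characters; bind or escape it anyway.
    return base64_encode($nonce . sodium_crypto_secretbox($content, $nonce, $key));
}

function cache_open(string $stored, string $key): ?string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null; // plaintext or malformed row: cache miss
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain; // MAC failure: cache miss
}

// Constructed demo key; a real deployment loads a stable server-side secret.
$key = sodium_crypto_secretbox_keygen();

$sealed = cache_seal('<p>Hello</p>', $key);

// Constructed "tampered" row: one bit flipped inside the stored value.
$bytes = base64_decode($sealed, true);
$bytes[30] = chr(ord($bytes[30]) ^ 1);

$rows = [
    'written by save()'       => $sealed,
    'written without the key' => '<p>row inserted directly into the table</p>',
    'modified after save()'   => base64_encode($bytes),
];

foreach ($rows as $label => $stored) {
    $content = cache_open($stored, $key);
    printf("%-24s => %s\n", $label, $content === null ? 'cache miss' : $content);
}
```

Only the first row is returned as content; the other two are reported as cache misses, so the template is rebuilt from source instead of being read from the table.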