

CVE-2023-48925: [CVE-2023-48925] Improper neutralization of SQL parameter in Buy Addons - Product Video, Youtube, Vimeo Tab module for PrestaShop

SQL injection vulnerability in Buy Addons bavideotab before version 1.0.6 allows attackers to escalate privileges and obtain sensitive information via the component BaVideoTabSaveVideoModuleFrontController::run().


In the module “Product Video, Youtube, Vimeo Tab” (bavideotab) up to version 1.0.5 from Buy Addons for PrestaShop, a guest can perform SQL injection in affected versions.

The methods BaVideoTabSaveVideoModuleFrontController::run() and BaVideoTabConfirmDeleteModuleFrontController::run() contain sensitive SQL calls that can be reached with a trivial HTTP request and exploited to forge a SQL injection.

WARNING: This exploit is actively used to deploy a web skimmer that steals credit card data at scale.

Because this exploit goes through a PrestaShop front controller, most attackers can conceal the module controller’s path, so your conventional frontend logs will never show that this vulnerability is being exploited: you will only see “POST /” in them. Activating the AuditEngine of mod_security (or similar) is the only way to obtain the data needed to confirm this exploit.

--- 1.0.5/modules/bavideotab/controllers/front/confirmdelete.php
+++ 1.0.6/modules/bavideotab/controllers/front/confirmdelete.php
@@ -33,8 +33,8 @@ class BaVideoTabConfirmDeleteModuleFront
     public function run()
     {
         $db = Db::getInstance(_PS_USE_SQL_SLAVE_);
-        $id_product=Tools::getValue('id');
-        $id_lang = Tools::getValue('id_lang');
+        $id_product = (int) Tools::getValue('id');
+        $id_lang = (int) Tools::getValue('id_lang');
         $id_shop=($this->context->shop->id);
         $sql="SELECT text_url FROM "._DB_PREFIX_."url_video WHERE id_product='".$id_product."'";
         $sql .= "AND id_lang='".$id_lang."' AND id_store='".$id_shop."' AND type = 1 ";
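Review bot: The `(int)` casts on L30–L31 close the injection on `id` and `id_lang`, but the SELECT on L33–L34 is still assembled by concatenation and L34 begins with `"AND ...` with no leading space, so the generated statement reads `... id_product='5'AND id_lang='1' ...`; MySQL appears to tolerate that, but `$sql .= " AND id_lang='".$id_lang."' AND id_store='".$id_shop."' AND type = 1 ";` is unambiguous. A missing parameter makes `Tools::getValue` return false, which the cast turns into 0, so the query simply matches no row and needs no extra guard here. `$id_shop` on L32 comes from `$this->context->shop->id`, not from the request, so it is not attacker-controlled. run() continues past the end of the hunk.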



--- 1.0.5/modules/bavideotab/controllers/front/savevideo.php
+++ 1.0.6/modules/bavideotab/controllers/front/savevideo.php
@@ -33,14 +33,14 @@ class BaVideoTabSaveVideoModuleFrontCont
         $id_lang_default = Configuration::get('PS_LANG_DEFAULT');
         $ob_lang_default = new Language($id_lang_default);
         $name_lang_default = $ob_lang_default->name;
-        $id_shop = Tools::getValue('id_shop');
+        $id_shop = (int) Tools::getValue('id_shop');
         $name_shop = Tools::getValue('name_shop');
         $db = Db::getInstance(_PS_USE_SQL_SLAVE_);
         $url = $_SERVER['SCRIPT_FILENAME'];
         $url = rtrim($url, 'index.php');
         $languages = Language::getLanguages();
-        $type_video = Tools::getValue('type_video');
-        $id_product = Tools::getValue('id_product');
+        $type_video = (int) Tools::getValue('type_video');
+        $id_product = (int) Tools::getValue('id_product');
         $sql = 'SELECT * FROM '._DB_PREFIX_.'product_lang WHERE id_product="'.$id_product.'"';
         $show = $db->ExecuteS($sql);
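Review bot: `rtrim($url, 'index.php')` on L49 treats its second argument as a character mask, not a suffix, so it strips any trailing run of the characters i, n, d, e, x, ., p, h from `$_SERVER['SCRIPT_FILENAME']` rather than the literal file name; a suffix check is what is intended: `if (substr($url, -9) === 'index.php') { $url = substr($url, 0, -9); }`. In practice the slash before index.php stops the stripping, so this is latent, but it silently yields a wrong path for any other entry script name, and `$url` is not used within this hunk so its eventual use cannot be checked from here. `$name_shop` on L46 remains an unbounded raw request string that relies on every later use escaping it; a boundary validation such as `Validate::isGenericName()` (or a length limit) at assignment would be in keeping with the `(int)` casts applied to the other parameters. run() starts before and ends after this hunk.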

@@ -91,7 +91,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                         $sql = "INSERT INTO "._DB_PREFIX_."url_video ";
                         $sql .= "(id_video,id_product,id_lang,id_store,text_url,language,shop,name_product,type)";
                         $sql .= " VALUES ('','".$id_product."','".$id_lang_default."','".$id_shop."','";
-                        $sql .= "".$video_upload_default."','".$name_lang_default."','".$name_shop."','";
+                        $sql .= "".$video_upload_default."','".$name_lang_default."','".pSQL($name_shop)."','";
                         $sql .= "".$name_product."','".$type_video."')";
                         $db->query($sql);
                         $url_save_video = _PS_ROOT_DIR_.'/media/'.$id_shop."/".$id_product."/";
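Review bot: pSQL() is applied only to `$name_shop` on L63, while `$video_upload_default`, `$name_lang_default` (L63) and `$name_product` (L64) are still concatenated into the INSERT unescaped; their assignments are outside this hunk, so unless each is already int-cast or escaped where it is set, escape them at the point of use as well: `$sql .= "".pSQL($video_upload_default)."','".pSQL($name_lang_default)."','".pSQL($name_shop)."','";` and `$sql .= "".pSQL($name_product)."','".$type_video."')";`. The same pattern recurs in the hunks at @@ -102, @@ -113, @@ -160, @@ -195, @@ -214 and @@ -230, where `$video_url`, `$id_video`, `$value['name']`, `$value_lang['name']` and `trim($name_url_array[...])` are interpolated the same way. Escaping or int-casting every value at the point of use (or building the row as an array for Db::insert(), which also keeps the repeated column list in one place) makes the statement safe regardless of where each variable originated. The enclosing run() begins and ends outside the hunk.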
@@ -102,7 +102,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                             $sql = "INSERT INTO "._DB_PREFIX_."url_video ";
                             $sql .= "(id_video,id_product,id_lang,id_store,text_url,language,shop,name_product,type)";
                             $sql .= " VALUES ('','".$id_product."','".$value['id_lang']."','".$id_shop."','";
-                            $sql .= "".$video_upload_default."','".$value['name']."','".$name_shop."','";
+                            $sql .= "".$video_upload_default."','".$value['name']."','".pSQL($name_shop)."','";
                             $sql .= "".$name_product."','".$type_video."')";
                             $db->query($sql);
                             $url_save_video = _PS_ROOT_DIR_.'/media/'.$id_shop."/".$id_product."/";
@@ -113,7 +113,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                             $sql = "INSERT INTO "._DB_PREFIX_."url_video ";
                             $sql .= "(id_video,id_product,id_lang,id_store,text_url,language,shop,name_product,type)";
                             $sql .= " VALUES ('','".$id_product."','".$value['id_lang']."','".$id_shop."','";
-                            $sql .= "".$video_url."','".$value['name']."','".$name_shop."','";
+                            $sql .= "".$video_url."','".$value['name']."','".pSQL($name_shop)."','";
                             $sql .= "".$name_product."','".$type_video."')";
                             $db->query($sql);
                             $url_save_video = _PS_ROOT_DIR_.'/media/'.$id_shop."/".$id_product."/";
@@ -160,7 +160,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                         $sql = "REPLACE INTO "._DB_PREFIX_."url_video ";
                         $sql .= "(id_video,id_product,id_lang,id_store,text_url,language,shop,name_product,type)";
                         $sql .= " VALUES ('".$id_video."','".$id_product."','".$value['id_lang']."','";
-                        $sql .= "".$id_shop."','".$video_url."','".$value['name']."','".$name_shop."','";
+                        $sql .= "".$id_shop."','".$video_url."','".$value['name']."','".pSQL($name_shop)."','";
                         $sql .= "".$name_product."','".$type_video."')";
                         $db->query($sql);
                         $url_save_video = _PS_ROOT_DIR_.'/media/'.$id_shop."/".$id_product."/";
@@ -195,7 +195,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                         $sql .= "(id_video,id_product,id_store,text_url,language,shop,name_product,type,id_lang)";
                         $sql .= " VALUES ('".$id_video."','".$id_product."','".$id_shop."','";
                         $sql .= "".trim($name_url_array[$value_lang['id_lang']])."','".$value_lang['name']."','";
-                        $sql .= "".$name_shop."','".$name_product."','".$type_video."','".$value_lang['id_lang']."')";
+                        $sql .= "".pSQL($name_shop)."','".$name_product."','".$type_video."','".$value_lang['id_lang']."')";
                         $db->query($sql);
                         $ok="3";
                     }
@@ -214,7 +214,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                         $sql .= "(id_video,id_product,id_store,text_url,language,shop,name_product,type,id_lang)";
                         $sql .= " VALUES ('".$id_video."','".$id_product."','".$id_shop."','";
                         $sql .= "".trim($name_url_array[$value_lang['id_lang']])."','".$value_lang['name']."','";
-                        $sql .= "".$name_shop."','".$name_product."','".$type_video."','".$value_lang['id_lang']."')";
+                        $sql .= "".pSQL($name_shop)."','".$name_product."','".$type_video."','".$value_lang['id_lang']."')";
                         $db->query($sql);
                         $ok="3";
                     } else {
@@ -230,7 +230,7 @@ class BaVideoTabSaveVideoModuleFrontCont
                         $sql .= "(id_video,id_product,id_store,text_url,language,shop,name_product,type,id_lang)";
                         $sql .= " VALUES ('".$id_video."','".$id_product."','".$id_shop."','";
                         $sql .= "".trim($name_url_array[$value_lang['id_lang']])."','".$value_lang['name']."','";
-                        $sql .= "".$name_shop."','".$name_product."','".$type_video."','".$value_lang['id_lang']."')";
+                        $sql .= "".pSQL($name_shop)."','".$name_product."','".$type_video."','".$value_lang['id_lang']."')";
                         $db->query($sql);
                         $ok="3";
                     }
