CVE-2023-23315: [CVE-2023-23315] Improper neutralization of an SQL parameter in stripejs module for PrestaShop

The PrestaShop e-commerce platform module “Stripe Payment Pro (SCA-ready)”, aka stripejs (*), contains a Blind SQL injection vulnerability in versions prior to 4.5.5. Release 4.5.5 fixed the vulnerability.

Summary

  • CVE ID: CVE-2023-23315
  • Published at: 2023-03-01
  • Advisory source: Friends-of-presta.org
  • Vendor: PrestaShop
  • Product: stripejs (*)
  • Impacted release: < 4.5.5 (4.5.5 fixed the vulnerability)
  • Product author: NTS
  • Weakness: CWE-89
  • Severity: critical (9.8)

(*) Do not confuse with stripe_official.

Description

The method stripejsValidationModuleFrontController::initContent() builds SQL queries from request parameters without neutralizing them; the code path is reachable with a trivial unauthenticated HTTP call and can be exploited to inject SQL.

Please note that this add-on had already been exploited in the wild by a malicious network to hijack several shops.

CVSS base metrics

  • Attack vector: network
  • Attack complexity: low
  • Privilege required: none
  • User interaction: none
  • Scope: unchanged
  • Confidentiality: high
  • Integrity: high
  • Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

  • Technical and personal data leaks
  • Obtain admin access
  • Remove all data of the linked PrestaShop
  • Expose sensitive tables to the front office, which can unlock admin-side ajax scripts of modules in the ecosystem that are protected only by a token

Proof of concept

curl -v -X POST -d 'fc=module&module=stripejs&controller=validation&source_type=alipay&payment_intent=test%22%3BSELECT%20SLEEP%2825%29%3B%23' 'https://domain.tld/'
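To make the mechanics of the bug and of the fix concrete, here is an added Python illustration (not part of the advisory or of the stripejs module) that rebuilds the two query constructions from the validation controller, feeds them the URL-decoded payment_intent value from the PoC, and shows why the pre-4.5.5 string breaks out of the quoted literal while the pSQL()-escaped one does not. The psql_escape helper is an approximation of PrestaShop's pSQL(), php_int_cast emulates PHP's (int) cast used for cid, and the PaymentIntent id format in PI_FORMAT is an assumption added as a defence-in-depth allow-list, not something the patch does.

```python
import re

# Constructed sample: the payment_intent value from the PoC above, URL-decoded.
POC_PAYMENT_INTENT = 'test";SELECT SLEEP(25);#'
DB_PREFIX = "ps_"  # PrestaShop's default table prefix (see the recommendations)

def psql_escape(value: str) -> str:
    """Approximation of PrestaShop's pSQL(): backslash-escape the characters that
    can terminate a quoted MySQL literal (what mysqli_real_escape_string does)."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0", "\n": "\\n", "\r": "\\r"}
    return "".join(table.get(ch, ch) for ch in value)

def php_int_cast(value: str) -> int:
    """Emulate PHP's (int) cast on a request string: leading integer, else 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0

def vulnerable_query(payment_intent: str) -> str:
    # Pre-4.5.5 construction: the raw request value is concatenated into the statement.
    return ('SELECT id_cart FROM ' + DB_PREFIX + 'stripejs_transaction WHERE id_payment_intent = "'
            + payment_intent + '" AND type = "payment"')

def fixed_query(payment_intent: str) -> str:
    # 4.5.5 construction: the value is escaped, so it cannot close the literal.
    return ('SELECT id_cart FROM ' + DB_PREFIX + 'stripejs_transaction WHERE id_payment_intent = "'
            + psql_escape(payment_intent) + '" AND type = "payment"')

def unquoted_semicolons(sql: str) -> int:
    """Count ';' outside double-quoted literals: any such ';' means the input broke
    out of the literal and a second statement would run where multi-query is enabled."""
    count, in_string, i = 0, False, 0
    while i < len(sql):
        ch = sql[i]
        if in_string and ch == "\\":
            i += 2  # skip the escaped character
            continue
        if ch == '"':
            in_string = not in_string
        elif ch == ";" and not in_string:
            count += 1
        i += 1
    return count

# Assumption: Stripe PaymentIntent ids look like "pi_" plus alphanumerics; an allow-list
# check rejects the PoC value before it ever reaches the database (defence in depth).
PI_FORMAT = re.compile(r"^pi_[A-Za-z0-9]{8,64}$")

def is_plausible_payment_intent(value: str) -> bool:
    return bool(PI_FORMAT.match(value))
```

Running the PoC value through both builders gives 2 unquoted semicolons for the vulnerable query and 0 for the fixed one, which is exactly the difference that the multi-query hardening in the recommendations below also relies on.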

Patch of release 4.5.2 to 4.5.5

--- 4.5.2/stripejs/controllers/front/validation.php
+++ 4.5.5/stripejs/controllers/front/validation.php
@@ -46,24 +46,28 @@ class stripejsValidationModuleFrontContr
         $history_page = $this->context->link->getPageLink('history', true);
         $conveyor = array();
 
+        if (!$this->context->cookie->logged) {
+            return die('<h2>' . $this->module->l('Your transaction will be validated soon.') . '</h2>');
+        }
+
         if (Tools::getIsset('stripe_checkout') && Tools::getValue('stripe_checkout') == 'failed') {
             Tools::redirect($order_page);
-        } elseif (Tools::getIsset('payment_intent') && Tools::getIsset('redirect_status') && Tools::getValue('redirect_status') == failed) {
+        } elseif (Tools::getIsset('payment_intent') && Tools::getIsset('redirect_status') && Tools::getValue('redirect_status') == 'failed') {
 
             $intent = \Stripe\PaymentIntent::retrieve(Tools::getValue('payment_intent'));
             $pi_error = (!empty($intent->last_payment_error) ? $intent->last_payment_error->message : (isset($intent->error) ? $intent->error->message : ''));
             Tools::redirect($this->context->link->getPageLink('order', true, null, array('stripe_error' => $pi_error)));
         } else {
-            //sleep(2);
+
             if (Tools::getIsset('payment_intent')) {
-                $conveyor['cart_id'] = Db::getInstance()->getValue('SELECT id_cart FROM ' . _DB_PREFIX_ . 'stripejs_transaction WHERE id_payment_intent = "' . Tools::getValue('payment_intent') . '" AND type = "payment"');
+                $conveyor['cart_id'] = Db::getInstance()->getValue('SELECT id_cart FROM ' . _DB_PREFIX_ . 'stripejs_transaction WHERE id_payment_intent = "' . pSQL(Tools::getValue('payment_intent')) . '" AND type = "payment"');
                 $conveyor['token'] = Tools::getValue('payment_intent');
             } elseif (!empty($this->context->cart->id)) {
                 $conveyor['cart_id'] = $this->context->cart->id;
                 $conveyor['token'] = Db::getInstance()->getValue('SELECT id_payment_intent FROM ' . _DB_PREFIX_ . 'stripejs_transaction WHERE id_cart = ' . $conveyor['cart_id'] . ' AND type = "payment"');
             } elseif (Tools::getIsset('cid')) {
-                $conveyor['cart_id'] = Tools::getValue('cid');
-                $conveyor['token'] = Db::getInstance()->getValue('SELECT id_payment_intent FROM ' . _DB_PREFIX_ . 'stripejs_transaction WHERE id_cart = ' . Tools::getValue('cid') . ' AND type = "payment"');
+                $conveyor['cart_id'] = (int) Tools::getValue('cid');
+                $conveyor['token'] = Db::getInstance()->getValue('SELECT id_payment_intent FROM ' . _DB_PREFIX_ . 'stripejs_transaction WHERE id_cart = ' . (int) Tools::getValue('cid') . ' AND type = "payment"');
             }
 
             $id_order = (int) Order::getOrderByCartId((int) $conveyor['cart_id']);
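Review bot: the actual fix in this hunk is the pSQL() wrapping of payment_intent and the (int) casts on cid, but `$conveyor['token'] = Tools::getValue('payment_intent');` still stores the raw request value; if token is interpolated into a query anywhere downstream (processPayment() is not shown here) it needs the same escaping, and an allow-list on the expected id format would be stronger than escaping alone. The new guard `return die(...)` is redundant since die() never returns, and it only restricts the page to logged-in customers, so it narrows exposure rather than removing the injection. Replacing the bare `failed` (an undefined constant) with `'failed'` fixes a separate bug in the redirect_status comparison and deserves its own changelog entry.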
@@ -76,13 +80,13 @@ class stripejsValidationModuleFrontContr
 
                 $this->setTemplate('module:stripejs/views/templates/hook/payment_validation.tpl');
                 if (Tools::getValue('attempt') < 4) {
-                    $arr_content = array('content_only' => 1, 'attempt' => (int) Tools::getValue('attempt') + 1, 'cid' => $conveyor['cart_id']);
+                    $arr_content = array('content_only' => 1, 'attempt' => (int) Tools::getValue('attempt') + 1, 'cid' => (int) $conveyor['cart_id']);
                     $this->context->smarty->assign(array(
                         'reload' => 1,
                         'reloadURL' => $this->context->link->getModuleLink($this->module->name, 'validation', $arr_content, true),
                     ));
                 } else {
-                    $conveyor['source_type'] = $result_json->payment_method_details->type;
+                    $conveyor['source_type'] = NULL;
                     $this->module->processPayment($conveyor);
                 }
             }
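Review bot: `$conveyor['source_type'] = NULL;` drops `$result_json->payment_method_details->type` entirely instead of sanitizing it, so processPayment() must tolerate a NULL source_type; confirm that, and that no order or transaction record silently loses the payment-method type as a side effect. The (int) cast on 'cid' in $arr_content is consistent with the casts in the previous hunk.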

Other recommendations

  • It is recommended to upgrade to the latest version of the module stripejs.
  • Upgrade PrestaShop beyond 1.7.8.8 (and 8.0.1) to disable multi-query execution (statements separated by “;”).
  • Change the default database prefix ps_ to a new, longer, arbitrary prefix. Nevertheless, be warned that this is useless against a skilled attacker with senior DBA knowledge, because of a design weakness in the DBMS.
  • Activate the OWASP Core Rule Set 942 (SQL injection) rules on your WAF (web application firewall); be warned that you will probably break your back office and will need to pre-configure some exclusions for this rule set.

Timeline

  • July 2022: security issue reported to the author
  • September 2022: author publishes release 4.5.3 with a partial fix
  • 2022-12-27: PrestaShop Addons contacted to ask for a fix
  • 2023-01-05: author publishes release 4.5.5 with all issues fixed
  • 2023-01-10: CVE ID requested
  • 2023-03-01: this security advisory published

Links

  • PrestaShop addons product page
  • National Vulnerability Database