By Waqas
E-Root marketplace had its domain seized in 2020.
This is a post from HackRead.com Read the original post: E-Root Marketplace Admin Extradited to US on Computer Fraud Charge

E-Root sold access to compromised devices and had more than 350,000 compromised computer credentials for sale.

A man from Moldova, Sandu Diaconu (31), has been extradited to the United States to face charges related to his operation of the E-Root marketplace, a website that sold access to compromised computers worldwide.

It’s worth noting that the E-Root marketplace had its domain seized in 2020 following a coordinated operation by international law enforcement authorities.

On October 16, 2023, Diaconu was extradited from the UK and appeared in a federal court in Florida the following day. He is charged with conspiring to commit computer and access device fraud, wire fraud, money laundering, and additional computer and access device fraud. If found guilty on all counts, Diaconu could potentially face a maximum sentence of 20 years in prison.

The indictment alleges that Diaconu served as an administrator of the E-Root Marketplace, a website that provided access to compromised computers for an extended period, including servers owned by American businesses and individuals.

To safeguard the privacy of its administrators, customers, and vendors, the Marketplace implemented certain measures. Through E-Root, buyers could search for compromised computer credentials, such as RDP and SSH access, tailored to their preferences, including criteria like price, location, operating system, and internet service provider.

The Marketplace also utilized Bitcoin and the online payment service Perfect Money to conceal the money paid by customers. The platform additionally offered a conversion service between Bitcoin and Perfect Money through its separate cryptocurrency exchange, which was also seized by the authorities.

According to the DoJ’s press release, the Marketplace had over 350,000 compromised computer credentials available for sale. Victims spanned across multiple industries and regions, including various companies, businesses, and at least one local government agency.

Furthermore, several of the affected companies experienced Ransomware attacks with extensive ramifications for victims, and some of the pilfered credentials listed on the Marketplace were linked to tax fraud schemes involving stolen identities.

Domain Seizure Notice for E-Root.

The IRS-CI Cyber Crimes Unit in Washington, D.C., and the FBI-Tampa Division jointly spearheaded the investigation. Several key entities played a substantial role in this effort, including the Tampa Field Office of the IRS-Criminal Investigation, the Department of Justice’s Office of International Affairs, IRS-CI and FBI International Operations at Mission UK, the United Kingdom’s National Extradition Unit, the United Kingdom’s Central Authority, and the Tampa Field Office of the United States Marshals Service.

This case is a reminder of the growing threat of cybercrime and the importance of international cooperation in combating it. The United States Department of Justice is committed to working with its partners around the world to bring perpetrators of cybercrime to justice.

****_RELATED ARTICLES_****

1.  Finnish Dark Web Marketplace PIILOPUOTI Seized
2.  Student Ran Germany’s Largest Dark Web Market DiDW
3.  8 Online Best Dark Web Search Engines for Tor Browser
4.  179 Dark Web vendors arrested, 500kg worth of drugs seized
5.  Domain, server of DoubleVPN used by ransomware gangs seized

E-Root Marketplace Admin Extradited to US on Computer Fraud Charge

**PRESS RELEASE**

**AUSTIN, Texas** – **Oct. 10, 2023** – SailPoint Technologies, Inc., a leader in enterprise identity security, today released the findings from the 2023 edition of its annual research report, ‘The Horizons of Identity Security,’ at Navigate 2023. Produced in collaboration between SailPoint and Accenture, a leading global professional services company, the report is based on insights from more than 375 global cybersecurity executives across the Americas, Europe and Asia. The goal was to examine the current state and future direction of the identity security market.

With 90% of cybersecurity breaches being identity related, identity security is the most important security aspect that every organization must get right. Yet, findings from the Horizons of Identity Security report show that 44% of companies are still at the beginning of their identity journeys. And, concerningly, even mature companies cover less than 70% of the identities in their organizations through foundational governance capabilities. However, respondents noted that communicating the business value of identity security to executives is a key challenge. This underscores the need for identity security advocates to build executive-friendly business cases that are tailored to their audiences’ strategic priorities and value-driven mindset.

A worrying 77% of respondents indicate that “limited executive sponsorship or focus” is a primary obstacle to investment in identity security, second only to budgetary constraints (91%). However, report findings clearly demonstrate that a strong identity security program can power business agility and innovation, risk mitigation, efficiency gains, and advancement of tech initiatives. For example, it can accelerate organizational change by as much as 30% through quicker integration of identities, applications, data and infrastructure. 

“A strong identity security program can generate real value for today’s organizations, but that value isn’t always obvious to business stakeholders,” said Matt Mills, President of Worldwide Field Operations, SailPoint. “In today’s threat landscape, stopping just one breach can save millions of dollars in lost revenue, regulatory fines, and reputational damage. It’s important for security teams to have the information they need to communicate their needs in an outcomes-based way. Focusing on the business value that identity security drives is going to resonate best with executives and help them understand the pressing need to accelerate their identity maturity if they want to avoid becoming the next major victim.”

Identity ecosystems are becoming increasingly complex and a preferred attack vector for threat actors. According to the report findings, on average more than 30% of the identities in an organization are not properly covered by identity solutions, with particular gaps around third-party identities, machine identities and data. Bringing those identities under the umbrella of a strong identity management program is essential for breach avoidance. Foundational security capabilities accelerate incident response, prevent bad actors from authenticating into internal systems and limit excessive access rights for employees — which survey respondents selected as the most common security deficiency enabling breaches.

Among other notable findings in the report was the fact that AI-based solutions have proven to be a potent accelerator, helping businesses add advanced new capabilities and drive greater agility. Encouragingly, the report shows a growing number of organizations are exploring AI-backed dynamic trust models to evolve access based on user behavior. The findings also show that companies leveraging SaaS, AI and automation scale a notable 10-30% faster and get more value for their security investment through increased capability utilization. More specifically, an identity platform leveraging automation and AI enables companies to scale identity-related capabilities up to 37% faster than companies without AI enablement. 

“Organizations are facing unprecedented challenges when it comes to managing their complex identity environments and massive data sets,” said Damon McDougald, the global Security Digital Identity lead at Accenture. “While advanced technologies like artificial intelligence and generative AI are making it easier to expedite, manage and scale identity security initiatives many organizations are still at the start of their journeys. Organizations should view this as an opportunity to accelerate their identity maturity timetable and establish a foundation for a secure digital transformation.”

**Adoption Assessment tool**

SailPoint is launching a new adoption assessment tool that can help organizations assess their current capabilities, as well as how they stack up against their peers. The tool can help businesses identify what their greatest barriers to stronger identity security are, and how they can generate greater business value by investing in identity. To access the adoption assessment tool, click here. 

SailPoint’s flagship ‘Navigate: Identity Security Accelerated’ conference kicks off in Austin, Texas on October 9th, and will be followed by a series of global events in London, Singapore, Sydney, Washington DC, Toronto and São Paulo. To register, visit the Navigate website.

**2023 Horizons of Identity Security Resources**

*   To download a copy of the 2023 Horizons of Identity Report, click here. 
*   Read more about the report’s top findings in this SailPoint blog. 
*   For a snapshot of the report’s key findings, click here. 
*   To reference the 2022 Horizons of Identity Report or take the maturity assessment, click here. 

**About SailPoint**

SailPoint is a leading provider of identity security for the modern enterprise. Enterprise security starts and ends with identities and their access, yet the ability to manage and secure identities today has moved well beyond human capacity. Using a foundation of artificial intelligence and machine learning, the SailPoint Identity Security Platform delivers the right level of access to the right identities and resources at the right time—matching the scale, velocity, and environmental needs of today’s cloud-oriented enterprise. Our intelligent, autonomous, and integrated solutions put identity security at the core of digital business operations, enabling even the most complex organizations across the globe to build a security foundation capable of defending against today’s most pressing threats.

SailPoint Unveils Annual 'Horizons of Identity Security' Report

Two weeks after the first data leak from the DNA ancestry service, the threat actor produces an additional 4 million user records they purportedly stole.

A threat actor who claimed responsibility for the compromise of the 23AndMe site earlier this month has released a new dataset, including the records of more than 4 million people's genetic ancestry.

The cybercriminal, known by the handle Golem, alleges in a cybercrime Dark Web forum the stolen data includes information on, "the wealthiest people living in the US and Western Europe," according to reports.

23andMe spokesperson Andy Kill said in a statement the organization is still trying to confirm whether the most recently leaked data is genuine.

Prior to this most recent leak, an Oct. 1 post on a Dark Web forum by Golem claimed they have a total of 20 million individual pieces of 23andMe data and leaked 1 million lines of data as a teaser, along with an offer to bulk sell data profiles.

23andMe confirmed in early October that users who opted to share information through its "DNA Relatives" were impacted and suggested the breach was a result of a credential stuffing cyberattack.

"After learning of suspicious activity, we immediately began an investigation," 23andMe's disclosure said. "While we are continuing to investigate this matter, we believe threat actors were able to access certain accounts in instances where users recycled login credentials — that is, usernames and passwords that were used on 23andme were the same as those used on other websites that have been previously hacked."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

23AndMe Hacker Leaks New Tranche of Stolen Data








In Weintek's cMT3000 HMI Web CGI device, the cgi-bin command_wb.cgi contains a stack-based buffer overflow, which could allow an anonymous attacker to hijack control flow and bypass login authentication.



CVE-2023-38584

### Summary
It seems that any Directus installation that has websockets enabled can be crashed if the websocket server receives an invalid frame. This could probably be posted as an issue and I might even be able to put together a pull request for a fix (if only I had some extra time...), but I decided to instead post as a vulnerability just for the maintainers, since this seemingly can be used to crash any live Directus server if websockets are enabled, so public disclosure is not a good idea until the issue is fixed.

### Details
The fix for this seems quite simple; the websocket server just needs to properly catch the error instead of crashing the server. See for example: https://github.com/websockets/ws/issues/2098

### PoC
- Start a fresh Directus server (using for example the compose file here: https://docs.directus.io/self-hosted/docker-guide.html). Enable websockets by setting `WEBSOCKETS_ENABLED: 'true'` environment variable.
- run a separate node app somewhere else to send an invalid frame to the server:

```
const WebSocket = require("ws");
const websocket = new WebSocket("ws://0.0.0.0:8055/websocket");
websocket.on("open", function () {
  const chunk = Buffer.from("a180", "hex");
  websocket._socket.write(chunk);
});
```

### Impact
The server crashes with an error: `RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear`. Server needs to be manually restarted to get back online (if there's no recovery mechanism in place, as there often isn't with simple node servers). This was confirmed on a local server, and additionally I was able to crash our staging server with the same code, just pointing to our staging Directus server running at fly.io. It seems to also crash servers running in the [directus.cloud](https://directus.cloud) service. I created https://websocket-test.directus.app/, pointed the above script to the websocket url of that instance and the server does crash for a while. It seems that in there there's a mechanism for bringing the server back up quite fast, but it would be quite trivial for anyone to DoS any server running in directus.cloud by just spamming these invalid frames to the server. 

**Summary**

It seems that any Directus installation that has websockets enabled can be crashed if the websocket server receives an invalid frame. This could probably be posted as an issue and I might even be able to put together a pull request for a fix (if only I had some extra time...), but I decided to instead post as a vulnerability just for the maintainers, since this seemingly can be used to crash any live Directus server if websockets are enabled, so public disclosure is not a good idea until the issue is fixed.

**Details**

The fix for this seems quite simple; the websocket server just needs to properly catch the error instead of crashing the server. See for example: websockets/ws#2098

**PoC**

*   Start a fresh Directus server (using for example the compose file here: https://docs.directus.io/self-hosted/docker-guide.html). Enable websockets by setting WEBSOCKETS_ENABLED: 'true' environment variable.
*   run a separate node app somewhere else to send an invalid frame to the server:

    const WebSocket = require("ws");
    const websocket = new WebSocket("ws://0.0.0.0:8055/websocket");
    websocket.on("open", function () {
      const chunk = Buffer.from("a180", "hex");
      websocket._socket.write(chunk);
    });
    

**Impact**

The server crashes with an error: RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear. Server needs to be manually restarted to get back online (if there's no recovery mechanism in place, as there often isn't with simple node servers). This was confirmed on a local server, and additionally I was able to crash our staging server with the same code, just pointing to our staging Directus server running at fly.io. It seems to also crash servers running in the directus.cloud service. I created https://websocket-test.directus.app/, pointed the above script to the websocket url of that instance and the server does crash for a while. It seems that in there there's a mechanism for bringing the server back up quite fast, but it would be quite trivial for anyone to DoS any server running in directus.cloud by just spamming these invalid frames to the server.

**References**

*   GHSA-hmgw-9jrg-hf2m
*   directus/directus@243eed7
*   https://github.com/directus/directus/releases/tag/v10.6.2

GHSA-hmgw-9jrg-hf2m: Directus crashes on invalid WebSocket message

Several countries in Europe as well as the United States and Japan were involved in the operation, which is aimed at defanging one of the bigger names in ransomware.

In an ongoing operation conducted by law enforcement, Ragnar Locker's Tor negotiation and data leak sites were taken down and replaced with a notice stating that the websites had been seized in a "coordinated international law enforcement action."

Europol is involved in taking action against the ransomware group, as well as law enforcement officials from the United States, and Japan. According to a Europol spokesperson, a press release will be announced on Oct. 20 when "all actions have been finalized."

"While on the surface, this feels like a win, ultimately it may be no more than an inconvenience for the Ragnar group if they are able to quickly set up other servers to replace these," stated Erick Kron, security awareness advocate at KnowBe4. "In addition, this could cause problems for people whose organizations have been impacted by a ransomware attack but have now lost a method to negotiate with the bad actors. Unless the websites that were seized contain information or decryption keys for these people, it could significantly delay their ability to recover."

It is still unclear as to whether or not any arrests have been made or if any stolen funds were recovered. 

According to Dragos, the group is known for focusing on the energy sector. In the past, Ragnar Locker has been tied to various attacks, including when it hit the Mayanei Hayeshua Medical Center in Bnei Brak just this past summer, and when it targeted TAP Air Portugal's systems and claimed to have stolen data. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Europol Strike Wounds Ragnar Locker Ransomware Group

By Deeba Ahmed
It is unclear how long Cisco will take to release a patch.
This is a post from HackRead.com Read the original post: Cisco Web UI Vulnerability Exploited Massly, Impacting Over 40K Devices

The US had the most compromised devices (4,659) with a backdoor installed as a result of the Cisco Web UI vulnerability followed by the Philippines (over 3,200).

****_KEY FINDINGS_****

**Cisco released a security advisory on October 16 to warn users about a critical zero-day privilege escalation vulnerability in its IOS XE Web UI software.**

**As per Censys, the company tracking the vulnerability, by October 18 the number of infections had increased from the previously reported 34,140 to 41,983 hosts, while 34,140 had backdoor installed**

**It is tracked as CVE-2023-20198 and has been used to exploit tens of thousands of devices.**

**The US had the highest number of compromised devices followed by the Philippines.**

A critical cybersecurity threat disclosed by Cisco has resulted in mass exploitation of its devices, with the number of impacted systems surpassing 40,000 hosts worldwide. Nonprofit security group Shadowserver has detected over 32,800 devices compromised so far.

On the other hand, Censys has been tracking this vulnerability and in its blog post, the company explained that due to active exploitation of this security flaw tens of thousands of devices could be affected.

The company scanned the impacted Cisco devices and found that most belonged to telecom firms offering internet services to business and home users, including AT&T. The US had the highest number of compromised devices with a backdoor installed (4,659) followed by the Philippines (over 3,200).

Hackread.com had reported that the vulnerability, tracked as CVE-2023-20198, was discovered in the Cisco IOS XE software’s Web UI feature. Cisco warned customers about the vulnerability affecting Cisco RV320 and RV325 routers, explaining that it allows a remote unauthorized attacker to create an account on the compromised system with privilege level 15 access and go on to gain full control of the device. 

The vulnerability affects the IOS XE Software Web UI feature because it is enabled by default in the devices. Cisco recommends users disable the HTTP server feature on every internet-connected system to prevent exploitation. Attackers exploiting this flaw are hijacking routers from telecom firms. Cisco has confirmed that since at least mid-September, threat actors have been exploiting it as a zero-day.

The vulnerability was first discovered in March 2023, and an uptick in attacks exploiting it was observed from mid-September. Moreover, a highly sophisticated actor is suspected to be exploiting it, which hints at the launch of a targeted and coordinated campaign while Cisco is still working on a patch to fix it.

In its threat advisory published on October 16th, 2023, Cisco stated that the actor exploited the old, already patched vulnerability (CVE-2021-1435) to install the implant after obtaining access to the device.

> _“We have also seen devices fully patched against CVE-2021-1435 getting the implant successfully installed through an as-of-yet undetermined mechanism.”_
> 
> CISCO

It is a serious security threat as the vulnerability has the highest criticality score of 10. The IOS XE software is an essential component of Cisco switches, wireless controller products, and routers. The vulnerability is critical enough to enable a complete takeover of Cisco devices, granting threat actors the ability to effortlessly monitor network traffic or present phishing pages loaded with harmful malware.

Reportedly, 469 of the compromised devices were registered at AT&T for residential and business clients. The company uses enterprise-grade Cisco XE routers, so small-sized organizations and individuals would likely be vulnerable to this threat instead of large corporations.

The risks posed by the vulnerability are wide-ranging, as attackers can leverage access to compromised devices to disrupt network operations, steal sensitive data, and launch new attacks against other systems on the network.

It is unclear how long Cisco will take to release a patch. Meanwhile, users must scan their devices for infection and disable the HTTP server feature, implement network segmentation, and monitor network traffic for suspicious activity.

****_RELATED ARTICLES_****

1.  Cisco’s new tool will detect malware in encrypted traffic
2.  New 19 CISA Advisories Highlight Vulnerabilities in Top ICS Products
3.  New Akira Ransomware Targets Businesses via Exploited CISCO VPNs
4.  Ex-employee hacked Cisco’s AWS Infrastructure; erased virtual machines
5.  Unpatched Cisco Catalyst SD-WAN Manager Systems Exposed to DoS Attacks

Cisco Web UI Vulnerability Exploited Massly, Impacting Over 40K Devices

DM Concept configurator before v4.9.4 was discovered to contain a SQL injection vulnerability via the component ConfiguratorAttachment::getAttachmentByToken.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org** or visit https://security-presta.org for more information.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “Advanced configurator for customized product” (configurator) up to version 4.9.3 from DM Concept for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-43986
*   **Published at**: 2023-10-19
*   **Platform**: PrestaShop
*   **Product**: configurator
*   **Impacted release**: <= 4.9.3 (4.9.4 fixed the vulnerability)
*   **Product author**: DM Concept
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

The method ConfiguratorAttachment::getAttachmentByToken has a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.

**WARNING** : This exploit is actively used to deploy a webskimmer to massively steal credit cards.

This exploit uses a PrestaShop front controller and most attackers can conceal the module controller’s path during the exploit, so you will never know within your conventional frontend logs that it exploits this vulnerability. **You will only see “POST /” inside your conventional frontend logs.** Activating the AuditEngine of mod\_security (or similar) is the only way to get data to confirm this exploit.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 4.9.3**

    --- 4.9.3/modules/configurator/classes/ConfiguratorAttachment.php
    +++ 4.9.4/modules/configurator/classes/ConfiguratorAttachment.php
        public static function getAttachmentByToken($token)
        {
            $query = new DbQuery();
            $query->select('*')
                ->from('configurator_attachment')
    -           ->where('token = "' . $token . '"');
    +           ->where('token = "' . pSQL($token) . '"');
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **configurator**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

DM Concept thanks TouchWeb for its courtesy and its help after the vulnerability disclosure.

**Timeline**

Date

Action

2023-07-20

Issue discovered during a code review by TouchWeb.fr

2023-07-20

Contact PrestaShop Addons security Team to confirm versions scope by author

2023-07-20

PrestaShop Addons security Team confirm versions scope

2023-07-20

Author provide a patch

2023-07-25

Request a CVE ID

2023-10-11

Received CVE ID

2023-10-19

Publish this security advisory

**Links**

*   PrestaShop addons product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-43986: [CVE-2023-43986] Improper neutralization of SQL parameter in DM Concept - Advanced configurator for customized product module for PrestaShop

In the module "Creative Popup" (creativepopup) up to version 1.6.9 from WebshopWorks for PrestaShop, a guest can perform SQL injection via `cp_download_popup().`

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org** or visit https://security-presta.org for more information.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “Creative Popup” (creativepopup) up to version 1.6.9 from WebshopWorks for PrestaShop, a guest can perform SQL injection in affected versions.

**Summary**

*   **CVE ID**: CVE-2023-45381
*   **Published at**: 2023-10-19
*   **Platform**: PrestaShop
*   **Product**: creativepopup
*   **Impacted release**: <= 1.6.9 (1.6.10 fixed the vulnerability)
*   **Product author**: WebshopWorks
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

The function cp_download_popup() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

**WARNING** : Be warned that this exploit will bypass some WAF.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data from the associated PrestaShop
*   Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijack emails

**Patch from 1.6.9**

    --- 1.6.9/modules/creativepopup/helper.php
    +++ XXXXX/modules/creativepopup/helper.php
    ...
    $import = new CpImportUtil($destination);
                try {
                    method_exists('Tools', 'deleteFile') ? Tools::deleteFile($destination) : unlink($destination);
                } catch (Exception $ex) {
                    // TODO
                }
                // rename imported popup
                $title = !empty(${'_COOKIE'}['cpNewTitle']) ? ${'_COOKIE'}['cpNewTitle'] : 'Unnamed';
                setcookie('cpNewTitle', '', 1);
    -           Db::getInstance()->update('creativepopup', array('name' => $title), 'id = '.$import->lastImportId);
    +           Db::getInstance()->update('creativepopup', array('name' => pSQL($title)), 'id = '.$import->lastImportId);
                // redirect after import
    
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **creativepopup**.
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality **WILL NOT** protect your SHOP against injection SQL which uses the UNION clause to steal data.
*   Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skills because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-05-04

Issue discovered during a code review by TouchWeb.fr

2023-05-04

Contact PrestaShop Addons security Team to confirm versions scope by author

2023-05-04

PrestaShop Addons security Team confirm versions scope

2023-05-19

Request a CVE ID

2023-10-11

Received CVE ID

2023-10-19

Publish this security advisory

**Links**

*   PrestaShop addons product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-45381: [CVE-2023-45381] Improper neutralization of SQL parameter in WebshopWorks Creative Popup module for PrestaShop


The affected product is vulnerable to a cross-site scripting vulnerability, which could allow an attacker to access the web application to introduce arbitrary Java Script by injecting an XSS payload into the 'hostname' parameter of the vulnerable software.



Tag

#web