In the module "Administrative Mandate" (totadministrativemandate) published by 202 ecommerce, an authenticated user can perform SQL injection in affected versions.
Description
From version 1.2.1, published on 12 October 2012, to 1.7.2, published on 3 December 2020, a sensitive SQL call in the class method PDFMandate::mandatePDF() (or pdftot::MandatePDF() in versions before 1.5) can be reached with a trivial HTTP call and exploited as a blind SQL injection.
Possible malicious usage
- Obtain admin access
- Remove data on the associated PrestaShop
Proof of concept
curl -v --cookie-jar cookie.txt 'https://domain.tld/authentification?submitLogin=1&email=XXXX&password=YYY' && \
curl -v --cookie cookie.txt 'https://domain.tld/modules/totadministrativemandate/pdftot.php?id_order=1%27%3BSELECT%20SLEEP%2825%29%23'
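Added example, not part of the advisory or of the module's code: a small Python detector for the request pattern described above, run over constructed Apache combined-format access-log lines. It assumes that the only legitimate values of the id_order parameter on the pdftot.php endpoint are a numeric order id (PrestaShop before 1.5) or a 9-uppercase-letter PrestaShop order reference (1.5 and later); that allowlist is an assumption, and the log lines, IP addresses and timestamps are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
# Line 2 carries the same id_order payload shape as the advisory's proof of concept.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Sep/2022:10:01:02 +0000] "GET /modules/totadministrativemandate/pdftot.php?id_order=XKBKNABJK HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [26/Sep/2022:10:01:09 +0000] "GET /modules/totadministrativemandate/pdftot.php?id_order=1%27%3BSELECT%20SLEEP%2825%29%23 HTTP/1.1" 200 312 "-" "curl/7.81.0"
198.51.100.7 - - [26/Sep/2022:10:02:30 +0000] "GET /modules/totadministrativemandate/pdftot.php?id_order=42 HTTP/1.1" 200 5099 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Sep/2022:10:03:00 +0000] "GET /index.php?controller=order HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# Vulnerable endpoint named in the advisory.
TARGET_PATH = "/modules/totadministrativemandate/pdftot.php"

# Assumed allowlist of what the module legitimately receives in id_order:
# a numeric order id (PrestaShop < 1.5) or a 9-letter order reference (>= 1.5).
VALID_ID_ORDER = re.compile(r"(?:[0-9]+|[A-Z]{9})")

# Apache combined log: client, ident, user, [timestamp], "method target proto", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"'
)


def classify_id_order(raw_value):
    """Return 'ok' if the value matches the allowlist, else 'suspicious'.

    The value is percent-decoded first so that an encoded quote or semicolon
    (%27, %3B) is judged on its decoded form; decoding an already-decoded
    value is harmless.
    """
    decoded = unquote(raw_value)
    return "ok" if VALID_ID_ORDER.fullmatch(decoded) else "suspicious"


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, method, target, status, ua = m.groups()
    parts = urlsplit(target)
    return {
        "client": client,
        "ts": ts,
        "method": method,
        "path": parts.path,
        # parse_qs percent-decodes the values, so '%27' arrives here as a quote.
        "query": parse_qs(parts.query, keep_blank_values=True),
        "status": int(status),
        "ua": ua,
    }


def find_injection_attempts(log_text):
    """Return one finding per request to the mandate PDF endpoint whose id_order
    parameter is not a plain order id or order reference."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        for value in rec["query"].get("id_order", []):
            if classify_id_order(value) == "suspicious":
                findings.append({
                    "client": rec["client"],
                    "ts": rec["ts"],
                    "id_order": unquote(value),
                    "ua": rec["ua"],
                })
    return findings


if __name__ == "__main__":
    for f in find_injection_attempts(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} suspicious id_order={f['id_order']!r} ua={f['ua']}")
```

The allowlist approach flags any id_order value that is not a plain id or reference, so it does not depend on recognising a particular keyword such as SLEEP and also catches variants that use other encodings; on the constructed sample it reports exactly the second line. The same allowlist is what the module could apply before the parameter ever reaches a query.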
Sample patch for 1.6.2
--- a/totadministrativemandate/pdfmandate15.php
+++ b/totadministrativemandate/pdfmandate15.php
@@ -1166,15 +1166,15 @@ class PDFMandate extends FPDF
$mode = 'D';
$slip = false;
$delivery = false;
$reference = Tools::getValue('id_order');
if (version_compare(_PS_VERSION_, '1.5', '>')) {
- $SQL = 'SELECT `id_order` FROM `'._DB_PREFIX_."orders` WHERE `reference` = '".$reference."' ";
+ $SQL = 'SELECT `id_order` FROM `'._DB_PREFIX_."orders` WHERE `reference` = '".pSQL($reference)."' ";
$id_order = Db::getInstance()->getValue($SQL);
} else {
$id_order = Tools::getValue('id_order');
}
$order = new Order($id_order);
if (
!Validate::isLoadedObject($order)
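Review bot: pSQL() is the right fix for the quoted `reference` comparison in the `version_compare(_PS_VERSION_, '1.5', '>')` branch, but the `else` branch still hands the raw `Tools::getValue('id_order')` value to `new Order($id_order)` unchanged; since that branch expects a numeric id, casting it there (`$id_order = (int) Tools::getValue('id_order');`) gives both branches the same input discipline. It is also worth a comment that the variable named `$reference` is read from the `id_order` request parameter: that mismatch is what made the string comparison easy to overlook in the first place.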
--- a/totadministrativemandate/pdfmandate16.php
+++ b/totadministrativemandate/pdfmandate16.php
@@ -345,15 +345,15 @@ class PDFMandate extends TCPDF
$mode = 'D';
$slip = false;
$delivery = false;
$reference = Tools::getValue('id_order');
if (version_compare(_PS_VERSION_, '1.5', '>')) {
- $SQL = 'SELECT `id_order` FROM `'._DB_PREFIX_."orders` WHERE `reference` = '".$reference."' ";
+ $SQL = 'SELECT `id_order` FROM `'._DB_PREFIX_."orders` WHERE `reference` = '".pSQL($reference)."' ";
$id_order = Db::getInstance()->getValue($SQL);
} else {
$id_order = Tools::getValue('id_order');
}
$order = new Order($id_order);
if (
!Validate::isLoadedObject($order)
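Review bot: this hunk is the same block as the pdfmandate15.php one, so the same remark applies: the `else` branch still passes the raw `id_order` value into `new Order($id_order)`, and a `(int)` cast there would match the escaping added on the `reference` lookup. Having the identical reference-to-id lookup duplicated across the 1.5 (FPDF) and 1.6 (TCPDF) PDF classes is also how one copy gets patched and the other missed; moving that lookup into one shared helper that both `PDFMandate` classes call would make this fix a single change.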
Other recommendations
- It is recommended to upgrade the module beyond 1.7.2.
- Upgrade PrestaShop to 1.7.8.8 or later to disable multi-query executions (queries separated by ";").
- Change the default database prefix ps_ to a new, longer, arbitrary prefix.
Links
Timeline
| Date | Action |
| --- | --- |
| 2022-09-26 | Issue discovered by Touch Web during a code review |
| 2022-09-26 | Contacted 202 ecommerce |
| 2022-09-26 | 202 ecommerce answered with the scope of affected releases and confirmed that newer releases were fixed 2 years ago |
| 2022-12-05 | Requested a CVE ID |
| 2023-01-21 | Obtained the CVE ID from mitre.org |
| 2023-01-30 | Published this advisory |
202 ecommerce thanks Touch Web for its courtesy and its help after the vulnerability disclosure.