Commit
Merge pull request from GHSA-2jx3-5j9v-prpp
Validate order by and order way
Showing 1 changed file with 5 additions and 1 deletion.
b3ec4b8
So apparently there is an unfiltered value returned by toLegacyOrderWay() (I'm doubtful of it, see below).
If this is the case, CHANGE the function, not simply one module; otherwise it is an open door for other modules.
Why am I doubtful? Because toLegacyOrderWay() calls getDirection(), which returns $this->direction. $this->direction is set by setDirection() (during construct) and tests are done against the values asc, desc, random, otherwise exception. How can this lead to SQL injection?
@doekia this issue is not with toLegacyOrderWay. The SQL injection can be reproduced because of the usage of toLegacyOrderBy (not toLegacyOrderWay) combined with a wrong usage of getLegacyPrefix. I can confirm the exploit. The usage of Validate::isOrderBy($sortOrder) is fixing the issue.
Therefore I repeat, the function that needs to be patched SHOULD BE toLegacyOrderBy(), which should implement Validate::isOrderBy() before returning values.
Such a way will protect ANY modules that use the framework function toLegacyOrderBy().
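The thread above turns on one defensive pattern: never interpolate a caller-supplied ORDER BY column or direction into SQL without first checking it against an allowlist. The following PHP is an added illustration of that pattern; it is not PrestaShop's Validate class, not the blockwishlist module, and not the patched toLegacyOrderBy(). The class name OrderByValidator, the identifier regex, and the ASC/DESC-only direction list are assumptions chosen for the example (the framework discussed above also accepts `random` as a direction, as the first comment notes), and the sample inputs are constructed.

```php
<?php
// Added example: allowlist validation of ORDER BY inputs before they reach SQL.
// Not PrestaShop code; class name, patterns and samples are assumptions.

final class OrderByValidator
{
    // Column names, optionally table-prefixed (alias.column), may only contain
    // letters, digits, dot, underscore and hyphen. Anything else is rejected.
    private const ORDER_BY_PATTERN = '/^[a-zA-Z0-9._-]+$/';

    // Sort direction is restricted to a fixed set of keywords (assumption:
    // ASC/DESC only; a framework may allow more, e.g. random, via its own list).
    private const ORDER_WAYS = ['ASC', 'DESC'];

    public static function isOrderBy(string $orderBy): bool
    {
        return preg_match(self::ORDER_BY_PATTERN, $orderBy) === 1;
    }

    public static function isOrderWay(string $orderWay): bool
    {
        return in_array(strtoupper($orderWay), self::ORDER_WAYS, true);
    }

    /**
     * Build an ORDER BY fragment only from validated input. Throwing on bad
     * input means a caller can never silently interpolate an untrusted string,
     * which is the "validate inside the shared function" point made above.
     */
    public static function buildOrderByClause(string $orderBy, string $orderWay): string
    {
        if (!self::isOrderBy($orderBy)) {
            throw new InvalidArgumentException('Invalid ORDER BY column: ' . $orderBy);
        }
        if (!self::isOrderWay($orderWay)) {
            throw new InvalidArgumentException('Invalid ORDER BY direction: ' . $orderWay);
        }
        // Quote each dotted segment separately so alias.column becomes `alias`.`column`.
        $segments = explode('.', $orderBy);
        $quoted = implode('.', array_map(fn (string $s): string => '`' . $s . '`', $segments));
        return 'ORDER BY ' . $quoted . ' ' . strtoupper($orderWay);
    }
}

// Constructed sample inputs: two well-formed requests and two malformed ones.
$samples = [
    ['date_add', 'desc'],        // accepted
    ['p.name', 'ASC'],           // accepted, table-prefixed column
    ['name, (other)', 'asc'],    // rejected: comma, space and parentheses are outside the allowlist
    ['name', 'random'],          // rejected: direction not in this example's allowlist
];

foreach ($samples as [$column, $way]) {
    try {
        echo OrderByValidator::buildOrderByClause($column, $way), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Placing the checks inside the function that produces the SQL fragment, rather than in each calling module, is what makes every consumer of that function safe at once, which is the argument made in the comments above; a module-level fix only protects the one call site it touches.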
Can you tell me if the vulnerability in the module is also in the PrestaShop 1.6.1.24 version of blockwishlist 1.3.2?
@Pilypas. No, it's not. Please refer to GHSA-2jx3-5j9v-prpp.