SQL injection vulnerability found in the module "Shoppingfeed Prestashop Plugin (Feed&Order)" (aka shoppingfeed) for PrestaShop, versions 1.4.0 to 1.8.2 (1.8.3 fixes the issue), allowing a remote attacker to gain privileges.
Description
From 1.4.0 to 1.8.2 (1.8.3 fixes the issue), a sensitive SQL call in ShoppingfeedToken::findByToken() can be reached with a trivial HTTP call and exploited to forge a blind SQL injection through the POST or GET submitted variable token.
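To make the defect concrete, here is an added example (not the module's code, and not the project's patch) that reproduces the pattern in a stand-alone form: a lookup that interpolates the submitted token into the SQL text, beside a hardened lookup that first allow-lists the token format and then binds the value as a query parameter instead of escaping it. The table, rows and the 32-character hexadecimal token format are constructed for this example and are assumptions, not the module's real schema; sqlite3 stands in for the PrestaShop Db layer.

```python
import re
import sqlite3

# Constructed sample rows standing in for a token table (assumption for the
# example; the real module's schema is not reproduced here).
SAMPLE_ROWS = [
    (1, 1, "a3f9c2e1b7d04c6e8f1a2b3c4d5e6f70"),
    (2, 2, "0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
]

# Assumed token format: 32 lowercase hex characters. Adjust to the real format;
# the point is that anything outside the allow-list never reaches the database.
TOKEN_RE = re.compile(r"^[0-9a-f]{32}$")


def make_db() -> sqlite3.Connection:
    """Create an in-memory table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE shoppingfeed_token "
        "(id INTEGER PRIMARY KEY, id_shop INTEGER, content TEXT)"
    )
    conn.executemany("INSERT INTO shoppingfeed_token VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_by_token_vulnerable(conn: sqlite3.Connection, token: str):
    """Mirrors the pre-1.8.3 pattern: the token becomes part of the SQL text,
    so a quote character in it changes the query structure."""
    sql = f"SELECT * FROM shoppingfeed_token WHERE content = '{token}'"
    return conn.execute(sql).fetchone()


def find_by_token_hardened(conn: sqlite3.Connection, token: str):
    """Reject anything that is not a well-formed token, then pass the value as a
    bound parameter so the database never parses it as SQL."""
    if not isinstance(token, str) or not TOKEN_RE.match(token):
        return None
    sql = "SELECT * FROM shoppingfeed_token WHERE content = ?"
    return conn.execute(sql, (token,)).fetchone()


def compare(token: str) -> dict:
    """Run both lookups on the same input and report which one returned a row."""
    conn = make_db()
    return {
        "vulnerable_returns_row": find_by_token_vulnerable(conn, token) is not None,
        "hardened_returns_row": find_by_token_hardened(conn, token) is not None,
    }


if __name__ == "__main__":
    # A genuine token is accepted by both; a malformed one containing a quote
    # is only "accepted" by the vulnerable lookup, because it rewrote the query.
    print(compare(SAMPLE_ROWS[0][2]))
    print(compare("x' OR '1'='1"))
```

The hardened version relies on two independent controls: the allow-list rejects malformed input early (a cheap check that also blocks the probes a blind injection depends on), and parameter binding means that even if the format check were relaxed later, the token could still not alter the statement. The project's actual fix (escaping with pSQL inside a quoted literal) is a third valid approach; it is correct as long as the surrounding quotes are kept.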
Possible malicious usage
- Technical and personal data leaks
- Obtain admin access
- Remove all data of the linked PrestaShop
- Expose sensitive tables to the front office, unlocking potential admin ajax scripts of other modules that are protected by a token in the ecosystem
Patch
--- a/modules/shoppingfeed/classes/ShoppingfeedToken.php
+++ b/modules/shoppingfeed/classes/ShoppingfeedToken.php
@@ -138,7 +138,7 @@ public function findByToken($token)
$query = (new DbQuery())
->select('*')
->from(self::$definition['table'])
- ->where("content = '$token'")
+ ->where('content = "' . pSQL($token) . '"')
;
return Db::getInstance(_PS_USE_SQL_SLAVE_)->getRow($query);
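Review bot: the fix also swaps the string delimiter from single to double quotes (`->where('content = "' . pSQL($token) . '"')`); MySQL treats a double-quoted literal as a string only while the ANSI_QUOTES SQL mode is off, so keeping the original single quotes, `->where("content = '" . pSQL($token) . "'")`, avoids a dependency on server configuration. pSQL() escapes the value for use inside a quoted literal, so the surrounding quotes are part of what makes it safe; rejecting a $token that does not match the expected token format before building the query would add defence in depth at no cost.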
See also
Other recommendations
- It's recommended to upgrade the module to 1.8.3 or later.
- Upgrade PrestaShop to 1.7.8.8 or later (or 8.0.1 or later) to disable multi-query execution (statements separated by ";").
- Change the default database prefix ps_ to a new, longer arbitrary prefix. Nevertheless, be warned that this is useless against a blackhat with senior DBA skills because of a design vulnerability in the DBMS.
- Activate the OWASP 942 rules (the Core Rule Set's SQL injection rules) on your WAF (web application firewall); be warned that you will probably break your back office and will need to pre-configure some bypasses for this set of rules.
Timeline
| Date | Action |
| --- | --- |
| 2022-10-14 | Wargan Solutions discovers the vulnerability during an audit ordered by Shoppingfeed and 202 ecommerce |
| 2022-10-14 | Patch release 1.8.3 published |
| 2022-10-18 | Shoppingfeed sends a first newsletter inviting all merchants to upgrade to 1.9.0 |
| 2022-12-12 | Shoppingfeed sends a second reminder inviting all merchants to upgrade |
| 2022-03-28 | Shoppingfeed sends a third reminder inviting all merchants to upgrade to 1.9.3 |
| 2023-04-18 | This security advisory published |