When logged in as an administrator, the Database Manager (SQL Manager) interface lets the user build a SELECT request that calls LOAD_FILE.

Summary

  • CVE ID: CVE-2023-30545
  • Published at: 2023-05-03
  • Advisory source: PrestaShop
  • Platform: PrestaShop
  • Product: PrestaShop
  • Impacted release: >= 8.0.0 < 8.0.4 and < 1.7.8.9 (Patched versions 8.0.4 and 1.7.8.9)
  • Weakness: CWE-22
  • Severity: medium (6.5)

Description

A user with access to the SQL Manager (Advanced Parameters -> Database) can read any file on the operating system that the MySQL server process can open, by calling the SQL function LOAD_FILE() inside a SELECT request. The SQL Manager keyword filter blocked LOAD (as in LOAD DATA) but not the LOAD_FILE function, so the query was accepted and its result displayed in the back office. Depending on the MySQL account's FILE privilege and the secure_file_priv setting, this gives access to critical information such as configuration files containing database credentials and secrets.
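The check a SQL Manager needs in order to block this is a walk over the parsed SELECT column list that rejects a denylisted function call wherever it appears, not only as the leading keyword of the query (LOAD_FILE is a single identifier, so a denylist entry for LOAD does not match it). The following is an added example, not PrestaShop's own code: it assumes a parser tree with expr_type, base_expr and sub_tree keys per node (the shape PHPSQLParser emits), and the three sample trees are constructed by hand for the queries given in the comments. Unlike a walk that only follows the first child, it descends into every argument, so a call nested as the second argument of CONCAT() is also caught.

```php
<?php
// Added example (not PrestaShop code): reject a parsed SELECT column list when
// any function call, at any nesting depth and in any argument position, is on
// the unauthorized list. Node shape (expr_type / base_expr / sub_tree) is an
// assumption modelled on PHPSQLParser output.
declare(strict_types=1);

// Kept to the function this advisory concerns; a real validator carries the
// full keyword list.
const UNAUTHORIZED_FUNCTIONS = ['LOAD_FILE'];

/**
 * Return the name of the first denylisted function found anywhere in $node,
 * or null if the subtree is clean. Function names are compared case-insensitively
 * because MySQL accepts load_file() as well as LOAD_FILE().
 */
function findUnauthorizedFunction(array $node, array $denylist): ?string
{
    if (($node['expr_type'] ?? null) === 'function'
        && in_array(strtoupper((string) $node['base_expr']), $denylist, true)) {
        return (string) $node['base_expr'];
    }
    // sub_tree is false for leaf nodes (column refs, constants); recurse into
    // every child, not only the first one.
    if (!empty($node['sub_tree']) && is_array($node['sub_tree'])) {
        foreach ($node['sub_tree'] as $child) {
            if (is_array($child)) {
                $hit = findUnauthorizedFunction($child, $denylist);
                if ($hit !== null) {
                    return $hit;
                }
            }
        }
    }
    return null;
}

/** Validate every column expression of a SELECT; mirrors a checkedSelect()-style result. */
function validateSelectColumns(array $selectColumns, array $denylist): array
{
    foreach ($selectColumns as $column) {
        $hit = findUnauthorizedFunction($column, $denylist);
        if ($hit !== null) {
            return ['ok' => false, 'function' => $hit];
        }
    }
    return ['ok' => true, 'function' => null];
}

// Constructed sample trees, shaped as a parser would emit them for:
//   SELECT name FROM ps_employee
//   SELECT LOAD_FILE('/etc/passwd')
//   SELECT CONCAT('x', load_file('/etc/passwd'))   -- call nested as 2nd argument
$plain = [
    ['expr_type' => 'colref', 'base_expr' => 'name', 'sub_tree' => false],
];
$direct = [
    ['expr_type' => 'function', 'base_expr' => 'LOAD_FILE', 'sub_tree' => [
        ['expr_type' => 'const', 'base_expr' => "'/etc/passwd'", 'sub_tree' => false],
    ]],
];
$nested = [
    ['expr_type' => 'function', 'base_expr' => 'CONCAT', 'sub_tree' => [
        ['expr_type' => 'const', 'base_expr' => "'x'", 'sub_tree' => false],
        ['expr_type' => 'function', 'base_expr' => 'load_file', 'sub_tree' => [
            ['expr_type' => 'const', 'base_expr' => "'/etc/passwd'", 'sub_tree' => false],
        ]],
    ]],
];

foreach (['plain' => $plain, 'direct' => $direct, 'nested' => $nested] as $label => $tree) {
    $result = validateSelectColumns($tree, UNAUTHORIZED_FUNCTIONS);
    echo $label, ': ', $result['ok'] ? 'allowed' : 'rejected (' . $result['function'] . ')', PHP_EOL;
}
```

Running the script with php shows the plain column reference accepted and both LOAD_FILE variants rejected, the nested one included. A denylist of function names is still only one layer: the MySQL account PrestaShop connects with should not hold the FILE privilege, and secure_file_priv should restrict where LOAD_FILE() may read from, so that a future bypass of the validator does not again expose the filesystem.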

CVSS base metrics

  • Attack vector: network
  • Attack complexity: low
  • Privilege required: low
  • User interaction: none
  • Scope: unchanged
  • Confidentiality: high
  • Integrity: none
  • Availability: none

Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Possible malicious usage

  • Obtain database access
  • Extract sensitive data, such as tokens or private keys stored in config files
  • Extract other private data, such as log files or exports

Patch

--- a/classes/RequestSql.php
+++ b/classes/RequestSql.php
@@ -59,7 +59,7 @@ class RequestSqlCore extends ObjectModel
         ],
         'unauthorized' => [
             'DELETE', 'ALTER', 'INSERT', 'REPLACE', 'CREATE', 'TRUNCATE', 'OPTIMIZE', 'GRANT', 'REVOKE', 'SHOW', 'HANDLER',
-            'LOAD', 'ROLLBACK', 'SAVEPOINT', 'UNLOCK', 'INSTALL', 'UNINSTALL', 'ANALZYE', 'BACKUP', 'CHECK', 'CHECKSUM', 'REPAIR', 'RESTORE', 'CACHE',
+            'LOAD', 'LOAD_FILE', 'ROLLBACK', 'SAVEPOINT', 'UNLOCK', 'INSTALL', 'UNINSTALL', 'ANALZYE', 'BACKUP', 'CHECK', 'CHECKSUM', 'REPAIR', 'RESTORE', 'CACHE',
             'DESCRIBE', 'EXPLAIN', 'USE', 'HELP', 'SET', 'DUPLICATE', 'VALUES',  'INTO', 'RENAME', 'CALL', 'PROCEDURE',  'FUNCTION', 'DATABASE', 'SERVER',
             'LOGFILE', 'DEFINER', 'RETURNS', 'EVENT', 'TABLESPACE', 'VIEW', 'TRIGGER', 'DATA', 'DO', 'PASSWORD', 'USER', 'PLUGIN', 'FLUSH', 'KILL',
             'RESET', 'START', 'STOP', 'PURGE', 'EXECUTE', 'PREPARE', 'DEALLOCATE', 'LOCK', 'USING', 'DROP', 'FOR', 'UPDATE', 'BEGIN', 'BY', 'ALL', 'SHARE',
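Review bot: the pre-existing entry 'ANALZYE' on the unchanged line above the new one is a typo for 'ANALYZE', so that keyword has never actually been blocked; since this hunk is already editing the list, fix it here. Adding 'LOAD_FILE' as its own entry is required because the list is matched by exact token equality (in_array on the uppercased base_expr, as the checkedSelect hunk shows), so the existing 'LOAD' entry never matched the LOAD_FILE identifier.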
@@ -484,6 +484,15 @@ public function checkedSelect($select, $from, $in = false)
                         }
                     }
                 }
+
+                while (is_array($attribut['sub_tree'])) {
+                    if ($attribut['expr_type'] === 'function' && in_array(strtoupper($attribut['base_expr']), $this->tested['unauthorized'])) {
+                        $this->error_sql['checkedSelect']['function'] = $attribut['base_expr'];
+
+                        return false;
+                    }
+                    $attribut = $attribut['sub_tree'][0];
+                }
             } elseif ($in) {
                 $this->error_sql['checkedSelect']['*'] = false;
 
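Review bot: the new loop only follows the first child at each level (`$attribut = $attribut['sub_tree'][0];`), so a denylisted function that appears as the second or later argument of an outer call, for example CONCAT('x', LOAD_FILE(...)), is never visited and the query is accepted. Replace the while loop with a recursive walk that runs `foreach ($attribut['sub_tree'] as $child)` and applies the same expr_type/base_expr test to every node, and guard the `$attribut['sub_tree']` access with isset or `?? null`, since leaf nodes carry false (or no key) there and the current loop condition reads it unconditionally.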
diff --git a/src/Adapter/SqlManager/SqlQueryValidator.php b/src/Adapter/SqlManager/SqlQueryValidator.php
index fda12566a5c3..466af3264b10 100644
--- a/src/Adapter/SqlManager/SqlQueryValidator.php
+++ b/src/Adapter/SqlManager/SqlQueryValidator.php
@@ -187,6 +187,14 @@ private function getSelectKeywordError(array $legacyError)
             ];
         }
 
+        if (isset($legacyError['function'])) {
+            return [
+                'key' => 'The "%function%" function is not allowed.',
+                'parameters' => ['%function%' => $legacyError['function']],
+                'domain' => 'Admin.Advparameters.Notification',
+            ];
+        }
+
         return [
             'key' => 'Undefined "%s" error',
             'parameters' => [

Other recommendations

  • It is recommended to upgrade to the latest version of PrestaShop: 1.7.8.9 or 8.0.4.
  • Harden the MySQL side as well: LOAD_FILE() requires the FILE privilege and honours the secure_file_priv setting, so run PrestaShop with a database account that does not have FILE and set secure_file_priv to an empty directory (or NULL to disable file access entirely). Disable the local_infile MySQL option too if it is not needed; it governs LOAD DATA LOCAL INFILE rather than LOAD_FILE(), but it is the same class of filesystem access.