[CVE-2022-22897] Major updates > SQL Injections in PrestaShop appagebuilder module up to 2.4.5

PrestaShop Ap Pagebuilder module versions 2.4.5 and below suffer from several remote SQL injection vulnerability.

Summary

• CVE ID: CVE-2022-22897
• Published at: 2022-09-25
• Updated at: 2023-01-05
• Advisory source: Friends-Of-Presta
• Platform: PrestaShop
• Product: appagebuilder
• Impacted release: <=2.4.5
• Product author: apollotheme / leo theme
• Weakness: CWE-89
• Severity: critical (9.8)

Description

On AP PAGEBUILDER PrestaShop module <= 2.4.5 contents many improper neutralization parameters including ‘product_all_one_img’ and ‘image_product’.

WARNING : Be aware that versions from 2.0.0 to 2.4.3+ (exact release is not determined) own another sql injection which will certainly bypass your WAF (base64 payloads) so you should upgrade asap to 2.4.5.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: none
• User interaction: none
• Scope: unchanged
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

• Obtain admin access
• Technical and personal data leaks

Proof of concept

Initial POC

curl -v 'https://localhost/modules/appagebuilder/apajax.php?rand=1641313272327&leoajax=1&product_all_one_img=1)+or+sleep(4)%23&image_product=0&wishlist_compare=1'
curl -v 'hhttp://localhost/modules/appagebuilder/apajax.php?rand=1641313272327&leoajax=1&product_all_one_img=1&image_product=1)+or+sleep(4)%23&wishlist_compare=1'

New POCs

curl -v 'https://localhost/modules/appagebuilder/apajax.php?leoajax=1&product_manufacture=1,1)+or+sleep(4)%23--'

POC which bypass WAF is not supplied.

Patch

Disclamer: These patches are based on available known versions installed on PrestaShop. This advisory try to do its best to be useful for everyone who want to fix critical vulnerabilities.

Release 2.4.5

--- a/apajax.php
+++ b/apajax.php
@@ -71,7 +71,7 @@ if (Tools::getValue('leoajax') == 1) {
 					FROM `'._DB_PREFIX_.'product` p
 					'.Shop::addSqlAssociation('product', 'p').'
 					LEFT JOIN `'._DB_PREFIX_.'category_product` cp ON p.`id_product` = cp.`id_product`
-					WHERE cp.`id_category` IN ('.$list_cat.')
+					WHERE cp.`id_category` IN ('.implode(', ', array_map('intval', explode(',', $list_cat))).')
 				AND product_shop.`visibility` IN ("both", "catalog")
 				AND product_shop.`active` = 1
 				GROUP BY cp.`id_category`';
@@ -84,6 +84,7 @@ if (Tools::getValue('leoajax') == 1) {
     if ($leo_pro_cdown) {
         $leo_pro_cdown = explode(',', $leo_pro_cdown);
         $leo_pro_cdown = array_unique($leo_pro_cdown);
+        $leo_pro_cdown = array_map('intval', $leo_pro_cdown); // fix sql injection
         $leo_pro_cdown = implode(',', $leo_pro_cdown);
         $result['pro_cdown'] = $module->hookProductCdown($leo_pro_cdown);
     }
@@ -91,6 +92,7 @@ if (Tools::getValue('leoajax') == 1) {
     if ($leo_pro_color) {
         $leo_pro_color = explode(',', $leo_pro_color);
         $leo_pro_color = array_unique($leo_pro_color);
+        $leo_pro_color = array_map('intval', $leo_pro_color); // fix sql injection
         $leo_pro_color = implode(',', $leo_pro_color);
         $result['pro_color'] = $module->hookProductColor($leo_pro_color);
     }
@@ -99,6 +101,7 @@ if (Tools::getValue('leoajax') == 1) {
     if ($product_list_image) {
         $product_list_image = explode(',', $product_list_image);
         $product_list_image = array_unique($product_list_image);
+        $product_list_image = array_map('intval', $product_list_image); // fix sql injection
         $product_list_image = implode(',', $product_list_image);
 
         # $leocustomajax = new Leocustomajax();
@@ -107,6 +110,7 @@ if (Tools::getValue('leoajax') == 1) {
     if ($product_one_img) {
         $product_one_img = explode(',', $product_one_img);
         $product_one_img = array_unique($product_one_img);
+        $product_one_img = array_map('intval', $product_one_img); // fix sql injection
         $product_one_img = implode(',', $product_one_img);
 
         $result['product_one_img'] = $module->hookProductOneImg($product_one_img);

--- a/appagebuilder.php
+++ b/appagebuilder.php
@@ -2887,7 +3050,7 @@ class APPageBuilder extends Module imple
     {
         $where = '';
         if (strpos($manuid, ',') !== false) {
-            $where = ' WHERE `id_manufacturer` IN(' . $manuid . ')';
+            $where = ' WHERE `id_manufacturer` IN(' . implode(', ', array_map('intval', explode(',', $manuid))) . ')';
         } else {
             $where = ' WHERE `id_manufacturer` = ' . (int) $manuid;
         }
@@ -2937,7 +3100,7 @@ class APPageBuilder extends Module imple
         $link = new Link($protocol_link, $protocol_content);
 
         $id_lang = Context::getContext()->language->id;
-        $where = ' WHERE i.`id_product` IN ('.$list_pro.') AND (ish.`cover`=0 OR ish.`cover` IS NULL) AND ish.`id_shop` = '.Context::getContext()->shop->id;
+        $where = ' WHERE i.`id_product` IN ('.implode(', ', array_map('intval', explode(',', $list_pro))).') AND (ish.`cover`=0 OR ish.`cover` IS NULL) AND ish.`id_shop` = '.Context::getContext()->shop->id;
         $order = ' ORDER BY i.`id_product`,`position`';
         $limit = ' LIMIT 0,1';
         //get product info 
@@ -2973,7 +3136,7 @@ class APPageBuilder extends Module imple
 
         $id_lang = Context::getContext()->language->id;
         $image_product = Tools::getValue('image_product');
-        $where = ' WHERE i.`id_product` IN ('.$list_pro.') AND i.`id_image` NOT IN ('.$image_product.') AND ish.`id_shop` = '.Context::getContext()->shop->id;
+        $where = ' WHERE i.`id_product` IN ('.implode(', ', array_map('intval', explode(',', $list_pro))).') AND i.`id_image` NOT IN ('.implode(', ', array_map('intval', explode(',', $image_product))).') AND ish.`id_shop` = '.Context::getContext()->shop->id;
         $order = ' ORDER BY i.`id_product`,`position`';
         $limit = ' LIMIT 0,1';
         //get product info
      }

Release 2.0.x to 2.3.x

--- a/apajax.php
+++ b/apajax.php
@@ -111,6 +111,7 @@ if (Tools::getValue('leoajax') == 1) {
     if ($leo_pro_cdown) {
         $leo_pro_cdown = explode(',', $leo_pro_cdown);
         $leo_pro_cdown = array_unique($leo_pro_cdown);
+        $leo_pro_cdown = array_map('intval', $leo_pro_cdown); // fix sql injection
         $leo_pro_cdown = implode(',', $leo_pro_cdown);
         $result['pro_cdown'] = $module->hookProductCdown($leo_pro_cdown);
     }
@@ -118,6 +119,7 @@ if (Tools::getValue('leoajax') == 1) {
     if ($leo_pro_color) {
         $leo_pro_color = explode(',', $leo_pro_color);
         $leo_pro_color = array_unique($leo_pro_color);
+        $leo_pro_color = array_map('intval', $leo_pro_color); // fix sql injection
         $leo_pro_color = implode(',', $leo_pro_color);
         $result['pro_color'] = $module->hookProductColor($leo_pro_color);
     }
@@ -125,9 +127,10 @@ if (Tools::getValue('leoajax') == 1) {
     if ($product_list_image) {
         $product_list_image = explode(',', $product_list_image);
         $product_list_image = array_unique($product_list_image);
+        $product_list_image = array_map('intval', $product_list_image); // fix sql injection
         $product_list_image = implode(',', $product_list_image);
 
         # $leocustomajax = new Leocustomajax();
         $result['product_list_image'] = $module->hookProductMoreImg($product_list_image);
     }
     
@@ -135,6 +139,7 @@ if (Tools::getValue('leoajax') == 1) {
     if ($product_one_img) {
         $product_one_img = explode(',', $product_one_img);
         $product_one_img = array_unique($product_one_img);
+        $product_one_img = array_map('intval', $product_one_img); // fix sql injection
         $product_one_img = implode(',', $product_one_img);
 
         $result['product_one_img'] = $module->hookProductOneImg($product_one_img);
@@ -142,6 +147,7 @@ if (Tools::getValue('leoajax') == 1) {
     if ($product_attribute_one_img) {
         $product_attribute_one_img = explode(',', $product_attribute_one_img);
         $product_attribute_one_img = array_unique($product_attribute_one_img);
+        $product_attribute_one_img = array_map('intval', $product_attribute_one_img); // fix sql injection
         $product_attribute_one_img = implode(',', $product_attribute_one_img);
 
         $result['product_attribute_one_img'] = $module->hookProductAttributeOneImg($product_attribute_one_img);
@@ -149,7 +155,8 @@ if (Tools::getValue('leoajax') == 1) {
     if ($product_all_one_img) {
         $product_all_one_img = explode(',', $product_all_one_img);
         $product_all_one_img = array_unique($product_all_one_img);
+        $product_all_one_img = array_map('intval', $product_all_one_img); // fix sql injection
         $product_all_one_img = implode(',', $product_all_one_img);
 
         $result['product_all_one_img'] = $module->hookProductAllOneImg($product_all_one_img);
     }

@@ -71,7 +71,7 @@ if (Tools::getValue('leoajax') == 1) {
 					FROM `'._DB_PREFIX_.'product` p
 					'.Shop::addSqlAssociation('product', 'p').'
 					LEFT JOIN `'._DB_PREFIX_.'category_product` cp ON p.`id_product` = cp.`id_product`
-					WHERE cp.`id_category` IN ('.$list_cat.')
+					WHERE cp.`id_category` IN ('.implode(', ', array_map('intval', explode(',', $list_cat))).')
 				AND product_shop.`visibility` IN ("both", "catalog")
 				AND product_shop.`active` = 1
 				GROUP BY cp.`id_category`';

--- a/appagebuilder.php
+++ b/appagebuilder.php
@@ -2033,7 +2033,7 @@ class APPageBuilder extends Module
 		LEFT JOIN `'._DB_PREFIX_.'product_comment_grade` pcg ON (pcg.`id_product_comment` = pc.`id_product_comment`)
 		LEFT JOIN `'._DB_PREFIX_.'product_comment_criterion` pcc ON (pcc.`id_product_comment_criterion` = pcg.`id_product_comment_criterion`)
 		LEFT JOIN `'._DB_PREFIX_.'product_comment_criterion_lang` pccl ON (pccl.`id_product_comment_criterion` = pcg.`id_product_comment_criterion`)
-		WHERE pc.`id_product` in ('.$list_product.')
+		WHERE pc.`id_product` in ('.implode(', ', array_map('intval', explode(',', $list_product))).')
 		AND pccl.`id_lang` = '.(int)$id_lang.
                         ($validate == '1' ? ' AND pc.`validate` = 1' : '')));
     }
@@ -2050,7 +2050,7 @@ class APPageBuilder extends Module
         $result = Db::getInstance(_PS_USE_SQL_SLAVE_)->executeS('
 		SELECT COUNT(pc.`id_product`) AS nbr, pc.`id_product` 
 		FROM `'._DB_PREFIX_.'product_comment` pc
-		WHERE `id_product` in ('.$list_product.')'.($validate == '1' ? ' AND `validate` = 1' : '').'
+		WHERE `id_product` in ('.implode(', ', array_map('intval', explode(',', $list_product))).')'.($validate == '1' ? ' AND `validate` = 1' : '').'
 		AND `grade` > 0 GROUP BY pc.`id_product`');
         return $result;
     }
@@ -2118,7 +2118,7 @@ class APPageBuilder extends Module
         $link = new Link($protocol_link, $protocol_content);
 
         $id_lang = Context::getContext()->language->id;
-        $where = ' WHERE i.`id_product` IN ('.$list_pro.') AND (ish.`cover`=0 OR ish.`cover` IS NULL) AND ish.`id_shop` = '.Context::getContext()->shop->id;
+        $where = ' WHERE i.`id_product` IN ('.implode(', ', array_map('intval', explode(',', $list_pro))).') AND (ish.`cover`=0 OR ish.`cover` IS NULL) AND ish.`id_shop` = '.Context::getContext()->shop->id;
         $order = ' ORDER BY i.`id_product`,`position`';
         $limit = ' LIMIT 0,1';
         //get product info

1.0.0

--- a/apajax.php
+++ b/apajax.php
@@ -57,7 +57,7 @@ if (Tools::getValue('leoajax') == 1) {
                     FROM `'._DB_PREFIX_.'product` p
                     '.Shop::addSqlAssociation('product', 'p').'
                     LEFT JOIN `'._DB_PREFIX_.'category_product` cp ON p.`id_product` = cp.`id_product`
-                    WHERE cp.`id_category` IN ('.$list_cat.')
+                    WHERE cp.`id_category` IN ('.implode(', ', array_map('intval', explode(',', $list_cat))).')
                 AND product_shop.`visibility` IN ("both", "catalog")
                 AND product_shop.`active` = 1
                 GROUP BY cp.`id_category`';
@@ -70,6 +70,7 @@ if (Tools::getValue('leoajax') == 1) {
     if ($leo_pro_cdown) {
         $leo_pro_cdown = explode(',', $leo_pro_cdown);
         $leo_pro_cdown = array_unique($leo_pro_cdown);
+        $leo_pro_cdown = array_map('intval', $leo_pro_cdown);
         $leo_pro_cdown = implode(',', $leo_pro_cdown);
         $result['pro_cdown'] = $module->hookProductCdown($leo_pro_cdown);
     }
@@ -77,6 +78,7 @@ if (Tools::getValue('leoajax') == 1) {
     if ($leo_pro_color) {
         $leo_pro_color = explode(',', $leo_pro_color);
         $leo_pro_color = array_unique($leo_pro_color);
+        $leo_pro_color = array_map('intval', $leo_pro_color);
         $leo_pro_color = implode(',', $leo_pro_color);
         $result['pro_color'] = $module->hookProductColor($leo_pro_color);
     }
@@ -85,6 +87,7 @@ if (Tools::getValue('leoajax') == 1) {
     if ($leo_pro_info) {
         $leo_pro_info = explode(',', $leo_pro_info);
         $leo_pro_info = array_unique($leo_pro_info);
+        $leo_pro_info = array_map('intval', $leo_pro_info);
         $leo_pro_info = implode(',', $leo_pro_info);
 
         # $leocustomajax = new Leocustomajax();
@@ -93,6 +96,7 @@ if (Tools::getValue('leoajax') == 1) {
     if ($leo_pro_add) {
         $leo_pro_add = explode(',', $leo_pro_add);
         $leo_pro_add = array_unique($leo_pro_add);
+        $leo_pro_add = array_map('intval', $leo_pro_add);
         $leo_pro_add = implode(',', $leo_pro_add);
 
         $result['pro_add'] = $module->hookProductOneImg($leo_pro_add);

--- a/appagebuilder..php
+++ b/appagebuilder..php
@@ -1160,12 +1160,12 @@ class APPageBuilder extends Module
             $id_categories = isset($params['categorybox']) ? $params['categorybox'] : '';
             if (isset($params['category_type']) && $params['category_type'] == 'default') {
                 $where .= ' AND product_shop.`id_category_default` '.(strpos($id_categories, ',') === false ?
-                                '= '.(int)$id_categories : 'IN ('.$id_categories.')');
+                                '= '.(int)$id_categories : 'IN ('.implode(', ', array_map('intval', explode(',', $id_categories))).')');
             } else {
                 $sql_join .= ' INNER JOIN '._DB_PREFIX_.'category_product cp		ON (cp.id_product= p.`id_product` )';
                 
                 $where .= ' AND cp.`id_category` '.(strpos($id_categories, ',') === false ?
-                                '= '.(int)$id_categories : 'IN ('.$id_categories.')');
+                                '= '.(int)$id_categories : 'IN ('.implode(', ', array_map('intval', explode(',', $id_categories))).')');
 
                 $sql_group = ' GROUP BY p.id_product';
 
@@ -1174,7 +1174,7 @@ class APPageBuilder extends Module
         $value_by_supplier = isset($params['value_by_supplier']) ? $params['value_by_supplier'] : 0;
         if ($value_by_supplier && isset($params['supplier'])) {
             $id_suppliers = $params['supplier'];
-            $where .= ' AND p.id_supplier '.(strpos($id_suppliers, ',') === false ? '= '.(int)$id_suppliers : 'IN ('.$id_suppliers.')');
+            $where .= ' AND p.id_supplier '.(strpos($id_suppliers, ',') === false ? '= '.(int)$id_suppliers : 'IN ('.implode(', ', array_map('intval', explode(',', $id_suppliers))).')');
         }
         $value_by_product_id = isset($params['value_by_product_id']) ? $params['value_by_product_id'] : 0;
         if ($value_by_product_id && isset($params['product_id'])) {
@@ -1185,13 +1185,13 @@ class APPageBuilder extends Module
             }
 
             $product_id = implode(',', $temp);
-            $where .= ' AND p.id_product '.(strpos($product_id, ',') === false ? '= '.(int)$product_id : 'IN ('.$product_id.')');
+            $where .= ' AND p.id_product '.(strpos($product_id, ',') === false ? '= '.(int)$product_id : 'IN ('.implode(', ', array_map('intval', explode(',', $product_id))).')');
         }
 
         $value_by_manufacture = isset($params['value_by_manufacture']) ? $params['value_by_manufacture'] : 0;
         if ($value_by_manufacture && isset($params['manufacture'])) {
             $id_manufactures = $params['manufacture'];
-            $where .= ' AND p.id_manufacturer '.(strpos($id_manufactures, ',') === false ? '= '.(int)$id_manufactures : 'IN ('.$id_manufactures.')');
+            $where .= ' AND p.id_manufacturer '.(strpos($id_manufactures, ',') === false ? '= '.(int)$id_manufactures : 'IN ('.implode(', ', array_map('intval', explode(',', $id_manufactures))).')');
         }
         $product_type = isset($params['product_type']) ? $params['product_type'] : '';
         $value_by_product_type = isset($params['value_by_product_type']) ? $params['value_by_product_type'] : 0;
@@ -1272,6 +1272,7 @@ class APPageBuilder extends Module
 //            $sql .= ' ORDER BY product_shop.date_add '.(!$get_total ? ' LIMIT '.(int)$n : '');
             $sql .= ' ORDER BY RAND() '.(!$get_total ? ' LIMIT '.(int)$n : '');
         } else {
+            $order_way = Validate::isOrderWay($order_way) ? Tools::strtoupper($order_way) : 'ASC';
             $sql .= ' ORDER BY '.(!empty($order_by_prefix) ? $order_by_prefix.'.' : '').'`'.bqSQL($order_by).'` '.pSQL($order_way)
                     .(!$get_total ? ' LIMIT '.(((int)$p - 1) * (int)$n).','.(int)$n : '');
         }
@@ -1752,16 +1753,18 @@ class APPageBuilder extends Module
         if ($params['order_by'] == 'position') {
             $params['order_by'] = 'id_manufacturer';
         }
+	     $params['order_by'] = Validate::isOrderBy($params['order_by']) ? $params['order_by'] : 'id_manufacturer';
         if (isset($params['order_way']) && $params['order_way'] == 'random') {
             $order = ' RAND()';
         } else {
+	         $params['order_way'] = Validate::isOrderWay($params['order_way']) ? $params['order_way'] : 'DESC';
             $order = (isset($params['order_by']) ? ' '.$params['order_by'] : '').(isset($params['order_way']) ? ' '.$params['order_way'] : '');
         }
         $sql = 'SELECT m.*, ml.`description`, ml.`short_description`
 			FROM `'._DB_PREFIX_.'manufacturer` m
 			'.Shop::addSqlAssociation('manufacturer', 'm').'
 			INNER JOIN `'._DB_PREFIX_.'manufacturer_lang` ml ON (m.`id_manufacturer` = ml.`id_manufacturer` AND ml.`id_lang` = '.(int)$id_lang.')
-			WHERE m.`active` = 1 '.(isset($params['manuselect']) ? 'AND m.`id_manufacturer` IN ('.$params['manuselect'].')' : '').' 
+			WHERE m.`active` = 1 '.(isset($params['manuselect']) ? 'AND m.`id_manufacturer` IN ('.implode(',',array_map('intval',explode(',',$params['manuselect']))).')' : '').' 
 			ORDER BY '.$order;
         $manufacturers = Db::getInstance(_PS_USE_SQL_SLAVE_)->executeS($sql);
         if ($manufacturers === false) {
@@ -1848,7 +1851,7 @@ class APPageBuilder extends Module
 		LEFT JOIN `'._DB_PREFIX_.'product_comment_grade` pcg ON (pcg.`id_product_comment` = pc.`id_product_comment`)
 		LEFT JOIN `'._DB_PREFIX_.'product_comment_criterion` pcc ON (pcc.`id_product_comment_criterion` = pcg.`id_product_comment_criterion`)
 		LEFT JOIN `'._DB_PREFIX_.'product_comment_criterion_lang` pccl ON (pccl.`id_product_comment_criterion` = pcg.`id_product_comment_criterion`)
-		WHERE pc.`id_product` in ('.$list_product.')
+		WHERE pc.`id_product` in ('.implode(',',array_map('intval',explode(',',$list_product))).')
 		AND pccl.`id_lang` = '.(int)$id_lang.
                         ($validate == '1' ? ' AND pc.`validate` = 1' : '')));
     }

Other recommendations

• We highly recommand to remove from your server this module if not used, or upgrade to the latest release of the module appagebuilder up to 2.4.5 and apply all fixes mentionned above.
• To help improve the security of your PrestaShop installation, we recommend upgrading to the latest version. One of the benefits of upgrading is that it will disable the use of multiquery executions (separated by semicolons). However, please be aware that this will not protect your shop against SQL injection attacks that use the UNION clause to steal data. Additionally, it’s important to note that PrestaShop includes a function called pSQL, which includes a strip_tags function. This helps protect your shop against Stored XSS (also known as XSS T2) of Category 1. If a pSQL function is missing, it could potentially expose your project to critical Stored XSS vulnerabilities due to edge cases. Therefore, it’s crucial to ensure that all relevant functions are properly implemented and used consistently throughout your project.
• Change the default database prefix ps_ by a new longer arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skill because of a design vulnerability in DBMS
• Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

Links

• Author product page
• PrestaShop marketplace product page
• POC
• Partial patch
• National Vulnerability Database