Summary

A SQL injection vulnerability was found in the module “PayPal Official Module” (aka paypal) for PrestaShop, versions 3.12.0 through 3.16.3 (3.16.4 fixes the issue). It allows a remote attacker to gain privileges.

Description

Up to 3.16.3 (3.16.4 fixes the issue), a sensitive SQL call in the file ipn.php can be reached with a trivial HTTP request and exploited to forge a blind SQL injection through the POST or GET submitted variable receiver_email.
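The following Python model is added here as an illustration; it is not code from the PayPal module or from this advisory. It reproduces how the INSERT shown in the Patch section is assembled: PrestaShop's Db::insert() wraps each value in single quotes but does not escape it, so an unsanitized receiver_email breaks out of its literal, while the (int) cast and pSQL() of the fix keep the same payload inside the literal. The psql() and php_int_cast() helpers are simplified stand-ins for PrestaShop's pSQL() and PHP's (int) cast, sql_outside_literals() is a hypothetical checker written for this example, and the cart id and payload are constructed sample values.

```python
"""Model of the vulnerable and patched INSERT in ipn.php (added example, not the module's code).

PrestaShop's Db::insert() quotes every value but does NOT escape it; sanitizing is the
caller's job (pSQL() for strings, (int) for ids). The helpers below approximate that.
"""
import re

TABLE = "ps_paypal_hss_email_error"  # default ps_ prefix assumed


def ps_insert_sql(table, row):
    """Approximation of Db::insert(): quote each value, no escaping."""
    cols = ", ".join(f"`{k}`" for k in row)
    vals = ", ".join(f"'{v}'" for v in row.values())
    return f"INSERT INTO `{table}` ({cols}) VALUES ({vals})"


def psql(value):
    """Approximation of pSQL() (mysqli real_escape_string): backslash-escape the
    characters MySQL treats specially inside a quoted literal. The real pSQL()
    also strips HTML tags by default; that part is omitted here."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\x00": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def php_int_cast(value):
    """Mimic PHP's (int) cast on a JSON-decoded value: leading digits of a string, else 0."""
    if isinstance(value, bool):
        return int(value)
    if isinstance(value, (int, float)):
        return int(value)
    if isinstance(value, str):
        m = re.match(r"\s*([+-]?\d+)", value)
        return int(m.group(1)) if m else 0
    return 0


def build_vulnerable(custom, receiver_email):
    """Pre-3.16.4 behaviour: both request-controlled values are inserted unsanitized."""
    return ps_insert_sql(TABLE, {"id_cart": custom["id_cart"], "email": receiver_email})


def build_patched(custom, receiver_email):
    """3.16.4 behaviour: (int) cast on id_cart, pSQL() on receiver_email (default '')."""
    return ps_insert_sql(TABLE, {"id_cart": php_int_cast(custom["id_cart"]),
                                 "email": psql(receiver_email or "")})


def sql_outside_literals(sql):
    """Blank out single-quoted literals (honouring backslash escapes and doubled
    quotes) so that whatever remains is text MySQL would parse as SQL syntax."""
    out, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            out.append(sql[i])
            i += 1
            continue
        i += 1  # skip the opening quote
        while i < n:
            if sql[i] == "\\":
                i += 2
            elif sql[i] == "'" and i + 1 < n and sql[i + 1] == "'":
                i += 2
            elif sql[i] == "'":
                i += 1
                break
            else:
                i += 1
        out.append("'?'")
    return "".join(out)


# Constructed sample request values for the HSS branch (not a real IPN message)
CUSTOM = {"id_cart": "12"}
PAYLOAD = "x' OR SLEEP(5) -- "  # time-based blind probe


def demo():
    """Return both queries and whether the probe escaped its string literal."""
    vuln = build_vulnerable(CUSTOM, PAYLOAD)
    safe = build_patched(CUSTOM, PAYLOAD)
    return {
        "vulnerable_sql": vuln,
        "vulnerable_injected": "SLEEP" in sql_outside_literals(vuln),
        "patched_sql": safe,
        "patched_injected": "SLEEP" in sql_outside_literals(safe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the vulnerable query the probe closes the email literal and `OR SLEEP(5)` is evaluated as part of the VALUES expression, which is exactly the blind, time-based channel the description refers to; in the patched query the same bytes are stored as data.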

CVSS base metrics

  • Attack vector: network
  • Attack complexity: low
  • Privileges required: none
  • User interaction: none
  • Scope: unchanged
  • Confidentiality: high
  • Integrity: high
  • Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

  • Technical and personal data leaks
  • Obtain admin access
  • Remove all data from the linked PrestaShop
  • Disclose sensitive tables to the front office to unlock potential admin ajax scripts of modules protected by a token on the ecosystem

Patch

diff --git a/ipn.php b/ipn.php
index 45525e99..e7808233 100644
--- a/ipn.php
+++ b/ipn.php
@@ -255,5 +255,5 @@ public function getResult()
     }
 } elseif (Tools::isSubmit('custom') && (int)Configuration::get('PAYPAL_PAYMENT_METHOD') == HSS) {
     $custom = Tools::jsonDecode(Tools::getValue('custom'), true);
-    Db::getInstance()->insert('paypal_hss_email_error', array('id_cart' => $custom['id_cart'], 'email' => Tools::getValue('receiver_email')));
+    Db::getInstance()->insert('paypal_hss_email_error', array('id_cart' => (int) $custom['id_cart'], 'email' => pSQL(Tools::getValue('receiver_email', ''))));
 }
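Review bot: the `(int)` cast and `pSQL()` on the `+` line close the injection, but the line still indexes `$custom['id_cart']` without checking that `Tools::jsonDecode()` returned an array containing that key; when the request-controlled `custom` parameter is malformed JSON or lacks `id_cart`, this emits a PHP notice and silently stores `id_cart = 0`. Consider guarding the insert with `if (is_array($custom) && isset($custom['id_cart']) && Validate::isUnsignedId((int) $custom['id_cart']))` and skipping the write otherwise, so the error table is not filled with rows for non-existent carts by unauthenticated callers.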

See also

You can also install an ad hoc module that checks for the vulnerability and patches it if necessary, by following this knowledge base.

Other recommendations

  • It is recommended to upgrade the module beyond 3.16.3.
  • Upgrade PrestaShop to the latest version to disable multi-query execution (statements separated by “;”); be warned that this WILL NOT protect your shop against SQL injection that uses the UNION clause to steal data.
  • Change the default database prefix ps_ to a new, longer, arbitrary prefix. Be warned that this is useless against attackers with senior DBA skills, since table names can be enumerated from the DBMS itself (for example through information_schema).
  • Activate the OWASP CRS 942 rules (SQL injection) on your WAF (web application firewall); be warned that they will probably break your back office and you will need to pre-configure some exclusions for this rule set.

Timeline

Date        Action
2023-03-28  TouchWeb.fr discovers the vulnerability during an audit
2023-03-28  The author verifies the scope of affected versions
2023-03-28  Request a CVE ID
2023-03-28  Inform PayPal and PrestaShop
2023-03-31  Publish this security advisory