In the module “BDroppy- The best brands for your dropshipping business” (bdroppy) for PrestaShop, an attacker can perform a blind SQL injection before 2.2.27. Release 2.2.28 fixed this security issue.

Summary

  • CVE ID: CVE-2023-26865
  • Published at: 2023-04-20
  • Advisory source: Friends-Of-Presta.org
  • Platform: PrestaShop
  • Product: bdroppy
  • Impacted release: < 2.2.28 (2.2.28 fix the security issue)
  • Product author: BDroppy
  • Weakness: CWE-89
  • Severity: critical (9.8)

Description

Befor release 2.2.28, a sensitive SQL calls in class BdroppyCronModuleFrontController::importProducts() can be executed with a trivial http call and exploited to forge a blind SQL injection through the POST or GET submitted “reference” variable.

CVSS base metrics

  • Attack vector: network
  • Attack complexity: low
  • Privilege required: none
  • User interaction: none
  • Scope: unchanged
  • Confidentiality: high
  • Integrity: high
  • Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

  • Technical and personal data leaks
  • Obtain admin access
  • Remove all data of the linked PrestaShop
  • Display sensitives tables to front-office to unlock potential admin’s ajax scripts of modules protected by token on the ecosystem

Proof of concept

curl -v 'https://domain.tld/module/bdroppy/cron?reference=a%27%29%3BSELECT%20SLEEP%2825%29%3B--'

Patch

--- a/bdroppy/controllers/front/cron.php
+++ b/bdroppy/controllers/front/cron.php
@@ -181,7 +181,7 @@ class BdroppyCronModuleFrontController e
                     $query = new DbQuery();
                     $query->select('*')
                         ->from('bdroppy_remoteproduct')
-                        ->where("reference = '" . Tools::getValue('reference') . "'");
+                        ->where("reference = '" . pSQL(Tools::getValue('reference')) . "'");
                     $items = $db->executeS($query);
                 }
                 foreach ($items as $item) {

See also the patch on github

Other recommendations

  • It’s recommended to upgrade the module beyond 2.13.28.
  • Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality WILL NOT protect your SHOP against injection SQL which uses the UNION clause to steal data.
  • Change the default database prefix ps_ by a new longer arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skill because of a design vulnerability in DBMS
  • Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

Timeline

Date Action
2023-02-10 Vulnerability discovered during a code reviews by 202 ecommerce
2023-02-12 Contact the author
2023-02-12 Request a CVE ID from Mitre.org
2023-02-17 Re-try to contact the author
2023-03-16 Recieved the CVE ID
2023-03-20 Re-try to contact the author via social network and propose 30, 60 or 90 days of delay before discolse the vulnerability
2023-03-21 The author confirm the vulnerability and push a fix
2023-04-20 Publish this advisory and the CVE