[CVE-2023-47309] Improper Neutralization of Input During Web Page Generation in Nukium - NKM GLS module for PrestaShop

In the module “NKM GLS” (nkmgls) up to version 3.0.1 from Nukium for PrestaShop, a guest (authenticated customer) can perform XSS injection of type 2 (stored XSS) from FRONT to BACK (F2B) of Category 2 within the funnel order in affected versions.

Note : To succeed in this exploit, the red team needs to pay to convert a cart into a valid order with GLS carrier and require the administrator of the PS to check a specific screen within its backoffice.

Summary

• CVE ID: CVE-2023-47309
• Published at: 2023-11-14
• Platform: PrestaShop
• Product: nkmgls
• Impacted release: <= 3.0.1 (3.0.2 fixed the vulnerability)
• Product author: Nukium
• Weakness: CWE-79
• Severity: critical (9.0)

Description

As all XSS type 2 (Stored XSS) F2B (Front to Back), there are two steps and a prerequisite.

Prerequisite :

• The field phone_mobile within table gls_cart_carrier suffers from a type varchar(255) which is large enough to allow dangerous XSS payloads.

Steps :

• The method NkmGlsCheckoutModuleFrontController::displayAjaxSavePhoneMobile does not properly clean the parameter gls_customer_mobile. pSQL is useless against XSS which exploits HTML tag attributes (Category 2 according to OWASP - pSQL only neutralized Category 1 thanks to its strip_tags).
• The output in the backoffice is not escaped in the related smarty template that uses it.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: low
• User interaction: required
• Scope: changed
• Confidentiality: high
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Possible malicious usage

• Unlock design critical vulnerabilities, see this.

Patch from 3.0.2

--- a/controllers/front/checkout.php
+++ b/controllers/front/checkout.php
@@ -47,2 +47,7 @@ class NkmGlsCheckoutModuleFrontController extends ModuleFrontController
         $phone_mobile = Tools::getValue('gls_customer_mobile');
+        if (!Validate::isPhoneNumber($phone_mobile)) {
+            $return['message'] = 'Please fill-in a valid mobile number (e.g. +XXXXXXXXXXX or 0XXXXXXXXX).';
+            header('Content-Type: application/json');
+            $this->ajaxDie(json_encode($return));
+        }
         $id_carrier = Tools::getValue('id_carrier');

--- a/views/templates/admin/gls_label/label_list.tpl
+++ b/views/templates/admin/gls_label/label_list.tpl
@@ -209,3 +209,3 @@
                                                     <div>
-                                                        <input class="form-control" type="tel" name="mobile" value="{if !empty($tr.customer_phone_mobile)}{$tr.customer_phone_mobile}{else}{$tr.customer_phone}{/if}" required="required" />
+                                                        <input class="form-control" type="tel" name="mobile" value="{if !empty($tr.customer_phone_mobile)}{$tr.customer_phone_mobile|escape:'html':'UTF-8'}{else}{$tr.customer_phone|escape:'html':'UTF-8'}{/if}" required="required" />
                                                     </div>

Other recommendations

• It’s recommended to upgrade to the latest version of the module nkmgls.
• Systematically escape characters ‘ “ < and > by replacing them with HTML entities and applying strip_tags - Smarty and Twig provide auto-escape filters :
  • Smarty: {$value.comment|escape:'html':'UTF-8'}
  • Twig:{{value.comment|e}}
• Limit to the strict minimum the length’s value in database - a database field that allow 10 characters (varchar(10)) is far less dangerous than a field that allows 40+ characters (use cases that can exploit fragmented XSS payloads are very rare)
• Configure CSP headers (content security policies) by listing external domains allowed to load assets (such as js files) or being called in XHR transactions (Ajax).
• If applicable: check against all your frontoffice’s uploaders, uploading files that will be served by your server that mime type application/javascript (like every .js natively) must be strictly forbidden as it must be considered as dangerous as PHP files.
• Activate OWASP 941’s rules on your WAF (Web application firewall) - be warned that you will probably break your frontoffice/backoffice and you will need to preconfigure some bypasses against this set of rules.

Timeline

Date	Action
2023-02-24	Issue discovered during a code review by TouchWeb.fr
2023-02-24	Contact the author who will provide a patch within 4 hours
2023-02-24	V3.0.2 available on https://store.nukium.com/ and https://addons.prestashop.com/
2023-03-10	Recontact author about the publication of the vulnerability
2023-03-12	Author completes the diff of this present CVE and asks for a delay to publish
2023-05-05	Recontact author about the publication of the vulnerability
2023-05-17	Author ask for another delay before publication
2023-07-15	Recontact author about the publication of the vulnerability
2023-09-17	Recontact author about the publication of the vulnerability
2023-09-30	Recontact author about the publication of the vulnerability
2023-10-30	Inform the author about the publication of the vulnerability
2023-10-30	Request a CVE ID
2023-11-08	Received CVE ID
2023-11-14	Publish this security advisory

Links

• Author product page
• PrestaShop addons product page
• National Vulnerability Database