Blind SQL Injection vulnerability in PrestaShow Google Integrator (pshowconversion) allows for data extraction and modification. This attack is possible via command insertion in one of the cookies.

Summary

  • CVE ID: CVE-2023-6921
  • Published at: 2024-01-09
  • Advisory source: Piotr Zdunek
  • Platform: PrestaShop
  • Product: pshowconversion
  • Impacted release: <2.1.4
  • Product author: Presta Show
  • Weakness: CWE-89
  • Severity: critical (9.8)

CVSS base metrics

  • Attack vector: network
  • Attack complexity: low
  • Privilege required: none
  • User interaction: none
  • Scope: unchanged
  • Confidentiality: high
  • Integrity: high
  • Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The module versions below v2.1.4 released before 2023-03-09 are susceptible to the problem described in the report. All subsequent versions of the Google Integrator module have been properly secured - they are secure and have no vulnerabilities.

See also author notice

Possible malicious usage

  • Obtain admin access
  • Remove data from the associated PrestaShop
  • Copy/paste data from sensitive tables to FRONT to expose tokens and unlock admins’s ajax scripts
  • Rewrite SMTP settings to hijack emails

Other recommendations

  • It’s recommended to upgrade to the latest version of the module pshowconversion.
  • Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”) - be warned that this functionality WILL NOT protect your SHOP against injection SQL which uses the UNION clause to steal data.
  • Change the default database prefix ps_ with a new longer, arbitrary prefix. Nevertheless, be warned that this is useless against blackhats with DBA senior skill because of a design vulnerability in DBMS
  • Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

Date Action
2024-01-09 Publish this security advisory