URL: https://friends-of-presta.github.io/security-advisories/modules/2023/06/15/ailinear.html
Friends-Of-Presta Security Advisories


[CVE-2023-31672] IMPROPER NEUTRALIZATION OF AN SQL PARAMETER IN AILINEAR MODULE FOR PRESTASHOP

Jun 15, 2023 • #modules • critical (9.8) • 202-ecommerce.com, TouchWeb.fr, Friends-Of-Presta.org

In the module “Length, weight or volume sell” (ailinear) for PrestaShop, an
attacker can perform SQL injection in releases before 2.4.3. Release 2.4.3 fixed
this security issue.


SUMMARY

 * CVE ID: CVE-2023-31672
 * Published at: 2023-06-15
 * Advisory source: Friends-Of-Presta.org
 * Platform: PrestaShop
 * Product: ailinear
 * Impacted release: < 2.4.3 (2.4.3 fixed the vulnerability)
 * Product author: ai-dev
 * Weakness: CWE-89
 * Severity: critical (9.8)


DESCRIPTION

In releases before 2.4.3, a sensitive SQL call in the file includes/ajax.php can
be executed with a trivial HTTP call and exploited to forge a blind SQL injection
through the POST- or GET-submitted “others” and “more” variables, which are
concatenated into the query without being cast or escaped.
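As an added example (not code from the ailinear module or from the advisory), this PHP script shows the hardening the description calls for: the underscore-separated “more” attribute list is reduced to positive integers before it is interpolated into the IN clause, and an empty result is refused instead of producing an invalid query. Function names and sample values are this example's own; it assumes PHP 7.1+.

```php
<?php
// Added example, not code from the ailinear module: harden the "more" request
// parameter (underscore-separated attribute ids) before it is concatenated
// into SQL. The "others" parameter only needs a plain (int) cast, as in the
// fix. Function names and sample values are this example's own; PHP 7.1+.

/**
 * Turn "12_7_x_0" into [12, 7]: cast every piece to int, drop anything that
 * was not a positive integer, and re-index so implode()/count() see no gaps.
 */
function sanitizeAttributeIds(string $more): array
{
    if ($more === '') {
        return [];
    }
    $ids = array_map('intval', explode('_', $more));
    return array_values(array_filter($ids, function ($id) {
        return $id > 0;
    }));
}

/**
 * Build the combination lookup from already-sanitized ints. Returns null when
 * the list is empty: "id_attribute IN ()" is a MySQL syntax error, so the
 * caller must take its no-attribute branch instead of running this query.
 */
function buildCombinationQuery(string $prefix, int $idProduct, array $attributeIds)
{
    if (count($attributeIds) === 0) {
        return null;
    }
    return 'SELECT COUNT(id_product_attribute) AS number, id_product_attribute'
        . ' FROM ' . $prefix . 'product_attribute_combination'
        . ' WHERE id_product_attribute IN (SELECT id_product_attribute FROM '
        . $prefix . 'product_attribute WHERE id_product = ' . $idProduct . ')'
        . ' AND id_attribute IN (' . implode(', ', $attributeIds) . ')'
        . ' GROUP BY id_product_attribute HAVING number = ' . count($attributeIds)
        . ' ORDER BY id_product_attribute ASC';
}

// Constructed sample value standing in for the "more" request parameter.
$more = '12_7_notanumber_0';
$ids  = sanitizeAttributeIds($more);               // [12, 7]
$sql  = buildCombinationQuery('ps_', 42, $ids);    // ... id_attribute IN (12, 7) ...
echo $sql === null ? "no attributes: use the default combination\n" : $sql . "\n";
// Edge case: every piece filtered out, so no query is built at all.
var_dump(buildCombinationQuery('ps_', 42, sanitizeAttributeIds('abc_0'))); // NULL
```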


CVSS BASE METRICS

 * Attack vector: network
 * Attack complexity: low
 * Privilege required: low
 * User interaction: none
 * Scope: unchanged
 * Confidentiality: high
 * Integrity: high
 * Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


POSSIBLE MALICIOUS USAGE

 * Obtain admin access
 * Remove data on the associated PrestaShop
 * Copy/paste data from sensitive tables to the FRONT to expose tokens and
   unlock admins’ ajax scripts
 * Rewrite SMTP settings to hijack emails


PATCH

--- a/ailinear/includes/ajax.php
+++ b/ailinear/includes/ajax.php
@@ -346,17 +346,23 @@ if (Tools::getIsset('action')) {
     $request_value = Tools::getIsset('value') ? Tools::getValue('value') : 0;
     $request_product = (int)Tools::getValue('product');
     $request_more = Tools::getValue('more');
-    $request_others = Tools::getValue('others');
+    $request_others = (int)Tools::getValue('others');
     $request_quantity = (int)Tools::getValue('qty');
 
     /* Test if base combination exists */
     if ($request_more != '') {
-        $more = explode('_', $request_more);
+        $more_attributes = explode('_', $request_more);
+        $more_attributes = array_map('intval', $more_attributes);
+        foreach ($more_attributes as $key => $attr) {
+            if (!$attr) {
+                unset($more_attributes[$key]);
+            }
+        }
         
         /* Get the id_product_attribute (the first is the default one)*/
         $result = DB::getInstance()->ExecuteS(
             'SELECT COUNT(id_product_attribute) as number, id_product_attribute FROM '._DB_PREFIX_.'product_attribute_combination WHERE id_product_attribute IN (SELECT id_product_attribute FROM '._DB_PREFIX_.'product_attribute WHERE '.
-            'id_product = '.$request_product.') AND id_attribute IN ('.implode(', ', $more).') GROUP BY id_product_attribute HAVING number = '.count($more).' ORDER BY id_product_attribute ASC'
+            'id_product = '.$request_product.') AND id_attribute IN ('.implode(', ', $more_attributes).') GROUP BY id_product_attribute HAVING number = '.count($more_attributes).' ORDER BY id_product_attribute ASC'
         );
         
         /* Get the attributes values and lang for the product */
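Review bot: after the `unset()` loop, `$more_attributes` can end up empty (for example `more=0_0` or a non-numeric value), and then `implode(', ', $more_attributes)` yields `id_attribute IN ()`, a MySQL syntax error, while `HAVING number = 0` could never match anyway; guard with `if (!count($more_attributes))` and either fall through to the no-attribute branch or take the existing `die('Unknown')` error path. The filter loop could also be written as `array_values(array_filter($more_attributes))`, which re-indexes the keys as well. `$request_value` is still read without a cast; its use lies outside this hunk, so confirm it never reaches a query unescaped.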
@@ -364,6 +370,8 @@ if (Tools::getIsset('action')) {
             die('Unknown');
         }
     } else {
+        $more_attributes = array();
+        
         /* Get the id_product_attribute (the first is the default one)*/
         $result = DB::getInstance()->ExecuteS('SELECT COUNT(id_product_attribute) as number, id_product_attribute FROM '._DB_PREFIX_.'product_attribute WHERE id_product = '.$request_product.' ORDER BY id_product_attribute ASC');
     }
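Review bot: the `$more_attributes = array();` initialization is needed here because the later "Get attributes" block that used to set it is being removed, but the added blank line `+        ` carries trailing whitespace (as do the two blank context lines in the first hunk); trim it so the patch applies cleanly with whitespace-strict tooling.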
@@ -373,13 +381,6 @@ if (Tools::getIsset('action')) {
         $return = 'Message->'.$module->l('Message for delayed preparation', 'ajax').'|';
     }
 
-    /* Get attributes */
-    if ($request_more != '') {
-        $more_attributes = explode('_', $request_more);
-    } else {
-        $more_attributes = array();
-    }
-
     /* Get price changes */
     $more_attributes_price = 0;
     if (count($more_attributes)) {
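Review bot: removing this second `explode('_', $request_more)` is the important part of the fix, since it would otherwise overwrite the sanitized `$more_attributes` with the raw request pieces just before `/* Get price changes */` consumes them; a one-line comment at the earlier sanitization site stating that `$more_attributes` is now the single source for the attribute ids would help the next maintainer avoid reintroducing it.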



OTHER RECOMMENDATIONS

 * Upgrade PrestaShop to the latest version to disable multi-query execution
   (queries separated by “;”)
 * Change the default database prefix ps_ to a new, longer arbitrary prefix.
   Nevertheless, be warned that this is useless against blackhats with senior
   DBA skills because of a design weakness in the DBMS
 * Activate the OWASP 942 rules on your WAF (Web application firewall); be
   warned that you will probably break your backoffice and will need to
   pre-configure some bypasses for this set of rules.


TIMELINE

Date        Action
2023-03-08  Vulnerability found during an audit by 202 ecommerce
2023-03-08  Contact the author
2023-03-08  The author confirms the issue and supplies a fixed release
2023-04-23  Request a CVE ID
2023-06-15  Publication of this advisory


LINKS

 * Author product page
 * National Vulnerability Database


Friends Of Presta is a non-profit organization that supports the open-source
ecommerce platform PrestaShop.