CVE-2022-44727 - SQL Injection in PrestaShop “EU Cookie Law GDPR” Module (Banner + Blocker) via Cookie – Explained

If you run an e-commerce site with PrestaShop, you probably care about GDPR compliance and use a cookie consent banner. Many turn to the “EU Cookie Law GDPR (Banner + Blocker)” module for this. But did you know that in versions before 2.1.3, this popular module had a critical security flaw—CVE-2022-44727?

Let’s break down what went wrong, why it’s dangerous, how attackers can exploit it, and how you can protect your site. We’ll look at code examples and offer practical mitigation tips.

What Happened?

The vulnerability existed in how the module handled user-supplied data, specifically cookie values called lgcookieslaw or __lglaw. These cookies are set on most PrestaShop sites that use this addon to track if users consented to cookies.

The module did not properly sanitize or validate the cookie’s contents before using it in an SQL query. This opened the door to SQL Injection (SQLi)—a way for attackers to inject malicious SQL code into database queries.

Reference & Report

- NVD CVE-2022-44727 entry
- Presta Module: EU Cookie Law GDPR + Blocker
- GitHub Advisory

A simplified version of the vulnerable code might look like this

// Simplified, for illustration only!
$cookieValue = $_COOKIE['lgcookieslaw']; // or __lglaw

// Used directly in an SQL query without sanitization!
$sql = "SELECT * FROM ps_eucookieslaw WHERE cookie_value = '$cookieValue'";
$result = $db->query($sql);

No sanitation (mysqli_real_escape_string or parameterization) is performed.

- If an attacker sets a specially crafted cookie value, their injected code becomes part of the database query!

Browser sends the cookie with every request.

Automated exploitation

- Attackers could exfiltrate (steal) personal customer data, admin logins, or even write data, depending on context.

Proof-of-Concept (PoC) with cURL

curl -b "lgcookieslaw=' OR 1=1; --" https://victim-shop.com/

Or using a browser’s developer tools, edit the cookies and reload the page.

Let’s go further—what if an attacker wanted to list usernames? They might try

' UNION SELECT 1,group_concat(email),3 FROM ps_employee; --

And see the result show all admin emails in one field (not always trivial, depends on how results are printed).

Upgrade immediately: The fix was published in version 2.1.3.

Update here

Technical Fix (Developer's View)

Bad:

$sql = "SELECT ... WHERE cookie_value = '$cookieValue'";

Good:

$stmt = $pdo->prepare("SELECT ... WHERE cookie_value = ?");
$stmt->execute([$cookieValue]);

Or, if using MySQLi

$stmt = $mysqli->prepare("SELECT ... WHERE cookie_value = ?");
$stmt->bind_param('s', $cookieValue);
$stmt->execute();

Summary

CVE-2022-44727 is a dangerous and trivial-to-exploit vulnerability in a widely used PrestaShop GDPR compliance module. By failing to sanitize cookie values, an attacker could extract or mess with your entire database—just by setting a cookie!

If you run EU Cookie Law GDPR (Banner + Blocker) on PrestaShop, update to version 2.1.3 or later right now.

References

- CVE-2022-44727 (NIST)
- GitHub Advisory GHSA-xq8j-5xmp-44mh
- PrestaShop “EU Cookie Law GDPR” module
- OWASP: SQL Injection

Stay secure, keep your modules up to date, and remember—never trust user-supplied data, no matter where it comes from, even cookies!

Timeline

Published on: 11/10/2022 17:15:00 UTC
Last modified on: 11/15/2022 19:13:00 UTC