PrestaShop, a widely used open-source e-commerce web application, is affected by a major security vulnerability in versions prior to 8..4 and 1.7.8.9. This vulnerability, assigned the identifier CVE-2023-30839, allows attackers to execute SQL injection attacks, bypassing certain access controls and potentially compromising sensitive data. A patch is now available, so users are urged to update their PrestaShop installations immediately to avoid any security breaches. In this long read, we'll discuss the details of CVE-2023-30839, including the affected versions, exploit details, and relevant code snippets. We'll also provide links to the original references, so you can explore further.

Affected Versions

The vulnerable PrestaShop versions mentioned above include all those prior to 8..4 and 1.7.8.9. If you're running an older version, it's crucial to update your installation to ensure you're protected against this vulnerability.

Vulnerability Details

CVE-2023-30839 pertains to an SQL injection vulnerability in PrestaShop, which enables a malicious Back Office (BO) user to perform various actions on the database without having the necessary permissions. This means they could write, update, or delete data in the database—activities that should be restricted to users with specific rights. There are currently no known workarounds for this vulnerability other than applying the available patch.

Code Snippet

A simplified example of the vulnerable code section that leads to the SQL injection vulnerability in PrestaShop's core framework can be seen below:

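// Vulnerable code example (simplified version)
public function someFunction($input) {
  // $input is concatenated into the SQL string unmodified: this is the injection point
  $sql = "SELECT * FROM tbl WHERE id = " . $input;
  // $this->db stands for the class's database handle
  $results = $this->db->query($sql);
  return $results;
}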

In this code snippet, user input is concatenated directly into an SQL query string without any validation or filtering. This gives an attacker a way to inject their own SQL commands.

Exploit Details

Attackers exploiting this vulnerability might use a technique called SQL injection. This involves injecting a carefully crafted SQL query into a user input field. In the context of CVE-2023-30839, the attacker's goal is to alter the SQL query to perform unauthorized actions on the database.

An attacker might craft an input similar to the example below:

$input = "1; DROP TABLE tbl;";

When this payload is supplied, an unsuspecting PrestaShop application would execute the following SQL query:

SELECT * FROM tbl WHERE id = 1; DROP TABLE tbl;

As a result, the attacker could delete a table without needing the proper permissions.
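For contrast, here is a hardened counterpart of the simplified snippet above, run against the same input string. This is an added example, not PrestaShop's code and not the actual patch; it assumes PHP with PDO and an in-memory SQLite database, and the name someFunctionHardened and the sample rows are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed fixture: in-memory SQLite table named after the page's placeholder "tbl".
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO tbl (id, name) VALUES (1, 'first'), (2, 'second')");

// Hypothetical hardened counterpart of someFunction().
// $strict = true adds allow-list validation on top of parameter binding.
function someFunctionHardened(PDO $db, string $input, bool $strict = true): array
{
    $value = $input;
    $type = PDO::PARAM_STR;
    if ($strict) {
        // Layer 1: an id must be a positive integer and nothing else.
        $value = filter_var($input, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($value === false) {
            throw new InvalidArgumentException('id must be a positive integer');
        }
        $type = PDO::PARAM_INT;
    }
    // Layer 2: the SQL text is fixed; the value travels separately as a bound parameter.
    $stmt = $db->prepare('SELECT * FROM tbl WHERE id = :id');
    $stmt->bindValue(':id', $value, $type);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$payload = '1; DROP TABLE tbl;'; // the input string shown on the page

echo count(someFunctionHardened($db, '1')), " row(s) for a valid id\n";

// Binding alone: the whole string is compared as one value, so nothing matches.
echo count(someFunctionHardened($db, $payload, false)), " row(s) for the bound payload\n";

// Binding plus validation: the request is refused before any SQL runs.
try {
    someFunctionHardened($db, $payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// The table and both rows are still there.
echo (int) $db->query('SELECT COUNT(*) FROM tbl')->fetchColumn(), " row(s) remain in tbl\n";
```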

References and Patch Information

To patch this vulnerability, update your PrestaShop installation to secure versions 8..4 or 1.7.8.9, depending on your version branch. You can find the available patches for your respective version in the following download links:

- PrestaShop 8..4: https://www.prestashop.com/download
- PrestaShop 1.7.8.9: https://www.prestashop.com/prestashop/cloud

More information about CVE-2023-30839 can be found in the official Security Advisory issued by PrestaShop:

- PrestaShop Security Advisory: https://www.prestashop.com/en/blog/security-update-release-prestashop-1-7-8-9

In conclusion, CVE-2023-30839 is a critical SQL injection vulnerability that exposes PrestaShop installations to potential data breaches and unauthorized, malicious activities. Users are advised to update their PrestaShop installations to the latest, patched versions to prevent security risks.

Timeline

Published on: 04/25/2023 19:15:00 UTC
Last modified on: 05/04/2023 17:32:00 UTC