Hey everyone! Today we're going to focus on an important security issue, CVE-2024-25843, which has been identified in the "Import/Update Bulk Product from any Csv/Excel File Pro" (ba_importer) PrestaShop Module from Buy Addons. I'll be covering the details of the vulnerability, as well as discussing possible exploitation methods and recommended mitigations. Let's get started!

Introduction

PrestaShop is an open-source eCommerce platform that's widely used by online businesses around the world. The PrestaShop add-on store offers countless modules that extend functionalities and features, streamlining user experiences. Unfortunately, the "Import/Update Bulk Product from any Csv/Excel File Pro" (ba_importer) module, designed to import and update product data in bulk from CSV and Excel files, contains a critical security vulnerability (CVE-2024-25843) that enables SQL Injection attacks. This vulnerability exists in versions up to and including 1.1.28.

Vulnerability Details

SQL Injection is a code injection technique in which an attacker inserts malicious SQL statements into an input field for execution. In the case of ba_importer, attackers can exploit this vulnerability by abusing the lack of proper input validation, allowing them to execute arbitrary SQL statements on the website's database and potentially gain unauthorized access to sensitive data.

The vulnerability is particularly dangerous because it can be exploited by a guest (unauthenticated user), posing a massive security risk to the affected PrestaShop websites.

Here's a code snippet that shows the vulnerable portion of the code:

// ba_importer.php (vulnerable file)
public function showProducts() {
    ...
    // $orderBy, $sortOrder, $start and $count come from the request and are
    // interpolated into the query string without validation or sanitization.
    $sql = "
        SELECT p.id_product, pl.name, p.reference, ean13, isbn, upc, price
        FROM "._DB_PREFIX_."product p
        JOIN "._DB_PREFIX_."product_lang pl ON (p.id_product = pl.id_product AND pl.id_lang = '".$this->context->language->id."')
        {$sql_where['sqlbase']}
        GROUP BY p.id_product
        ORDER BY {$orderBy} {$sortOrder}   // unvalidated column name and direction
        LIMIT {$start}, {$count}           // unvalidated offset and row count
    ";
    ...
}

In this snippet, the variables $orderBy, $sortOrder, $start, and $count are inserted directly into the SQL query without any validation or sanitization, which is what makes the SQL Injection attack possible.

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted HTTP GET request that includes malicious SQL code, like this:

GET /modules/ba_importer/ajax.php?
token=YOUR_MODULE_TOKEN&
action=showProducts&
sortOrder=ASC;[MALICIOUS_SQL_PAYLOAD];--

This request could allow the attacker to execute arbitrary SQL statements on the victim's database, such as accessing sensitive data, modifying data, or even taking control over the entire database.

Mitigation

To mitigate the risks associated with this vulnerability, it is recommended that users of the "Import/Update Bulk Product from any Csv/Excel File Pro" (ba_importer) PrestaShop module:

1. Update the module to the latest version (v1.1.29 or higher): download the latest version from the PrestaShop Addons Marketplace.

2. If updating is not possible, rigorously validate and sanitize the inputs used in the affected code shown above. Use prepared statements to avoid SQL Injection, and ensure that unauthorized users cannot access the module's functionality.
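As an added example (not the module's or the vendor's code), here is how the query construction from the snippet above could be hardened, covering both the vulnerable interpolation and mitigation step 2: an ORDER BY column name and direction cannot be bound as prepared-statement parameters, so they are checked against an allowlist, and the LIMIT values are cast to integers. It assumes a stand-alone _DB_PREFIX_ and an id_lang value, omits the $sql_where clause, and the function name buildShowProductsQuery and the allowlist keys are hypothetical.

```php
<?php
// Added example, not the ba_importer module's own code.
if (!defined('_DB_PREFIX_')) {
    define('_DB_PREFIX_', 'ps_'); // assumption for stand-alone use
}

// Allowed ORDER BY targets (request value => SQL expression). The client can
// only pick a key; the SQL on the right never comes from the request.
const ALLOWED_ORDER_BY = [
    'id_product' => 'p.id_product',
    'name'       => 'pl.name',
    'reference'  => 'p.reference',
    'price'      => 'p.price',
];

/**
 * Build the product listing query from untrusted request values.
 * Returns null when orderBy or sortOrder is not on the allowlist so the
 * caller rejects the request instead of running it.
 */
function buildShowProductsQuery(array $request, int $idLang): ?string
{
    $orderKey  = $request['orderBy'] ?? 'id_product';
    $sortOrder = strtoupper($request['sortOrder'] ?? 'ASC');

    if (!array_key_exists($orderKey, ALLOWED_ORDER_BY)) {
        return null; // unknown column: refuse rather than interpolate
    }
    if ($sortOrder !== 'ASC' && $sortOrder !== 'DESC') {
        return null; // anything other than the two keywords is rejected
    }

    // LIMIT takes integers only; the cast discards any appended text.
    $start = max(0, (int) ($request['start'] ?? 0));
    $count = min(1000, max(1, (int) ($request['count'] ?? 50)));

    return 'SELECT p.id_product, pl.name, p.reference, ean13, isbn, upc, price'
        . ' FROM ' . _DB_PREFIX_ . 'product p'
        . ' JOIN ' . _DB_PREFIX_ . 'product_lang pl'
        . ' ON (p.id_product = pl.id_product AND pl.id_lang = ' . $idLang . ')'
        . ' GROUP BY p.id_product'
        . ' ORDER BY ' . ALLOWED_ORDER_BY[$orderKey] . ' ' . $sortOrder
        . ' LIMIT ' . $start . ', ' . $count;
}

// Constructed sample inputs: a legitimate request, then one carrying extra
// SQL in sortOrder (the request shape from the Exploitation section).
var_dump(buildShowProductsQuery(['orderBy' => 'name', 'sortOrder' => 'desc', 'start' => '20', 'count' => '10'], 1));
var_dump(buildShowProductsQuery(['orderBy' => 'name', 'sortOrder' => 'ASC;--'], 1)); // NULL: rejected
```

Running it prints the safe query for the first request and NULL for the second, which an ajax handler would turn into an error response rather than a database call.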

Do not delay in taking the necessary steps to protect your website! Stay safe, and stay secure.

Original References

- PrestaShop Addon Security Advisory
- CVE-2024-25843 - NVD - US National Vulnerability Database
- Buy Addons - Import/Update Bulk Product from any Csv/Excel File Pro (ba_importer)

Timeline

Published on: 02/27/2024 17:15:12 UTC
Last modified on: 02/28/2024 14:06:45 UTC