Skip to main content

SQLi in SimpleImportProduct Prestashop Module CVE-2023-39675

This blog post details an SQL Injection we found within SimpleImportProduct, a Prestashop module developed by MyPrestaModules. In modules/simpleimportproduct/send.php there is the following code:

  if ( Tools::getValue('remove') == true){  
    $key = Tools::getValue('key');  
    $key = pSQL($key);  
    Db::getInstance()->delete('simpleimport_tasks', "import_settings=$key");

This is vulnerable to SQL injection which allows an attacker to extract data from the database.
The key parameter does get sanitized by pSQL() but when it’s put in the query it’s not surrounded by quotes so an attacker can still manipulate the query. This is a similar situation to an SQLi I found in a different Prestashop module.

Adding quotes around the key would be sufficient to patch this SQLi:

Db::getInstance()->delete('simpleimport_tasks', "import_settings='$key'");

Proof of Concept

To test this we used SQLmap on a local Prestashop install. Care should be taken when testing for this as it is within a DELETE SQL query and can result in records getting deleted. SQLMap command:

sqlmap -u "http://localhost:8080/modules/simpleimportproduct/send.php?ajax=true&remove=true&key=1*" --threads=10 --random-agent --dbms=mysql --level=5 --risk=3 --tables  

It’s a “blind” SQLi as it doesnt affect the contents of the page so information is extracted using SLEEP() to change the time it takes to respond.


Date Action
10/07/2023 Issue discovered during a pentest
12/07/2023 Reported issue to MyPrestaModules
29/07/2023 Requested CVE from MITRE
??/08/2023 Patch released
28/08/2023 Number CVE-2023-39675 assigned
07/09/2023 Blog post released