Prestashop - SQL injection in Presta2PhpList module



2011-10-19

Risk: High
Impact: SQL injection
Affected Software: Presta2PhpList
Locally exploitable: Yes
Remotely exploitable: Yes

Technical description

Dotsafe has found a vulnerability in the Presta2PhpList module which could be used by malicious people to retrieve and modify database content.

The parameter "list" is not properly escaped before being inserted into an SQL query.

The vulnerability is confirmed in version 1.5. Prior versions may also be affected.

Details

./presta2phplist.php:1043
	function hookRightColumn($params)
	{
		return $this->hookLeftColumn($params);
	}

./presta2phplist.php:1048
	function hookLeftColumn($params)
	{
		[...]

		if (Tools::isSubmit('submitNewsletter'))
		{
			$this->newsletterRegistration();

./presta2phplist.php:949
	private function newsletterRegistration()
	{
		if (!Validate::isEmail(pSQL($_POST['email'])))
			return $this->error = $this->l('Invalid e-mail address');
		/* Unsubscription */
		elseif ($_POST['action'] == '1')
		{
			[...]
		}
		/* Subscription */
		elseif ($_POST['action'] == '0')
		{
			[...]
			/* $_POST['list'] is concatenated into the statement text without escaping or casting */
			Db::getInstance()->Execute('INSERT INTO phplist_listuser VALUES ("'.$userId.'","'.$_POST['list'].'",now(),now())');
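The following is an added example, not code from the Presta2PhpList module or from the advisory. It isolates the construction reported at presta2phplist.php:949 and puts a hardened version beside it: the list id is validated as a plain positive integer and then passed as a bound parameter, so no user-controlled characters ever become part of the SQL text. The table name phplist_listuser comes from the advisory; the column names, the in-memory SQLite backend and datetime('now') (standing in for MySQL's now()) are assumptions made so the script runs offline.

```php
<?php
// Added example, not the module's code. Assumptions: SQLite via PDO, column
// names userid/listid/entered/modified, datetime('now') instead of MySQL now().

// Vulnerable pattern from the advisory: the POST value is glued into the SQL text.
function buildVulnerableInsert(int $userId, string $rawList): string
{
    return 'INSERT INTO phplist_listuser VALUES ("' . $userId . '","' . $rawList . '",now(),now())';
}

// Hardened version: strict validation of the list id plus a bound parameter.
function subscribeToList(PDO $db, int $userId, $rawList): bool
{
    // Accept only a plain positive integer and reject everything else rather
    // than coerce it ("12abc" fails here, whereas intval("12abc") would give 12).
    if (!is_string($rawList) || !preg_match('/^[1-9][0-9]*$/', $rawList)) {
        return false;
    }
    $stmt = $db->prepare(
        "INSERT INTO phplist_listuser (userid, listid, entered, modified) "
        . "VALUES (:uid, :lid, datetime('now'), datetime('now'))"
    );
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':lid', (int) $rawList, PDO::PARAM_INT);
    return $stmt->execute();
}

// Helper to verify what actually landed in the table.
function countSubscriptions(PDO $db, int $listId): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM phplist_listuser WHERE listid = :lid');
    $stmt->bindValue(':lid', $listId, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE phplist_listuser (userid INTEGER, listid INTEGER, entered TEXT, modified TEXT)');

// Constructed stand-ins for $_POST['list']: a valid id, an id with a stray
// double quote (the character that terminates the string literal), and an id
// with trailing junk.
$samples = ['3', '3"', '12abc'];

foreach ($samples as $raw) {
    echo 'raw input: ' . var_export($raw, true) . "\n";
    // The vulnerable builder copies the quote into the statement verbatim.
    echo '  concatenated SQL: ' . buildVulnerableInsert(42, $raw) . "\n";
    $ok = subscribeToList($db, 42, $raw);
    echo '  hardened insert: ' . ($ok ? 'accepted' : 'rejected') . "\n";
}

echo 'rows for list 3: ' . countSubscriptions($db, 3) . "\n";
```

Run with `php example.php` (pdo_sqlite is needed). Only the first sample is accepted by the hardened path; the printed concatenated statements show how the raw value, quote included, becomes part of the SQL text in the original construction. The regex check is deliberately stricter than intval(): a cast neutralises the injection but silently subscribes a malformed request to whatever number prefixes it, while an explicit rejection surfaces the bad input as an error.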


Solution

Edit presta2phplist.php

          if ($result) {
             $userId = mysql_result($result, 0);
             }
-		    		Db::getInstance()->Execute('INSERT INTO phplist_listuser VALUES ("'.$userId.'","'.$_POST['list'].'",now(),now())');
+		    		Db::getInstance()->Execute('INSERT INTO phplist_listuser VALUES ("'.$userId.'","'.intval($_POST['list']).'",now(),now())');
 		      	return $this->valid = $this->l('Subscription successful');
 			}
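Review bot: the `Db::getInstance()->Execute(...)` call stays outside the `if ($result) { $userId = mysql_result($result, 0); }` block, so when the lookup fails `$userId` is undefined and the INSERT still runs with an empty user id; move the Execute call inside that block or return an error when `$result` is false. `intval()` does close the injection on the `list` parameter, but it silently turns values like `"12abc"` into `12`; a strict digits-only check that rejects malformed ids would be safer and easier to audit, and `$userId` should be cast the same way for consistency. Mixing `mysql_result()` with the `Db` abstraction on adjacent lines is also worth a comment, since the two may not share a connection.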




Anteater Project

Vulnerability discovered by the AntEater project
