CVE-2023-27843
📋 TL;DR
This CVE describes a SQL injection vulnerability in the PrestaShop 'Ask for a Quote' module versions 5.4.2 and earlier. It allows remote attackers to execute arbitrary SQL commands via the QuotesProduct::deleteProduct component, potentially leading to privilege escalation. Any PrestaShop installation using the vulnerable module is affected.
💻 Affected Systems
- PrestaShop "Ask for a Quote" module (technical name: askforaquote), versions 5.4.2 and earlier
📦 What is this software?
Ask for a Quote (listed by NVD under the "Ask For A Quote Project" vendor name) is a paid PrestaShop Addons module that lets shop customers request a quote on products, exchange messages with the merchant and have the accepted quote converted to an order. The vulnerable code path is the QuotesProduct::deleteProduct() method, which removes a product from a quote.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the PrestaShop database: theft of customer data, extraction of back-office employee password hashes leading to administrative account takeover, and, if the database user holds file-writing privileges (for example MySQL FILE), a foothold on the web server itself.
Likely Case
Unauthorized data access, privilege escalation to administrative accounts, and potential data manipulation or deletion.
If Mitigated
Limited impact with proper input validation and database permissions, potentially only error messages or failed queries.
🎯 Exploit Status
Exploitation requires only reaching the module functionality that calls QuotesProduct::deleteProduct(); no exploit tooling beyond standard SQL injection techniques is needed, and those are well-documented and trivially automated (sqlmap and similar tools). Treat the issue as exploitable in practice.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.4.3 or later
Vendor Advisory: https://friends-of-presta.github.io/security-advisories/modules/2023/04/25/askforaquote.html
Restart Required: No
Instructions:
1. Update the Ask for a Quote module to version 5.4.3 or later via the PrestaShop Addons marketplace or by manual installation.
2. Verify the update was successful by checking the module version in the PrestaShop back office.
🔧 Temporary Workarounds
Disable vulnerable module
Temporarily disable the Ask for a Quote module until patching is possible.
Navigate to PrestaShop back office > Modules > Module Manager > Find 'Ask for a Quote' > Click Disable. Note that disabling removes the quote feature for customers; uninstalling is not required.
Implement WAF rules
Add SQL injection detection rules to the web application firewall.
Target requests to the module's front controllers, i.e. index.php?fc=module&module=askforaquote&controller=... or, with friendly URLs enabled, /module/askforaquote/...; the PHP method name QuotesProduct::deleteProduct never appears in the URL, so rules must key on the module name and on SQL syntax in the (URL-decoded) parameters.
🧯 If You Can't Patch
- If you maintain your own copy of the module, harden the delete-product path yourself: cast numeric identifiers with (int) and pass string values through pSQL() before they reach the PrestaShop Db layer, as the core coding conventions require
- Apply the principle of least privilege to the database user the shop runs as (no FILE, no access to other schemas, no SUPER), so a successful injection cannot be turned into server compromise
🔍 How to Verify
Check if Vulnerable:
Check the module version in the PrestaShop back office: Modules > Module Manager > Find 'Ask for a Quote' and check the version number. Any version up to and including 5.4.2 is vulnerable.
Check Version:
SELECT version FROM ps_module WHERE name = 'askforaquote';
(Replace ps_ with your table prefix if it was changed at installation. The value in ps_module is the version recorded at install or upgrade time; the authoritative value is the <version> element in modules/askforaquote/config.xml on disk.)
Verify Fix Applied:
Verify the module version is 5.4.3 or higher and, on a staging copy, confirm that the delete-product action rejects SQL injection test payloads (an injected quote or UNION clause must not change query behaviour or surface a database error).
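The version check above can be scripted so it runs consistently across many shops. The following is an added example, not code from the page or from the module: it parses the module's config.xml (the standard PrestaShop module descriptor, read from disk at modules/askforaquote/config.xml in the shop root) and compares the version against the 5.4.3 fix threshold. The sample XML embedded below is constructed for the example; its field values are illustrative.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Per the vendor advisory, 5.4.3 is the first fixed release; everything below is vulnerable.
FIXED_VERSION = "5.4.3"
MODULE_NAME = "askforaquote"

# Constructed sample of a PrestaShop module config.xml (illustrative values, not the
# real module file). The real file is modules/askforaquote/config.xml in the shop root.
SAMPLE_CONFIG_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<module>
    <name>askforaquote</name>
    <displayName><![CDATA[Ask for a quote]]></displayName>
    <version><![CDATA[5.4.2]]></version>
    <is_configurable>1</is_configurable>
</module>
"""


def parse_version(version):
    """Turn '5.4.2' (or '5.4.2-rc1') into a comparable tuple of ints.

    Missing components count as 0, so '5.4' sorts as (5, 4, 0). Tuple comparison
    avoids the classic string-compare bug where '5.4.10' < '5.4.3'.
    """
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_vulnerable(version):
    """True for every release before the fixed version."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def version_from_config_xml(xml_text):
    """Extract <version> from a module config.xml, refusing files for other modules."""
    root = ET.fromstring(xml_text)
    name = (root.findtext("name") or "").strip()
    if name != MODULE_NAME:
        raise ValueError(f"config.xml describes {name!r}, not {MODULE_NAME}")
    version = (root.findtext("version") or "").strip()
    if not version:
        raise ValueError("config.xml has no <version> element")
    return version


def assess_config_xml(xml_text):
    """Return the installed version and whether it falls under CVE-2023-27843."""
    version = version_from_config_xml(xml_text)
    return {"version": version, "vulnerable": is_vulnerable(version)}


if __name__ == "__main__":
    # Usage: python check_askforaquote.py /var/www/shop/modules/askforaquote/config.xml
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = assess_config_xml(fh.read())
    else:
        report = assess_config_xml(SAMPLE_CONFIG_XML)
    state = "VULNERABLE (update to >= %s)" % FIXED_VERSION if report["vulnerable"] else "patched"
    print(f"{MODULE_NAME} {report['version']}: {state}")
```

Run it against the on-disk config.xml rather than trusting the back office alone: the ps_module row can lag behind when a module is replaced by copying files without running the upgrade step.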
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs (UNION clauses, comment sequences, sleep()/benchmark() calls) touching quote-related tables or ps_employee
- SQL syntax errors in the PHP or PrestaShop error log, followed by back-office login attempts from the same source address, which would indicate credential extraction being put to use
- Unexpected database schema changes or new employee accounts
Network Indicators:
- HTTP requests to the askforaquote module's front controllers (index.php?fc=module&module=askforaquote... or /module/askforaquote/... with friendly URLs) carrying SQL syntax in parameters; the method name QuotesProduct::deleteProduct is not visible on the wire
- Unusual database connection patterns or query volume from the web server
SIEM Query:
source="web_server_logs" AND (uri="*module=askforaquote*" OR uri="*/module/askforaquote/*") AND (uri="*UNION*" OR uri="*SELECT*" OR uri="*%27*" OR uri="*'*")
URL-decode the request line before matching (or add the percent-encoded forms as above), and remember that access logs record only the query string: parameters sent in a POST body are visible only in WAF or application-level logs.
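The SIEM query above is easy to defeat with percent-encoding and it matches the class name rather than a URL. The following is an added example, not code from the page or from the module, showing the same detection done properly over access-log lines: it parses combined-format entries, restricts itself to requests aimed at the askforaquote module (by the fc=module&module=askforaquote query form or the /module/askforaquote/ friendly-URL form), fully URL-decodes every parameter value, and flags common SQL injection fingerprints. The log lines are constructed for the example, and the controller name "quote" used in them is an assumption, not taken from the module.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

MODULE_NAME = "askforaquote"

# Constructed sample access-log lines (Apache/Nginx combined format). Addresses are
# documentation ranges and the "quote" controller name is a placeholder.
SAMPLE_LOG = "\n".join([
    '203.0.113.10 - - [25/Apr/2023:10:01:02 +0000] "GET /index.php?fc=module&module=askforaquote&controller=quote&id_product=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [25/Apr/2023:10:01:05 +0000] "GET /index.php?fc=module&module=askforaquote&controller=quote&id_product=42%20UNION%20SELECT%20passwd%20FROM%20ps_employee HTTP/1.1" 500 0 "-" "sqlmap/1.7"',
    '203.0.113.11 - - [25/Apr/2023:10:02:00 +0000] "GET /module/askforaquote/quote?id_product=1%27%20OR%201%3D1%20--%20 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [25/Apr/2023:10:03:00 +0000] "GET /index.php?id_product=5%20UNION%20SELECT%201 HTTP/1.1" 404 0 "-" "curl/8.0"',
    '198.51.100.8 - - [25/Apr/2023:10:04:00 +0000] "POST /index.php?fc=module&module=askforaquote&controller=quote HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)

# Coarse SQL injection fingerprints. Tune against your own traffic; the boolean
# tautology pattern in particular can hit free-text search fields.
SQLI_RE = re.compile(
    r"""
      \bunion\b(\s+all)?\s+\bselect\b                     # UNION [ALL] SELECT
    | \bselect\b.+?\bfrom\b                               # SELECT ... FROM
    | \b(sleep|benchmark|extractvalue|updatexml)\s*\(     # time/error based probes
    | '\s*(or|and)\b                                      # quote breakout then boolean
    | \b(or|and)\b\s+\S+\s*=\s*\S+                        # OR 1=1 style tautology
    | --[\s\-]                                            # MySQL line comment
    | /\*.*?\*/                                           # inline comment
    | ;\s*(drop|delete|update|insert|alter)\b             # stacked statement
    """,
    re.IGNORECASE | re.VERBOSE | re.DOTALL,
)


def _fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded payloads are visible."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def _targets_module(path, params):
    """Match both PrestaShop URL shapes for a module front controller."""
    if params.get("module", "").lower() == MODULE_NAME:
        return True
    return re.search(rf"/module/{MODULE_NAME}(/|$)", path, re.IGNORECASE) is not None


def scan_log(text, module_only=True):
    """Return one finding per request whose query parameters look like SQL injection.

    Only the request line is available in an access log, so parameters sent in a
    POST body are not inspected here; use WAF or application logs for those.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        parts = urlsplit(m.group("target"))
        raw_params = parse_qsl(parts.query, keep_blank_values=True)  # decodes once
        params = dict(raw_params)
        if module_only and not _targets_module(parts.path, params):
            continue
        for name, value in raw_params:
            decoded = _fully_decode(value)
            if SQLI_RE.search(decoded):
                findings.append({
                    "line": lineno, "ip": m.group("ip"), "method": m.group("method"),
                    "param": name, "value": decoded,
                })
                break  # one finding per request is enough for triage
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} {f['method']} param={f['param']} value={f['value']!r}")
```

Pass `module_only=False` to see injection attempts against any endpoint; keeping the default narrows alerting to the module this CVE concerns, which is what a WAF virtual patch would also do.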
🔗 References
- https://addons.prestashop.com/en/quotes/3725-ask-for-a-quote-convert-to-order-messaging-system.html
- https://friends-of-presta.github.io/security-advisories/modules/2023/04/25/askforaquote.html