CVE-2023-39675
📋 TL;DR
This CVE describes a SQL injection vulnerability in the SimpleImportProduct Prestashop module that allows attackers to execute arbitrary SQL commands via the key parameter in send.php. Any Prestashop installation using the vulnerable module version is affected, potentially leading to complete database compromise.
💻 Affected Systems
- SimpleImportProduct Prestashop Module
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution via database functions.
Likely Case
Database information disclosure, data manipulation, and potential administrative access to the Prestashop backend.
If Mitigated
Limited impact if proper input validation and parameterized queries are implemented, though SQL injection attempts would still be logged.
🎯 Exploit Status
The vulnerability is well-documented with public proof-of-concept available. SQL injection via the key parameter is straightforward to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v6.3.0 or later
Vendor Advisory: https://blog.sorcery.ie/posts/simpleimportproduct_sqli/
Restart Required: No
Instructions:
1. Update SimpleImportProduct module to v6.3.0 or later.
2. Remove or disable the vulnerable send.php file if not needed.
3. Verify the fix by testing the key parameter with SQL injection payloads.
🔧 Temporary Workarounds
Disable vulnerable endpoint
Linux: Temporarily disable or remove the send.php file to prevent exploitation
mv modules/simpleimportproduct/send.php modules/simpleimportproduct/send.php.disabled
Implement WAF rules
All platforms: Add web application firewall rules to block SQL injection attempts on the key parameter
🧯 If You Can't Patch
- Implement strict input validation on the key parameter to only allow expected values
- Deploy a web application firewall with SQL injection detection rules
🔍 How to Verify
Check if Vulnerable:
Check if send.php exists in modules/simpleimportproduct/ directory and test with SQL injection payloads on the key parameter
Check Version:
grep -r 'version' modules/simpleimportproduct/ || cat modules/simpleimportproduct/README.md
Verify Fix Applied:
Test the key parameter with SQL injection payloads after patching to ensure they are properly sanitized
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple requests to send.php with suspicious key parameters
- Error logs showing SQL syntax errors
Network Indicators:
- HTTP POST requests to /modules/simpleimportproduct/send.php with SQL keywords in parameters
- Unusual database connection patterns from web server
SIEM Query:
source="web_logs" AND uri="/modules/simpleimportproduct/send.php" AND (param="key" AND (value CONTAINS "UNION" OR value CONTAINS "SELECT" OR value CONTAINS "OR 1=1"))
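The log indicators above can also be checked offline against web server access logs. The following is an added example, not code from the advisory or the module: it assumes Apache/nginx "combined" log lines in which the key parameter is visible in the request URI (parameters sent in a POST body need WAF or proxy logs instead), and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/modules/simpleimportproduct/send.php"  # path named on this page
# Keywords taken from the page's SIEM query; word boundaries reduce false hits.
SQLI_RE = re.compile(r"\bunion\b|\bselect\b|\bor\s+1\s*=\s*1\b", re.IGNORECASE)
# Assumed format: "combined" access log; only IP, request line and status are used.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def suspicious_requests(lines):
    """Return (client_ip, status, decoded key value) for each flagged request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        url = urlsplit(target)
        if url.path != ENDPOINT:
            continue
        # parse_qs percent-decodes and maps '+' to space, so URL-encoded
        # keywords are matched as well as literal ones.
        for value in parse_qs(url.query, keep_blank_values=True).get("key", []):
            if SQLI_RE.search(value):
                hits.append((ip, int(status), value))
    return hits


# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2023:10:01:02 +0000] "GET /modules/simpleimportproduct/send.php?key=a1b2c3 HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [10/Sep/2023:10:01:05 +0000] "GET /modules/simpleimportproduct/send.php?key=x%27%20UNION%20SELECT%201 HTTP/1.1" 500 0 "-" "-"',
    '198.51.100.4 - - [10/Sep/2023:10:02:11 +0000] "POST /modules/simpleimportproduct/send.php?key=x%27+or+1%3D1 HTTP/1.1" 200 40 "-" "-"',
    '198.51.100.4 - - [10/Sep/2023:10:02:30 +0000] "GET /index.php?key=UNION HTTP/1.1" 200 90 "-" "-"',
    '203.0.113.7 - - [10/Sep/2023:10:03:00 +0000] "GET /modules/simpleimportproduct/send.php?key=selection2023 HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for ip, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} status={status} key={value!r}")
```

A 500 status on a flagged request lines up with the "SQL syntax errors" indicator and is worth correlating with the database error log.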