CVE-2023-43986
📋 TL;DR
This CVE describes a SQL injection vulnerability in the DM Concept configurator module for PrestaShop. The method ConfiguratorAttachment::getAttachmentByToken builds a query from an attacker-controlled token value, so a crafted token can execute arbitrary SQL against the shop database. Every installation running a version before 4.9.4 is affected.
💻 Affected Systems
- DM Concept configurator for PrestaShop, all versions before 4.9.4
📦 What is this software?
Advanced custom product configurator by step (module name: configurator) by DM Concept, a commercial PrestaShop module distributed through PrestaShop Addons that lets customers build made-to-measure products step by step.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the shop database: theft of customer, order and employee data, data manipulation, authentication bypass using recovered credentials, and, where the database account has file-write privileges, remote code execution through database functions.
Likely Case
Unauthorized read access to database contents and bulk exfiltration, with privilege escalation inside the PrestaShop application if recovered credentials or tokens are reused.
If Mitigated
Limited impact: once the token value is escaped or bound as a parameter rather than spliced into the query text, it can no longer change the query's structure.
🎯 Exploit Status
No public exploit is cited on this page. SQL injection in a lookup-by-token method typically has low exploitation complexity, especially where the endpoint is reachable without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.9.4
Vendor Advisory: https://security.friendsofpresta.org/modules/2023/10/19/configurator.html
Restart Required: No
Instructions:
1. Log into the PrestaShop admin panel.
2. Navigate to Modules > Module Manager.
3. Find DM Concept configurator.
4. Update to version 4.9.4 or later.
5. Clear the PrestaShop cache if needed.
🔧 Temporary Workarounds
Disable vulnerable module
Temporarily disable the DM Concept configurator module until patching is possible.
Navigate to PrestaShop admin > Modules > Module Manager > Disable DM Concept configurator
Web Application Firewall rules
Implement WAF rules to block SQL injection patterns targeting the ConfiguratorAttachment endpoint.
Configure the WAF to block SQL injection patterns in requests to */configurator* endpoints. Make sure the rules match on the URL-decoded request, since %-encoded (and double-encoded) payloads slip past raw-string matching.
🧯 If You Can't Patch
- If you maintain a fork or customization of the module, rewrite getAttachmentByToken so the token is escaped with PrestaShop's pSQL() or bound as a query parameter, and apply the same rule to every other user-controlled value in custom SQL
- Deploy a web application firewall with SQL injection protection rules in front of the shop
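The difference between the worst case above and the mitigated case comes down to whether the token reaches the database as SQL text or as a bound value. The following is an added illustration, not code from the module or from the advisory: it uses an in-memory SQLite database with a constructed stand-in schema (the attachment and employee tables and their columns are assumptions for the example) and runs the same two constructed payloads through a string-spliced lookup and a parameterized one.

```python
import sqlite3

# Constructed stand-in schema. The table and column names are assumptions made
# for this illustration; they are not the module's real schema.
ATTACHMENT_ROWS = [
    (1, "tok-aaaa", "customer-1-design.pdf"),
    (2, "tok-bbbb", "customer-2-design.pdf"),
    (3, "tok-cccc", "customer-3-design.pdf"),
]
EMPLOYEE_ROWS = [
    (1, "admin@example.test", "$2y$10$constructed-hash"),
]


def make_db():
    """Build an in-memory database with a token-keyed attachment table and a
    second table that a token lookup should never be able to reach."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE attachment (id INTEGER PRIMARY KEY, token TEXT, filename TEXT)")
    conn.execute("CREATE TABLE employee (id INTEGER PRIMARY KEY, email TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO attachment VALUES (?, ?, ?)", ATTACHMENT_ROWS)
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)", EMPLOYEE_ROWS)
    return conn


def get_attachment_vulnerable(conn, token):
    """Token spliced into the query text: it becomes SQL grammar, not data."""
    sql = "SELECT id, filename FROM attachment WHERE token = '" + token + "'"
    return conn.execute(sql).fetchall()


def get_attachment_safe(conn, token):
    """Token passed as a bound parameter: quotes and keywords in it stay data."""
    sql = "SELECT id, filename FROM attachment WHERE token = ?"
    return conn.execute(sql, (token,)).fetchall()


def demo():
    conn = make_db()
    honest = "tok-bbbb"
    # Constructed payloads: the first closes the string literal and appends an
    # always-true condition (every row comes back); the second bolts on a
    # UNION that reads a different table through the same endpoint.
    tautology = "x' OR '1'='1"
    union = "x' UNION SELECT id, passwd FROM employee WHERE '1'='1"
    return {
        "vulnerable_honest": get_attachment_vulnerable(conn, honest),
        "vulnerable_tautology": get_attachment_vulnerable(conn, tautology),
        "vulnerable_union": get_attachment_vulnerable(conn, union),
        "safe_honest": get_attachment_safe(conn, honest),
        "safe_tautology": get_attachment_safe(conn, tautology),
        "safe_union": get_attachment_safe(conn, union),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22} -> {rows}")
```

With the honest token both lookups return the same single row. With the tautology payload the spliced query returns every attachment; with the UNION payload it returns the employee password hash through an endpoint that only exists to fetch attachments. The parameterized lookup returns an empty result for both payloads because no token literally equals the payload string.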
🔍 How to Verify
Check if Vulnerable:
Open the PrestaShop admin panel, go to Modules > Module Manager > DM Concept configurator and read the installed version. Any version lower than 4.9.4 is vulnerable. On the server, the same value is in the <version> element of the module's config.xml inside its directory under modules/.
Verify Fix Applied:
Confirm the module version shown in the module manager (and in config.xml on disk) is 4.9.4 or higher.
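Reading the version from the module manager does not scale across many shops, and comparing version strings lexically gets 4.10.0 versus 4.9.4 wrong. The check below is an added example, not a tool from the module vendor or from PrestaShop: it parses the <version> element of a PrestaShop module config.xml (the sample XML is constructed for the example; the module directory name configurator and the display name are assumptions) and compares it numerically against 4.9.4.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

FIXED_VERSION = "4.9.4"

# Constructed sample of a PrestaShop module config.xml, the file each module
# ships in its own directory with its version. The values are made up.
SAMPLE_CONFIG_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<module>
    <name><![CDATA[configurator]]></name>
    <displayName><![CDATA[Advanced custom product configurator]]></displayName>
    <version><![CDATA[4.9.3]]></version>
    <author><![CDATA[DM Concept]]></author>
</module>
"""


def parse_version(version_str):
    """Turn '4.9.3' into (4, 9, 3) so comparison is numeric: (4, 10, 0) > (4, 9, 4),
    which a plain string comparison gets wrong."""
    parts = re.findall(r"\d+", version_str)
    if not parts:
        raise ValueError(f"unparseable version: {version_str!r}")
    return tuple(int(p) for p in parts)


def module_version_from_xml(xml_text):
    """Extract the <version> text from a module config.xml (CDATA is unwrapped
    by the parser)."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    if node is None or not (node.text or "").strip():
        raise ValueError("config.xml has no <version> element")
    return node.text.strip()


def is_vulnerable(version_str, fixed=FIXED_VERSION):
    """True when the installed version is below the fixed release."""
    return parse_version(version_str) < parse_version(fixed)


def check_module_dir(module_dir):
    """Read modules/<name>/config.xml from a real shop and classify it.
    Assumes the standard PrestaShop layout: the module directory holds config.xml."""
    xml_text = Path(module_dir, "config.xml").read_text(encoding="utf-8")
    version = module_version_from_xml(xml_text)
    return version, is_vulnerable(version)


if __name__ == "__main__":
    # Usage: python check_configurator.py /var/www/shop/modules/configurator
    # (path is an assumption; without an argument the constructed sample is used)
    if len(sys.argv) > 1:
        version, vuln = check_module_dir(sys.argv[1])
    else:
        version = module_version_from_xml(SAMPLE_CONFIG_XML)
        vuln = is_vulnerable(version)
    print(f"configurator {version}: {'VULNERABLE (< 4.9.4)' if vuln else 'patched'}")
```

Run it once per shop against the module directory; a non-numeric or missing <version> raises rather than silently reporting "patched", which is the failure mode you want when scripting this across a fleet.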
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Bursts of requests to configurator endpoints with varying or malformed token values (enumeration or automated injection tooling)
- Error logs containing SQL syntax errors from the configurator module
Network Indicators:
- HTTP requests containing SQL keywords (SELECT, UNION, INSERT, etc.) targeting configurator endpoints
- Unusually large responses from configurator endpoints (bulk rows returned by UNION-based queries) and unexpected outbound connections from the web or database server
SIEM Query:
web.url:*configurator* AND (web.query:*SELECT* OR web.query:*UNION* OR web.query:*INSERT* OR web.query:*DELETE*)
Run this against the URL-decoded query string: on the raw request it misses %-encoded payloads, and a bare substring match also flags benign values that merely contain a keyword (for example a token such as "selection").
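To show what the keyword query above catches and what it does not, here is an added detection example (not from the page, the module or any vendor) that scans constructed access-log lines in combined log format. The endpoint path /module/configurator/attachment, the addresses and every parameter value are made up for the example; the encoded and double-encoded payloads and the benign "selection-2023" token are there to exercise decoding and word-boundary matching.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access log (combined log format). Addresses, paths and
# parameter values are made up; the endpoint path is an assumption, not the
# module's documented route.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Oct/2023:10:01:02 +0000] "GET /module/configurator/attachment?token=abc123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Oct/2023:10:01:03 +0000] "GET /module/configurator/attachment?token=abc%27%20UNION%20SELECT%201,2--%20- HTTP/1.1" 200 2048 "-" "sqlmap/1.7"
203.0.113.7 - - [19/Oct/2023:10:01:04 +0000] "GET /module/configurator/attachment?token=abc%2527%2520OR%2520%25271%2527%253D%25271 HTTP/1.1" 200 4096 "-" "curl/8.0"
203.0.113.9 - - [19/Oct/2023:10:01:05 +0000] "GET /module/configurator/attachment?token=selection-2023 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Oct/2023:10:02:00 +0000] "GET /index.php?controller=product&id_product=42 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Named patterns applied to the fully decoded request target. Word boundaries
# keep substrings such as "selection" from matching the SELECT keyword.
SQLI_PATTERNS = [
    ("union_select", re.compile(r"\bunion\b[\s\S]{0,40}?\bselect\b", re.I)),
    ("tautology", re.compile(r"'\s*(?:or|and)\s*'?\w+'?\s*=\s*'?\w+", re.I)),
    ("comment", re.compile(r"--\s|--$|/\*|;\s*(?:drop|update|insert|delete)\b", re.I)),
    ("dangerous_fn", re.compile(r"\b(?:sleep|benchmark|information_schema|load_file|outfile)\b", re.I)),
]


def decode_fully(s, max_rounds=3):
    """URL-decode until the string stops changing, so double-encoded payloads
    (%2527 -> %27 -> ') are inspected in their final form."""
    for _ in range(max_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_log(log_text):
    """Return configurator requests whose decoded target matches an injection pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = decode_fully(m.group("target"))
        if "configurator" not in urlsplit(target).path.lower():
            continue
        matched = [name for name, pat in SQLI_PATTERNS if pat.search(target)]
        if matched:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "ua": m.group("ua"),
                         "target": target, "patterns": matched})
    return hits


def naive_keyword_hits(log_text):
    """Literal reading of the keyword SIEM rule: case-insensitive substring match
    on the raw, still-encoded URL (case handling is an assumption). Included to
    show what that rule misses and what it over-flags."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m.group("target")
        if "configurator" in raw.lower() and any(k in raw.upper() for k in ("SELECT", "UNION", "INSERT", "DELETE")):
            hits.append(m.group("ip") + " " + raw)
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} {h['patterns']} {h['target']}")
    print("naive keyword rule flagged:", naive_keyword_hits(SAMPLE_LOG))
```

On the sample, the decoded scan flags the two requests from 203.0.113.7 (UNION plus comment terminator, then the double-encoded tautology) and nothing else. The raw keyword rule flags the UNION request and the harmless "selection-2023" token, and misses the double-encoded tautology entirely, which is exactly why the query above needs the decoded field.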
🔗 References
- https://addons.prestashop.com/fr/declinaisons-personnalisation/20343-configurateur-avance-de-produit-sur-mesure-par-etape.html
- https://security.friendsofpresta.org/modules/2023/10/19/configurator.html