CVE-2023-46914
📋 TL;DR
A critical SQL injection vulnerability in the RM bookingcalendar module for PrestaShop allows remote attackers to execute arbitrary SQL commands via the ics_export.php file. This can lead to complete system compromise, data theft, and privilege escalation. All PrestaShop installations using affected versions of this module are vulnerable.
💻 Affected Systems
- PrestaShop RM bookingcalendar module
📦 What is this software?
Bookingcalendar by Bookingcalendar Project
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise: attackers can execute arbitrary code, steal all database data (including customer information and credentials), escalate privileges to administrative access, and potentially pivot to other systems.
Likely Case
Database compromise leading to sensitive data exfiltration (customer data, payment information, credentials) and potential website defacement or disruption.
If Mitigated
Limited impact with proper network segmentation, database user privilege restrictions, and input validation at application layer.
🎯 Exploit Status
SQL injection via ics_export.php requires no authentication. Public exploit details available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.8.0 or later
Vendor Advisory: https://security.friendsofpresta.org/modules/2024/02/06/bookingcalendar.html
Restart Required: No
Instructions:
1. Update the RM bookingcalendar module to version 2.8.0 or later via the PrestaShop module manager.
2. Verify the update completed successfully.
3. Clear the PrestaShop cache if issues occur.
🔧 Temporary Workarounds
Disable or remove vulnerable module
Platform: all
Temporarily disable or uninstall the RM bookingcalendar module until patched.
Navigate to PrestaShop admin > Modules > Module Manager > Find 'bookingcalendar' > Disable/Uninstall
Block access to vulnerable file
Platform: linux
Use web server configuration to block access to ics_export.php.
For Apache: add 'Deny from all' to .htaccess for ics_export.php
For Nginx: add 'location ~ ics_export\.php { deny all; }' to site config
🧯 If You Can't Patch
- Implement strict WAF rules to block SQL injection patterns targeting the vulnerable endpoint
- Restrict database user permissions to minimum required (SELECT only if possible) for the module's database user
🔍 How to Verify
Check if Vulnerable:
Check PrestaShop admin panel > Modules > Module Manager > bookingcalendar version. If version is 2.7.9 or earlier, you are vulnerable.
Check Version:
Check via PrestaShop admin interface or examine /modules/bookingcalendar/bookingcalendar.php file version header
Verify Fix Applied:
Verify bookingcalendar module version is 2.8.0 or later in module manager. Test ics_export.php functionality with SQL injection test payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs originating from the web server's IP address
- Multiple requests to /modules/bookingcalendar/ics_export.php with SQL syntax in parameters
- Database error messages containing SQL syntax in web server logs
Network Indicators:
- HTTP requests to ics_export.php with SQL keywords (UNION, SELECT, INSERT) in parameters
- Unusual database connection patterns from web application server
SIEM Query:
source="web_server_logs" AND uri="/modules/bookingcalendar/ics_export.php" AND (param="*UNION*" OR param="*SELECT*" OR param="*INSERT*")
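The log indicators above, turned into a small offline check. This is an added example, not code from the advisory or the module: it parses combined-format access log lines, URL-decodes every query parameter sent to the ics_export.php endpoint (a second time, to catch double-encoded values) and flags any value containing one of the listed keywords as a whole word. The sample log lines and the `id_product` parameter name are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Endpoint named in the advisory, and the keywords its network indicators list.
TARGET_PATH = "/modules/bookingcalendar/ics_export.php"
SQL_KEYWORDS = ("UNION", "SELECT", "INSERT")

# Combined access-log format: ip ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "\S+ (?P<target>\S+) \S+" \d{3} \S+'
)

def suspicious_params(target):
    """Return {param: decoded value} for query parameters of TARGET_PATH whose
    value contains a listed SQL keyword as a whole word; {} otherwise."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return {}
    hits = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already decoded once; a second unquote catches double-encoded
        # values (%2520 -> %20 -> space) that a raw substring match would miss.
        decoded = unquote_plus(value)
        if any(re.search(rf"\b{kw}\b", decoded, re.IGNORECASE) for kw in SQL_KEYWORDS):
            hits[name] = decoded
    return hits

def scan_access_log(lines):
    """Return (ip, time, param, value) for every request matching the indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        for name, value in suspicious_params(m["target"]).items():
            findings.append((m["ip"], m["time"], name, value))
    return findings

# Constructed sample lines; 'id_product' is an assumed parameter name, not one
# taken from the advisory.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Feb/2024:10:00:01 +0000] "GET /modules/bookingcalendar/ics_export.php?id_product=12 HTTP/1.1" 200 512',
    '203.0.113.7 - - [06/Feb/2024:10:00:05 +0000] "GET /modules/bookingcalendar/ics_export.php?id_product=12%27%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0',
    '198.51.100.9 - - [06/Feb/2024:10:01:00 +0000] "GET /index.php?controller=product&id_product=12 HTTP/1.1" 200 9000',
    '198.51.100.9 - - [06/Feb/2024:10:02:00 +0000] "GET /modules/bookingcalendar/ics_export.php?id_product=%2527%2520UNION%2520SELECT%25201 HTTP/1.1" 500 0',
]
if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious request:", hit)
```

Requests to other paths are ignored even when they carry the same keywords, so the check stays scoped to the endpoint named in the advisory.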