CVE-2024-28388
📋 TL;DR
This SQL injection vulnerability in the SunnyToo stproductcomments module for PrestaShop allows remote attackers to execute arbitrary SQL commands. Attackers can escalate privileges, access sensitive data, or take control of the database. All PrestaShop installations using stproductcomments v1.0.5 or earlier are affected.
💻 Affected Systems
- SunnyToo stproductcomments module for PrestaShop
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise: theft of customer and order data, extraction of employee (back-office) password hashes enabling privilege escalation to admin, and, where the shop's MySQL account holds the FILE privilege and secure_file_priv allows it, file writes via SELECT ... INTO OUTFILE that can lead to remote code execution on the web server.
Likely Case
Unauthorized access to sensitive customer data (emails, addresses, orders), privilege escalation to modify shop content or settings.
If Mitigated
Limited impact: if the module is disabled or its parameters are locally cast/escaped, and the shop's database account is least-privilege (no FILE privilege, access limited to the shop schema), the injection cannot be turned into file writes or cross-schema access, although any data reachable by that account remains exposed until the module is patched.
🎯 Exploit Status
SQL injection through the StProductCommentClass::getListcomments method. A single crafted HTTP request to the module's front-office endpoint is enough, so exploitation requires minimal technical skill and is within reach of generic SQL injection tooling.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.0.6 or later
Vendor Advisory: https://security.friendsofpresta.org/modules/2024/03/12/stproductcomments.html
Restart Required: No
Instructions:
1. Download v1.0.6 or later from the vendor (SunnyToo) or the PrestaShop Addons marketplace.
2. Replace the existing modules/stproductcomments files with the updated release (do not leave a copy of the old version under modules/).
3. Clear the PrestaShop cache (Advanced Parameters > Performance > Clear cache, or delete var/cache/*).
4. Confirm the declared version is 1.0.6 or later and test that product comments list and submit correctly.
🔧 Temporary Workarounds
Disable stproductcomments module
Temporarily disable the vulnerable module until patching is possible; a disabled module's front controllers are no longer reachable.
Navigate to PrestaShop admin > Modules > Module Manager > Find 'stproductcomments' > Disable
WAF rule for SQL injection
Implement web application firewall rules to block SQL injection attempts against the module's endpoints.
Add WAF rules that match SQL injection signatures (UNION SELECT, SLEEP(, information_schema, quote-plus-tautology) in GET/POST parameters of requests to stproductcomments endpoints. Keyword matching is a stopgap only: it is noisy (legitimate comment text contains words like "select" and "or") and can be evaded with encoding and comment tricks, so treat it as extra detection rather than a substitute for the patch.
🧯 If You Can't Patch
- If you maintain the module code yourself, fix getListcomments locally: cast integer parameters with (int) and pass string parameters through pSQL() before they are interpolated into the query, which is the PrestaShop convention for module SQL (the Db layer is not normally used with bound parameters)
- Restrict the database user to the minimum required for the shop: no FILE privilege, no access to other schemas, and no SUPER/PROCESS rights
🔍 How to Verify
Check if Vulnerable:
Check module version in PrestaShop admin panel under Modules > Module Manager > stproductcomments.
Check Version:
Check the version the module declares: the $this->version assignment in modules/stproductcomments/stproductcomments.php (inside the class constructor), or the <version> element in modules/stproductcomments/config.xml. Compare numerically, since 1.0.10 is newer than 1.0.6.
Verify Fix Applied:
Confirm module version is v1.0.6 or later and test comment functionality works without errors.
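The version check described above, as an added example (not code from the advisory or from SunnyToo). It reads the version the module declares, either $this->version in stproductcomments.php or <version> in config.xml, and compares it numerically so that 1.0.10 is correctly treated as newer than 1.0.6. The PHP snippet embedded below is a constructed stand-in for the module's main file, not the vendor's source; the fixed version 1.0.6 is taken from this page.

```python
"""Decide whether an installed stproductcomments copy is in the affected range (<= 1.0.5)."""
import re
import sys
from pathlib import Path

FIRST_FIXED = (1, 0, 6)  # first fixed release per the advisory on this page

# $this->version = '1.0.5';  (PrestaShop module constructor convention)
PHP_VERSION_RE = re.compile(r"""\$this->version\s*=\s*['"]([0-9][0-9.]*)['"]""")
# <version><![CDATA[1.0.5]]></version>  (module config.xml)
XML_VERSION_RE = re.compile(
    r"<version>\s*(?:<!\[CDATA\[)?\s*([0-9][0-9.]*)\s*(?:\]\]>)?\s*</version>"
)


def parse_version(text):
    """'1.0.5' -> (1, 0, 5); tuples compare element-wise, unlike strings."""
    return tuple(int(part) for part in text.strip().split("."))


def declared_version(php_src=None, config_xml=None):
    """Prefer the PHP declaration (what PrestaShop actually loads); fall back to config.xml."""
    for src, rx in ((php_src, PHP_VERSION_RE), (config_xml, XML_VERSION_RE)):
        if src:
            m = rx.search(src)
            if m:
                return parse_version(m.group(1))
    return None


def is_vulnerable(version):
    """True for every release before the first fixed one (1.0.5, 1.0, 0.9, ...)."""
    return version < FIRST_FIXED


def check_module_dir(path):
    """Return (version, vulnerable) for a module directory on disk."""
    d = Path(path)
    php = d / "stproductcomments.php"
    xml = d / "config.xml"
    version = declared_version(
        php.read_text(errors="replace") if php.is_file() else None,
        xml.read_text(errors="replace") if xml.is_file() else None,
    )
    if version is None:
        raise ValueError(f"no version declaration found under {d}")
    return version, is_vulnerable(version)


# Constructed stand-in for the module's main file (not the vendor's real source).
SAMPLE_PHP = """<?php
class StProductComments extends Module
{
    public function __construct()
    {
        $this->name = 'stproductcomments';
        $this->version = '1.0.5';
        parent::__construct();
    }
}
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        version, vulnerable = check_module_dir(sys.argv[1])
    else:
        version = declared_version(SAMPLE_PHP)
        vulnerable = is_vulnerable(version)
    label = "VULNERABLE, update to 1.0.6 or later" if vulnerable else "fixed"
    print("stproductcomments %s: %s" % (".".join(map(str, version)), label))
```

Run it as `python check_stpc.py /var/www/prestashop/modules/stproductcomments` on the shop host; without an argument it evaluates the embedded sample. Check every copy of the module on disk (backup directories, staging checkouts), since PrestaShop loads whatever sits under modules/stproductcomments regardless of what the Module Manager last displayed.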
📡 Detection & Monitoring
Log Indicators:
- PrestaShopDatabaseException entries (or raw MySQL syntax errors) in the PrestaShop logs whose stack trace passes through modules/stproductcomments
- Back-office login attempts from an IP that earlier sent crafted requests to the module (dumped employee password hashes may be cracked and reused)
- Queries in the MySQL general or slow log from the comment-listing path that contain UNION SELECT, SLEEP()/BENCHMARK(), information_schema, or reads of the employee table
Network Indicators:
- HTTP requests to stproductcomments endpoints whose parameters carry SQL injection signatures, including encoded forms (%27, %20UNION%20, double-encoded %2527)
- Unexpected outbound connections from the web server to hosts other than the database, which would indicate follow-on activity after a successful injection
SIEM Query (Splunk-style; adapt field and source names to your environment):
sourcetype=access_combined uri="*stproductcomments*" (uri="*UNION*SELECT*" OR uri="*SLEEP(*" OR uri="*information_schema*" OR uri="*%27*")
source="*prestashop*.log" ("PrestaShopDatabaseException" OR "SQLSTATE") "stproductcomments"
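The network indicators above, turned into detection logic over sample access-log lines, as an added example (not code from the advisory or from SunnyToo). It assumes Apache/nginx "combined" log format and that the module is reached either as index.php?fc=module&module=stproductcomments&controller=... or, with friendly URLs, as /module/stproductcomments/<controller>; the controller names (list, add) and the id_product parameter in the sample are placeholders, and the log lines are constructed, not captured. Unlike a bare keyword grep it matches whole techniques (UNION SELECT, time-based functions, quoted tautologies) and decodes parameters twice, so a double-encoded %2527 is still caught.

```python
"""Scan web-server access logs for injection attempts against the stproductcomments front controller."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache/nginx combined format; trailing referer/user-agent fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Requests that reach the module's front controller, with or without friendly URLs.
MODULE_RE = re.compile(r"(?i)(?:[?&]module=stproductcomments(?:&|$)|/module/stproductcomments/)")

# Deliberately narrow signatures: each one is a technique, not a bare keyword.
SQLI_PATTERNS = {
    "union-select": re.compile(r"(?i)\bunion\b[\s/*]+(?:all[\s/*]+)?select\b"),
    "time/error-based function": re.compile(
        r"(?i)\b(?:sleep|benchmark|extractvalue|updatexml|load_file)\s*\("
    ),
    "quoted tautology": re.compile(r"""(?i)['"]\s*(?:or|and)\s+['"\w]+\s*=\s*['"\w]+"""),
    "numeric tautology": re.compile(r"(?i)\b(?:or|and)\s+\d+\s*=\s*\d+"),
    "schema enumeration": re.compile(r"(?i)\binformation_schema\b"),
}


def classify_value(value):
    """Return the name of the first matching signature, or None for a benign value."""
    decoded = unquote_plus(value)  # parse_qsl decoded once; this catches %2527 -> %27 -> '
    for name, rx in SQLI_PATTERNS.items():
        if rx.search(decoded):
            return name
    return None


def scan_line(line):
    """Return a finding dict for a suspicious module request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    if not MODULE_RE.search(url):
        return None  # only the vulnerable module's endpoints are of interest
    hits = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        sig = classify_value(value)
        if sig:
            hits.append((key, sig))
    if not hits:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "method": m.group("method"),
            "url": url, "hits": hits}


def scan_log(lines):
    return [finding for finding in map(scan_line, lines) if finding]


def suspicious_ips(lines):
    """IPs worth correlating with later back-office login attempts."""
    return sorted({finding["ip"] for finding in scan_log(lines)})


# Constructed sample log; these are not real entries, and 1,passwd,3 / ps_employee are illustrative.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php?fc=module&module=stproductcomments&controller=list&id_product=12&page=1 HTTP/1.1" 200 4211 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Mar/2024:10:01:09 +0000] "GET /index.php?fc=module&module=stproductcomments&controller=list&id_product=12%20UNION%20SELECT%201,passwd,3%20FROM%20ps_employee--%20- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:10:02:30 +0000] "GET /module/stproductcomments/list?id_product=12%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 4211 "-" "python-requests/2.31"',
    '198.51.100.7 - - [12/Mar/2024:10:03:00 +0000] "GET /cart?id_product=1%20UNION%20SELECT%201 HTTP/1.1" 200 900 "-" "python-requests/2.31"',
    '192.0.2.5 - - [12/Mar/2024:10:04:00 +0000] "POST /index.php?fc=module&module=stproductcomments&controller=add HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [12/Mar/2024:10:05:12 +0000] "GET /index.php?fc=module&module=stproductcomments&controller=list&id_product=1%2527%2520OR%25201%253D1 HTTP/1.1" 200 4211 "-" "curl/8.4"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["time"], finding["ip"], finding["hits"], finding["url"])
    print("suspicious IPs:", suspicious_ips(SAMPLE_LOG))
```

Feed it real logs with `scan_log(open("/var/log/nginx/access.log"))`. Two limits to keep in mind: access logs do not contain POST bodies, so injection delivered in a POST to the module is only visible in the WAF or application logs; and the /cart line in the sample is deliberately ignored, because a scan that flags every SQL-looking parameter shop-wide drowns the module-specific signal this advisory is about.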