EuroInformation MoneticoPaiement Module SQL Injection Vulnerability for PrestaShop
Vulnerability
A critical SQL injection vulnerability has been identified in the EuroInformation MoneticoPaiement module for PrestaShop, affecting versions prior to 1.1.1. It allows remote attackers to execute arbitrary SQL commands by manipulating the TPE, societe, MAC, reference, or aliascb parameters in transaction.php, validation.php, or callback.php. Exploitation requires only ordinary HTTP requests, and because the module is reached through PrestaShop's FrontController, the true source of the request is obscured in the logs.
Impact
Successful exploitation allows unauthorized SQL command execution, which an attacker can use to manipulate the database, read sensitive information, or disrupt normal operations. According to the advisory, the flaw could be used to gain admin access, delete PrestaShop data, extract sensitive information such as the tokens that protect admin ajax scripts, or alter SMTP settings to intercept emails.
Remediation
Users are advised to upgrade the MoneticoPaiement module to version 1.1.1 or later. If the module is not in use, delete it. To further harden the PrestaShop installation, consider changing the default database table prefix and enabling dedicated rules for these parameters on the web application firewall.
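As an added defender-side example (not code from the advisory or the module vendor), the following Python scans web-server access-log lines for requests that reach the three scripts named above with SQL metacharacters in the TPE, societe, MAC, reference or aliascb values. The combined log format, the sample lines and the module slug moneticopaiement used to recognise the index.php?fc=module route are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Scripts and parameters named in the advisory.
SCRIPTS = {"transaction.php", "validation.php", "callback.php"}
PARAMS = {"TPE", "societe", "MAC", "reference", "aliascb"}
# Assumed module slug for PrestaShop's FrontController routing
# (index.php?fc=module&module=...); the advisory does not state it.
MODULE_SLUG = "moneticopaiement"

# Quotes, statement separators, comment openers and a few SQL keywords that
# never belong in a payment identifier, merchant code, MAC or order reference.
SQLI_MARKERS = re.compile(r"['\"`;]|--|/\*|\b(union|select|sleep|benchmark)\b", re.I)

# Apache/nginx combined log format: ip ident user [ts] "METHOD url proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

def targets_module(url):
    """True if the request hits one of the scripts directly or via fc=module."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1]
    qs = parse_qs(parts.query)
    if script in SCRIPTS:
        return True
    # FrontController routing hides the script name; only fc/module are visible.
    return script == "index.php" and qs.get("fc") == ["module"] \
        and qs.get("module") == [MODULE_SLUG]

def suspicious_params(url):
    """Return {param: decoded value} for the named parameters carrying SQL markers."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)  # percent-decodes values
    return {name: value for name in PARAMS for value in qs.get(name, [])
            if SQLI_MARKERS.search(value)}

def scan(lines):
    """Yield (client ip, request path, suspicious params) for each flagged log line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not targets_module(m["url"]):
            continue
        hits = suspicious_params(m["url"])
        if hits:
            findings.append((m["ip"], m["url"].split("?")[0], hits))
    return findings

# Constructed sample lines: one benign call, one direct injection attempt,
# one routed through the FrontController, and one unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /modules/moneticopaiement/validation.php?TPE=1234567&societe=shop&reference=ABC123&MAC=0af HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET /modules/moneticopaiement/validation.php?TPE=1234567&reference=ABC123%27%20UNION%20SELECT%201--%20&MAC=0af HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Jan/2024:10:00:03 +0000] "GET /index.php?fc=module&module=moneticopaiement&controller=validation&aliascb=x%27%3B-- HTTP/1.1" 200 100',
    '198.51.100.9 - - [10/Jan/2024:10:00:04 +0000] "GET /index.php?controller=product&id_product=1%27 HTTP/1.1" 200 100',
]
```

Access logs do not record POST bodies, so parameters submitted by POST have to be checked at the WAF or in application logs instead.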