PrestaShop Advanced Popup Creator Module SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in the Advanced Popup Creator module for PrestaShop. This issue affects versions 1.1.26 through 1.2.6 and has been fixed in version 1.2.7. The vulnerability allows remote unauthenticated attackers to execute arbitrary SQL queries by exploiting the fromController parameter in the popup controller. The parameter is passed without proper sanitization to SQL queries in the AdvancedPopup class, specifically in the getPopups() and updateVisits() functions.

Impact

Exploitation of this vulnerability allows remote unauthenticated attackers to execute arbitrary SQL queries with the privileges of the underlying database user. This could lead to extraction of sensitive database information, such as administrator credentials and password reset tokens, discovery of back-office URLs, and full compromise of the PrestaShop administration panel. Additionally, such exploitation could cause a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending a POST request to the 'module/advancedpopupcreator/popup' endpoint with the 'fromController' parameter. The absence of sanitization allows for the injection of SQL payloads. For example, injecting a SQL payload that causes a time-based delay can confirm successful exploitation.

Remediation

Users are advised to upgrade to version 1.2.7 or later. If the module is not strictly required, it should be uninstalled and deleted. Additionally, change the default database prefix to a longer, random, and non-guessable prefix, monitor third-party module vulnerabilities, enforce strong Back Office authentication controls, restrict and rotate the Back Office URL, keep PrestaShop core and all modules up to date, and deploy perimeter protection.
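As an added example, not part of this advisory or of the module's code, the following Python check supports the monitoring advice above: it scans a request log (assumed to be JSON lines that record the POST body, as a WAF or reverse proxy can be configured to emit) and flags requests to the popup endpoint whose fromController value is not a plain controller name. The log records and source addresses are constructed.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Endpoint named in the advisory. PrestaShop controller names are plain
# identifiers, so any other character in fromController deserves a look.
POPUP_PATH = "module/advancedpopupcreator/popup"
CONTROLLER_NAME = re.compile(r"[A-Za-z0-9_-]+")


def suspicious_from_controller(method, path, query, body):
    """Return the unexpected fromController value, or None if the request looks normal."""
    if POPUP_PATH not in path:
        return None
    params = parse_qs(query or "", keep_blank_values=True)
    if method.upper() == "POST":
        # The advisory describes a POST; the parameter may also arrive in the query string.
        params.update(parse_qs(body or "", keep_blank_values=True))
    for value in params.get("fromController", []):
        if not CONTROLLER_NAME.fullmatch(value):
            return value
    return None


def scan_request_log(lines):
    """Return (line_no, source, value) for each request with an unexpected fromController."""
    hits = []
    for no, raw in enumerate(lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        parsed = urlparse(rec.get("uri", ""))
        bad = suspicious_from_controller(
            rec.get("method", ""), parsed.path, parsed.query, rec.get("body", "")
        )
        if bad is not None:
            hits.append((no, rec.get("src", "?"), bad))
    return hits


# Constructed sample records (not real traffic): one normal popup request,
# one carrying a quote and SQL fragment, and one unrelated GET.
SAMPLE_LOG = """
{"src": "198.51.100.10", "method": "POST", "uri": "/module/advancedpopupcreator/popup", "body": "fromController=index&id_popup=3"}
{"src": "203.0.113.7", "method": "POST", "uri": "/module/advancedpopupcreator/popup", "body": "fromController=index%27%20OR%201%3D1--%20&id_popup=3"}
{"src": "198.51.100.10", "method": "GET", "uri": "/index.php?controller=product&id_product=12", "body": ""}
""".strip().splitlines()

if __name__ == "__main__":
    for line_no, src, value in scan_request_log(SAMPLE_LOG):
        print(f"line {line_no}: {src} sent fromController={value!r}")
```

Adapt the field names to whatever your proxy or WAF writes; the check itself only needs the method, URI and decoded body of each request.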

Added: Feb 13, 2026, 11:45 PM
Updated: Feb 13, 2026, 11:45 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 3.1
exploitability: 9.7
remediation: 7.7
relevance: 2.8
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.