CoreShop Blind SQL Injection Vulnerability in Admin Reports

Vulnerability

A blind SQL injection vulnerability has been identified in CoreShop versions prior to 4.1.8. This vulnerability allows authenticated administrator-level users to extract database information using boolean-based or time-based techniques. The issue arises from unsanitized user input being directly concatenated into SQL queries, enabling manipulation of the query logic. Although the application's database user has read-only access, this vulnerability could lead to unauthorized disclosure of confidential data. The flaw has been patched in CoreShop version 4.1.8.

Impact

Exploitation of this vulnerability allows for boolean-based and time-based blind SQL injection, with the potential to enumerate database schema and extract data accessible to the application's database user.

Reproduction

The vulnerability can be reproduced by sending a request to the admin report endpoint with a valid store parameter. After confirming that data is returned, the store parameter can be modified to inject boolean conditions, such as 'store=1 AND 1=1', to manipulate the SQL query. This injection can be automated using tools like sqlmap, which successfully exploits the vulnerability and extracts database information.

Remediation

To address this vulnerability, user input should be properly sanitized and validated before being used in SQL queries. The store parameter can be handled as a numeric value to prevent injection. Additionally, using prepared statements with parameter binding, in line with best practices, can effectively eliminate the risk of SQL injection.
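
The remediation above, sketched as an added example that is not CoreShop's own code: the concatenated pattern next to a validated, bound query, using PDO with an in-memory SQLite database. The orders table, its columns and both function names are hypothetical, and the rows are constructed sample data.

```php
<?php
declare(strict_types=1);

// Constructed sample data; table and column names are hypothetical, not CoreShop's schema.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, store INTEGER, total REAL)');
$pdo->exec('INSERT INTO orders (store, total) VALUES (1, 10.0), (1, 25.5), (2, 99.0)');

// Vulnerable pattern described in the advisory: the raw parameter becomes part of the SQL text.
function reportConcatenated(PDO $pdo, string $store): array
{
    $sql = 'SELECT id, total FROM orders WHERE store = ' . $store;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: validate as a positive integer, then bind it as a typed parameter.
function reportBound(PDO $pdo, string $store): array
{
    $id = filter_var($store, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('store must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT id, total FROM orders WHERE store = :store');
    $stmt->bindValue(':store', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$probe = '1 AND 1=1'; // the boolean condition quoted in the Reproduction section

// Concatenated: the condition is parsed as SQL, so the caller controls the WHERE clause.
printf("concatenated, store=%s: %d rows\n", $probe, count(reportConcatenated($pdo, $probe)));

// Bound: a legitimate value works, and the probe is rejected before any query is built.
printf("bound, store=1: %d rows\n", count(reportBound($pdo, '1')));
try {
    reportBound($pdo, $probe);
} catch (InvalidArgumentException $e) {
    printf("bound, store=%s: rejected (%s)\n", $probe, $e->getMessage());
}
```

The integer check and the bound parameter are independent layers: the check rejects malformed input early, and the binding keeps the value out of the SQL text even if a later change loosens the check.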

Added: Jan 8, 2026, 10:18 AM
Updated: Jan 8, 2026, 6:56 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.1
remediation: 0.0
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.