CVE-2022-46965

An authenticated attacker sends a crafted HTTP GET request to `/modules/totadministrativemandate/pdftot.php` with a malicious `id_order` parameter. The parameter value is not sanitized before being inserted into a SQL query, allowing the attacker to inject arbitrary SQL commands. The proof of concept shows appending `'%3BSELECT%20SLEEP%2825%29%23` (URL-encoded `';SELECT SLEEP(25)#`) to the `id_order` parameter to trigger a time-based blind SQL injection [ref_id=1].

The vulnerable code is in `pdfmandate15.php` and `pdfmandate16.php` within the `PDFMandate::mandatePDF()` method (or `pdftot::MandatePDF()` in versions before 1.5). The `Tools::getValue('id_order')` input is concatenated directly into a SQL query without sanitization [ref_id=1].

The patch wraps the `$reference` variable with `pSQL()` (PrestaShop's built-in SQL escaping function) before interpolating it into the query string. This neutralizes special SQL characters, preventing injection. The same fix is applied in both `pdfmandate15.php` and `pdfmandate16.php` [ref_id=1]. The advisory also recommends upgrading the module beyond version 1.7.2 and upgrading PrestaShop to 1.7.8.8 to disable multi-query execution [ref_id=1].

curl -v --cookie-jar cookie.txt 'https://domain.tld/authentification?submitLogin=1&email=XXXX&password=YYY' && curl -v --cookie cookie.txt 'https://domain.tld/modules/totadministrativemandate/pdftot.php?id_order=1%27%3BSELECT%20SLEEP%2825%29%23' [ref_id=1]