CVE-2023-44025
Description
SQL injection vulnerability in addify Addifyfreegifts v.1.0.2 and before allows a remote attacker to execute arbitrary code via a crafted script to the getrulebyid function in the AddifyfreegiftsModel.php component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An SQL injection in the PrestaShop 'Free Gifts' module up to v1.0.2 allows remote attackers to execute arbitrary SQL commands.
Vulnerability
The SQL injection vulnerability exists in the AddifyfreegiftsModel::getrulebyid() function in the addifyfreegifts module for PrestaShop, version 1.0.2 and earlier [1]. The method makes sensitive SQL calls that can be triggered via a trivial HTTP request to a front controller, allowing an attacker to inject arbitrary SQL [1]. The vulnerability is classified as CWE-89 Improper Neutralization of SQL Parameters [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to the module's front controller [1]. The exploit requires low privileges (guest user) and no user interaction, and can be performed over the network with low complexity [1]. Attackers can conceal the module controller's path during the exploit, so conventional frontend logs only show POST / entries [1]. Enabling the mod_security audit engine is needed to detect the exploit [1].
Impact
Successful exploitation allows an attacker to perform SQL injection, potentially gaining admin access, deleting data, copying sensitive data from database tables (e.g., tokens that unlock admin Ajax scripts), and rewriting SMTP settings to hijack emails [1]. The CVSS score is 8.8 (high) with confidentiality, integrity, and availability all rated high [1].
Mitigation
The fix is available in version 1.2.0 of the module, released after the vulnerability disclosure [1]. The patch casts the $id_rule variable to an integer in the addtocart.php controller and changes the getrulebyid function to use proper SQL parameterization [1]. Users running version 1.0.2 or earlier should upgrade to version 1.2.0 [1]. No workaround is mentioned in the references.
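As an added illustration of the fix described above (not the module's own code, which is not reproduced here), the untyped lookup beside the hardened one using PrestaShop's own Db, Validate and Tools helpers; the function and variable names follow the narrative, while the table and column names are assumptions:

```php
<?php
// Added example, not the addifyfreegifts module's own code. The table name
// `addifyfreegifts_rule` and its columns are assumptions; getrulebyid,
// $id_rule and addtocart follow the CVE narrative. Requires PrestaShop's
// Db, Validate and Tools classes and the _DB_PREFIX_ constant.

class AddifyfreegiftsModelVulnerable
{
    // BEFORE: the id reaches the query untyped, so any text the client
    // supplies becomes part of the SQL statement (CWE-89).
    public static function getrulebyid($id_rule)
    {
        $sql = 'SELECT * FROM `' . _DB_PREFIX_ . 'addifyfreegifts_rule`'
             . ' WHERE `id_rule` = ' . $id_rule;
        return Db::getInstance()->getRow($sql);
    }
}

class AddifyfreegiftsModelFixed
{
    // AFTER: the id is typed as an integer before it is interpolated, so no
    // client-controlled text can enter the statement. Non-numeric input
    // casts to 0, which is treated as "no such rule" rather than queried.
    public static function getrulebyid($id_rule)
    {
        $id_rule = (int) $id_rule;
        if ($id_rule <= 0) {
            return false;
        }
        $sql = 'SELECT * FROM `' . _DB_PREFIX_ . 'addifyfreegifts_rule`'
             . ' WHERE `id_rule` = ' . (int) $id_rule;
        return Db::getInstance()->getRow($sql);
    }
}

// Front-controller side (addtocart.php): validate at the request boundary as
// well, so an obviously malformed id is rejected before any model code runs.
// The helper name is hypothetical.
function addifyfreegifts_lookup_rule_from_request()
{
    $id_rule = Tools::getValue('id_rule');
    if (!Validate::isUnsignedId($id_rule)) {
        return false; // caller reports "invalid rule" to the shopper
    }
    return AddifyfreegiftsModelFixed::getrulebyid((int) $id_rule);
}
```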
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- addify/Addifyfreegifts
- Range: <=1.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.