Improper neutralization of SQL parameter in PayPal module for PrestaShop 1.5 and 1.6

Critical
clotairer published GHSA-66pc-8gh8-mx7m Mar 31, 2023

Package

paypal (PrestaShop)

Affected versions

> 3.12.0, < 3.16.4

Patched versions

3.16.4

Description

A SQL injection vulnerability in the PrestaShop paypal module (PrestaShop release 1.6 and earlier), affecting module releases 3.12.0 to 3.16.3 (3.16.4 fixes the issue), allows a remote attacker to gain privileges.

Impact

  • Technical and personal data leaks
  • Obtain admin access
  • Remove all data of the linked PrestaShop
  • Display sensitive tables in the front-office, which can unlock the admin ajax scripts of modules that are protected by token across the ecosystem

Patches

diff --git a/ipn.php b/ipn.php
index 45525e99..e7808233 100644
--- a/ipn.php
+++ b/ipn.php
@@ -255,5 +255,5 @@ public function getResult()
     }
 } elseif (Tools::isSubmit('custom') && (int)Configuration::get('PAYPAL_PAYMENT_METHOD') == HSS) {
     $custom = Tools::jsonDecode(Tools::getValue('custom'), true);
-    Db::getInstance()->insert('paypal_hss_email_error', array('id_cart' => $custom['id_cart'], 'email' => Tools::getValue('receiver_email')));
+    Db::getInstance()->insert('paypal_hss_email_error', array('id_cart' => (int) $custom['id_cart'], 'email' => pSQL(Tools::getValue('receiver_email', ''))));
 }
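Review bot: the `(int)` cast on `id_cart` and the `pSQL()` wrapping of `receiver_email` close the injection in this insert, but the hunk still trusts `$custom` to be an array: `Tools::jsonDecode(Tools::getValue('custom'), true)` returns `null` (or a scalar) for malformed input, so `$custom['id_cart']` should be guarded with `is_array($custom) && isset($custom['id_cart'])` before the insert. Since `receiver_email` is attacker-supplied, validating it with `Validate::isEmail()` before storing it would also be preferable to relying on escaping alone.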

Associated commit

You can also install an ad hoc module that verifies the vulnerability and patches it if necessary. Follow the knowledge base.

Other recommendations

  • It is recommended to upgrade the module beyond 3.16.4.
  • Upgrade PrestaShop beyond 1.7.8.8 (and 8.0.1) to disable multi-query execution (statements separated by ";").
  • Change the default database prefix ps_ to a new, longer, arbitrary prefix. Nevertheless, be warned that this is useless against a blackhat with senior DBA skills because of a design vulnerability in the DBMS.
  • Activate the OWASP 942 rules on your WAF (web application firewall); be warned that you will probably break your back office and will need to pre-configure some bypasses for this set of rules.

References

PrestaShop addons product page

Severity

Critical


CVSS v3 base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2023-28843