Technical Analysis of EUVD-2023-49673 (CVE-2023-45381) – SQL Injection in Creative Popup (PrestaShop Module)

1. Vulnerability Assessment & Severity Evaluation

EUVD ID: EUVD-2023-49673 CVE ID: CVE-2023-45381 CVSS v3.1 Score: 9.8 (Critical) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity Breakdown:

• Attack Vector (AV:N): Network-based exploitation (remote attack).
• Attack Complexity (AC:L): Low – no special conditions required.
• Privileges Required (PR:N): None – unauthenticated (guest) access.
• User Interaction (UI:N): None – fully automated exploitation possible.
• Scope (S:U): Unchanged – impact confined to the vulnerable component.
• Confidentiality (C:H): High – full database access possible.
• Integrity (I:H): High – arbitrary data manipulation.
• Availability (A:H): High – potential for denial-of-service (DoS) via resource exhaustion.

Assessment: This is a critical-severity SQL injection (SQLi) vulnerability in the Creative Popup module for PrestaShop, allowing unauthenticated attackers to execute arbitrary SQL queries on the underlying database. The high CVSS score reflects the ease of exploitation, lack of authentication requirements, and severe impact on confidentiality, integrity, and availability.

---

2. Potential Attack Vectors & Exploitation Methods

Vulnerable Endpoint:

The flaw resides in the cp_download_popup() function, which is exposed to unauthenticated users. Attackers can manipulate input parameters to inject malicious SQL queries.

Exploitation Steps:

1. Reconnaissance:

   • Identify vulnerable PrestaShop instances using Creative Popup (≤1.6.9).
   • Enumerate exposed endpoints (e.g., via HTTP requests to /modules/creativepopup/).

2. SQL Injection Payload Delivery:

   • Craft a malicious HTTP request (e.g., GET or POST) targeting cp_download_popup() with manipulated parameters.
   • Example payload (simplified):

     GET /modules/creativepopup/cp_download_popup.php?id_popup=1' UNION SELECT 1,2,3,4,5,6,7,8,9,10,version(),database(),user(),14,15-- - HTTP/1.1
     

   • Successful exploitation may return database contents (e.g., usernames, passwords, customer data).

3. Post-Exploitation:

   • Data Exfiltration: Extract sensitive information (e.g., ps_customer, ps_employee tables).
   • Privilege Escalation: Modify database records to create admin accounts.
   • Remote Code Execution (RCE): If MySQL LOAD_FILE() or INTO OUTFILE is enabled, write malicious PHP files to achieve RCE.
   • Denial-of-Service (DoS): Execute resource-intensive queries (e.g., BENCHMARK()) to crash the database.

Automated Exploitation:

• Tools: SQLmap, Burp Suite, or custom scripts can automate exploitation.
• Example SQLmap Command:

  sqlmap -u "https://target.com/modules/creativepopup/cp_download_popup.php?id_popup=1" --batch --dump
  

---

3. Affected Systems & Software Versions

• Product: Creative Popup module (by WebshopWorks)
• Affected Versions: ≤ 1.6.9
• Platform: PrestaShop (all versions where the vulnerable module is installed)
• Vulnerable Function: cp_download_popup()
• Attack Surface: Publicly accessible PrestaShop stores with the module enabled.

Note: The vulnerability is not present in PrestaShop core but in a third-party module.

---

4. Recommended Mitigation Strategies

Immediate Actions:

1. Upgrade the Module:

   • Update to the latest patched version (if available) or remove the module if no fix exists.
   • Verify the vendor’s advisory: Friends of Presta Security Report.

2. Temporary Workarounds:

   • Disable the Module: Remove or disable Creative Popup until a patch is applied.
   • Web Application Firewall (WAF) Rules:
     • Deploy ModSecurity with OWASP Core Rule Set (CRS) to block SQLi attempts.
     • Example rule (simplified):

       SecRule ARGS "@detectSQLi" "id:1000,deny,status:403,msg:'SQL Injection Attempt'"
       

   • Input Sanitization: If patching is delayed, manually sanitize inputs in cp_download_popup.php (not recommended as a long-term fix).

3. Database Hardening:

   • Restrict database user permissions (avoid using root or superuser accounts).
   • Disable MySQL FILE privileges to prevent LOAD_FILE()/INTO OUTFILE attacks.

Long-Term Measures:

• Regular Vulnerability Scanning:
  • Use tools like Nessus, OpenVAS, or Burp Suite to detect SQLi vulnerabilities.
• PrestaShop Security Best Practices:
  • Keep PrestaShop core and all modules updated.
  • Monitor the PrestaShop Security Advisory for new vulnerabilities.
• Incident Response Planning:
  • Prepare for potential breaches (e.g., database backups, forensic readiness).

---

5. Impact on the European Cybersecurity Landscape

Regulatory & Compliance Risks:

• GDPR (General Data Protection Regulation):
  • Unauthorized database access may lead to personal data breaches, triggering Article 33 (Data Breach Notification) and potential fines (up to 4% of global revenue or €20M).
• NIS2 Directive (Network and Information Security):
  • Critical e-commerce operators must report significant cyber incidents, including SQLi attacks leading to data leaks.

Threat Landscape:

• Targeted Attacks:
  • PrestaShop is widely used in Europe (e.g., France, Germany, Spain), making it a prime target for cybercriminals and APT groups.
  • SQLi is a top attack vector in e-commerce, often leading to credit card theft (Magecart-style attacks) or ransomware deployment.
• Automated Exploitation:
  • Botnets (e.g., Mirai variants) may scan for vulnerable PrestaShop instances to deploy cryptominers or DDoS payloads.

Economic & Reputational Impact:

• Financial Losses: Data breaches can result in fraud, chargebacks, and legal liabilities.
• Brand Damage: Loss of customer trust may lead to reduced sales and market share.
• Supply Chain Risks: Compromised PrestaShop stores may serve as entry points for attacks on partner networks.

---

6. Technical Details for Security Professionals

Root Cause Analysis:

The vulnerability stems from improper input validation in cp_download_popup.php. The function likely constructs SQL queries using unsanitized user input (e.g., $_GET['id_popup']), allowing attackers to inject arbitrary SQL.

Example Vulnerable Code (Hypothetical):

$id_popup = $_GET['id_popup'];
$query = "SELECT * FROM " . _DB_PREFIX_ . "creative_popup WHERE id_popup = " . $id_popup;
$result = Db::getInstance()->executeS($query);

Issue: Direct concatenation of $id_popup without parameterized queries or escaping.

Exploitation Proof of Concept (PoC):

1. Basic SQLi Test:

   GET /modules/creativepopup/cp_download_popup.php?id_popup=1' HTTP/1.1
   

   • If vulnerable, this may trigger a MySQL error (e.g., You have an error in your SQL syntax).

2. Data Exfiltration:

   GET /modules/creativepopup/cp_download_popup.php?id_popup=1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,username,password,email FROM ps_employee-- - HTTP/1.1
   

   • If successful, this may return admin credentials in the response.

3. Blind SQLi (Time-Based):

   GET /modules/creativepopup/cp_download_popup.php?id_popup=1 AND IF(1=1,SLEEP(5),0)-- - HTTP/1.1
   

   • A 5-second delay confirms blind SQLi.

Forensic Indicators:

• Logs to Check:
  • Web server logs (access.log, error.log) for suspicious GET/POST requests to /modules/creativepopup/.
  • MySQL query logs for unusual UNION SELECT or INFORMATION_SCHEMA queries.
• Database Artifacts:
  • Unexpected entries in ps_customer or ps_employee tables.
  • Unauthorized database users or schema modifications.

Detection & Hunting:

• SIEM Rules (e.g., Splunk, ELK):

  index=web_logs uri_path="/modules/creativepopup/cp_download_popup.php" | regex _raw=".*(UNION|SELECT|INSERT|DELETE|DROP|--|;).*"
  

• YARA Rule (for Malicious Payloads):

  rule PrestaShop_SQLi_CVE_2023_45381 {
      strings:
          $sqli = /(UNION\s+SELECT|1=1|--\s|;\s*DROP|INTO\s+OUTFILE)/ nocase
      condition:
          $sqli
  }
  

---

Conclusion & Recommendations

EUVD-2023-49673 (CVE-2023-45381) is a critical SQL injection vulnerability in the Creative Popup module for PrestaShop, posing severe risks to confidentiality, integrity, and availability. Given its CVSS 9.8 score and unauthenticated attack vector, immediate action is required:

1. Patch or Remove the vulnerable module.
2. Deploy WAF rules to block SQLi attempts.
3. Monitor logs for exploitation attempts.
4. Conduct a forensic review if compromise is suspected.
5. Ensure GDPR/NIS2 compliance in incident response.

European organizations using PrestaShop must prioritize this vulnerability due to its high exploitability and regulatory implications. Proactive mitigation is essential to prevent data breaches, financial fraud, and reputational damage.

For further details, refer to:

• Friends of Presta Security Advisory
• CVE-2023-45381 (MITRE)