Unauthenticated Blind SQL Injection Vulnerability In PEEL Shopping (CVE-2021-37593)
NetbyteSEC Security Advisory - Unauthenticated Blind SQL Injection vulnerability In PEEL Shopping
Title: Unauthenticated Blind SQL Injection vulnerability In PEEL Shopping
Advisory ID: NBS-2021-0001
Product: PEEL Shopping
Vulnerable Version: 9.4.0
Fixed Version: 126.96.36.199
CVE ID: CVE-2021-37593
Date of Discovery: 10 July 2021
Author: Mohammad Faisal Sammio | NetbyteSEC
"PEEL SHOPPING is a free ecommerce CMS in PHP / MySQL, that is to say a modern and safety management tool that lets you manage your product catalog, the text on your website and everything else from a single, simple and efficient administrative interface. Since 2004, PEEL brings innovation and reliability to the world of e-commerce by offering tailored solutions to create complete and simple online shops at suitable prices for everyone."
PEEL Shopping version 9.4.0 allows remote SQL injection. A public user/guest (unauthenticated) can inject a malicious SQL query in order to affect the execution of predefined SQL commands. Upon a successful SQL injection attack, an attacker can read sensitive data from the database and possibly modify database data.
Three (3) files are associated with the vulnerability, as described in the technical details below: produit_details.php, fonctions.php and configuration.inc.php.
Figure 1: file - achat/produit_details.php
Line 22: product_infos is initialized with array() to hold the product info values.
Figure 2: file - achat/produit_details.php
Line 55: product_infos is populated from user-controlled request input. The id parameter is passed, without being sanitized, as an argument to the get_product_infos() function.
Since id is an integer, the proper sanitization method would be intval().
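The advisory names intval() as the fix for the integer id parameter. The following is an added example, not PEEL's code and not part of the advisory, showing that coercion next to strict validation and a bound query parameter. The products table, the function names and the sample id values are constructed for illustration, and SQLite in memory stands in for MySQL so that it runs stand-alone.

```php
<?php
declare(strict_types=1);

// Hypothetical demo database; schema and rows are constructed for this example.
function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO products (id, name) VALUES (1, 'Lamp'), (2, 'Chair')");
    return $db;
}

// Strict check: accept only a well-formed positive integer, reject everything else.
// intval() alone would coerce malformed input to a number instead of rejecting it.
function parse_product_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hypothetical lookup (not PEEL's get_product_infos()). The id is bound as an
// integer parameter, so it never becomes part of the SQL text.
function find_product(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = open_demo_db();
// Constructed sample values for the id request parameter.
$samples = ['2', '2abc', '2 OR 1=1', 'abc', '', '-5', ['2']];
foreach ($samples as $raw) {
    // intval() on a non-empty array returns 1, so only coerce scalars here.
    $coerced = is_scalar($raw) ? intval($raw) : 0;
    $strict  = parse_product_id($raw);
    $result  = $strict === null
        ? 'not queried'
        : (find_product($db, $strict)['name'] ?? 'not found');
    printf("%-12s intval=%d strict=%s -> %s\n", json_encode($raw), $coerced,
        $strict === null ? 'rejected' : (string) $strict, $result);
}
```

The intval column shows that coercion strips any trailing SQL from the value but still accepts the malformed request, while the strict column rejects it before any query runs.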