Unauthenticated Blind SQL Injection Vulnerability In PEEL Shopping (CVE-2021-37593)

NetbyteSEC Security Advisory - Unauthenticated Blind SQL Injection vulnerability In PEEL Shopping

Title: Unauthenticated Blind SQL Injection vulnerability In PEEL Shopping
Advisory ID: NBS-2021-0001
Product: PEEL Shopping
Vulnerable Version: 9.4.0
Fixed Version: 9.4.0.1
CVE ID: CVE-2021-37593
Homepage: https://www.peel-shopping.com/
Date of Discovery: 10 July 2021
Author: Mohammad Faisal Sammio | NetbyteSEC

 
Vendor/product description:

"PEEL SHOPPING is a free ecommerce CMS in PHP / MySQL, that is to say a modern and safety management tool that lets you manage your product catalog, the text on your website and everything else from a single, simple and efficient administrative interface. Since 2004, PEEL brings innovation and reliability to the world of e-commerce by offering tailored solutions to create complete and simple online shops at suitable prices for everyone."

Source: https://www.peel-shopping.com/


Vulnerability overview:

PEEL Shopping version 9.4.0 allows remote SQL injection. A public user/guest (unauthenticated) can inject a malicious SQL query in order to affect the execution of predefined SQL commands. Upon a successful SQL injection attack, an attacker can read sensitive data from the database and possibly modify database data.

 

Technical details:

Three (3) files are associated with the vulnerability, as described in the technical details below: produit_details.php, fonctions.php and configuration.inc.php.

 

Figure 1: file - achat/produit_details.php

line 22 - product_infos is initialized with array() to hold the product info values.

 

Figure 2: file - achat/produit_details.php

line 55 - product_infos takes request input (user-controlled) from the id parameter and passes it, without sanitization, as an argument to the get_product_infos() function.

** Since id is an integer, the proper sanitization method would be intval().
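
The difference between passing the id parameter through unchanged and applying intval() can be seen in the following added example, which is not PEEL Shopping source code. The products table, the lookup_* function names and the use of in-memory SQLite in place of MySQL are assumptions made so the script runs offline.

```php
<?php
// Added illustration; not PEEL Shopping source. The table, columns and the
// lookup_* function names are hypothetical. In-memory SQLite stands in for
// MySQL so the script runs offline (requires the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO products VALUES (12, 'Mug'), (13, 'Poster'), (14, 'Lamp')");

// Pattern described in the advisory: the raw request value reaches the SQL text.
function lookup_unsanitized(PDO $db, $id): array
{
    return $db->query('SELECT id, name FROM products WHERE id = ' . $id)
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Fix named in the advisory: intval() keeps a leading number and maps
// non-numeric text to 0, so only an integer can reach the statement.
function lookup_intval(PDO $db, $id): array
{
    return $db->query('SELECT id, name FROM products WHERE id = ' . intval($id))
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Defence in depth (added here, not from the advisory): bind the value so it
// is never parsed as SQL, whatever it contains.
function lookup_bound(PDO $db, $id): array
{
    $stmt = $db->prepare('SELECT id, name FROM products WHERE id = :id');
    $stmt->bindValue(':id', intval($id), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample values for the id request parameter.
foreach (['12', '12 OR 1=1', 'abc'] as $id) {
    foreach (['lookup_unsanitized', 'lookup_intval', 'lookup_bound'] as $fn) {
        try {
            $result = count($fn($db, $id)) . ' row(s)';
        } catch (PDOException $e) {
            $result = 'SQL error'; // the input changed the statement's syntax
        }
        printf("%-20s id=%-12s -> %s\n", $fn, var_export($id, true), $result);
    }
}
```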