The PrestaShop e-commerce platform module EU Cookie Law GDPR (Banner + Blocker) contains a Blind SQL injection vulnerability up to version 2.1.2. This module is widely deployed and is a “Best seller” on the add-ons store.
This vulnerability permits reading the shop’s database, allowing access to PII, and installing malware such as credit card stealers.
The vulnerability lies in a cookie used by the module to store the user’s choices.
For newer versions of the module, the cookie
lgcookieslaw contains a Base64 encoded JSON object instead of CSV.
To exploit these versions, you’ll need to modify the
lgcookieslaw_accepted_purposes of the object and then reencode to Base64:
"lgcookieslaw_accepted_purposes":"[\"1\",\"2\",\"3\",\"4\",\"5 AND SLEEP(5)"]"
For older versions set the
__lglaw cookie to
1,2,3,4) AND SLEEP(5)--.
Users should update to version 2.1.3 of the module.
Kudos to the vendor for their politeness and for promptly confirming and releasing a fix for the vulnerability.