May 30 2023

Following the report of a vulnerability in HikaShop, we released today a new version of HikaShop that addresses this vulnerability.
Let's dive into the details.

On May 30th 2023, two security researchers reported a vulnerability in HikaShop. You can read more about it on this GitHub issue.
Basically, it allows anyone with access to the order management in the HikaShop backend to use a MySQL injection to extract data from the database.
This is caused by a missing server-side check when saving the payment method selection from the additional information popup, AND a missing check when the payment method id of the order is used to load the custom order fields.
This follows the addition of the "payment methods" restriction setting for custom fields of the "order" table in HikaShop 4.4.1, so prior versions of HikaShop are not affected.

We've added two patches for this:

  • In the file administrator/components/com_hikashop/classes/order.php we've changed the line:
    from:
    $order->order_payment_id = $safeHtmlFilter->clean($payment_id,'string');
    to:
    $order->order_payment_id = (int)$safeHtmlFilter->clean($payment_id,'string');
    in order to make sure that the payment method id is really an id (an integer) and that nothing else can be stored in it.

  • In the file administrator/components/com_hikashop/classes/field.php we've changed the line:
    from:
    $this->where[] = '( a.field_payment_id = "" OR a.field_payment_id LIKE \'%,'.$categories['payment'].',%\' )';
    to:
    $this->where[] = '( a.field_payment_id = "" OR a.field_payment_id LIKE \'%,'.(int)$categories['payment'].',%\' )';
    in order to make sure that even if the payment method id of an order contains something other than an integer (for whatever reason), that value is not used in the MySQL query that loads the custom fields.
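To show what the two casts actually change, here is an added example that is not HikaShop's code. It models both patched spots with stand-in functions (the names orderPaymentIdBefore/After, paymentWhereBefore/After and cleanString are hypothetical); cleanString is an assumed stand-in for Joomla's HTML input filter, which strips tags but does not make a value safe for SQL. The sample inputs are constructed.

```php
<?php
// Added example, not HikaShop's own code. It models the two patched spots with
// stand-in functions so the effect of the (int) cast can be observed directly.

// Assumed stand-in for Joomla's InputFilter::clean($value, 'string'): it strips
// HTML tags, but it does NOT make a value safe to embed in a SQL statement.
function cleanString(string $value): string
{
    return strip_tags($value);
}

// order.php, before the patch: whatever survives the HTML filter is stored as-is.
function orderPaymentIdBefore(string $payment_id): string
{
    return cleanString($payment_id);
}

// order.php, after the patch: the value is cast to int, so only a number is stored.
function orderPaymentIdAfter(string $payment_id): int
{
    return (int)cleanString($payment_id);
}

// field.php, before the patch: the stored id is concatenated straight into the WHERE clause.
function paymentWhereBefore($payment): string
{
    return '( a.field_payment_id = "" OR a.field_payment_id LIKE \'%,' . $payment . ',%\' )';
}

// field.php, after the patch: the cast guarantees that only digits reach the query,
// even when an order row already holds a malformed payment id.
function paymentWhereAfter($payment): string
{
    return '( a.field_payment_id = "" OR a.field_payment_id LIKE \'%,' . (int)$payment . ',%\' )';
}

// Constructed sample values: a normal id and two values that are not plain integers.
$samples = ['3', '3 <b>extra</b> text', 'not-a-number'];

foreach ($samples as $value) {
    // The "before" stored value is deliberately fed to both WHERE builders, to show
    // that the second patch protects the query even if the first one were missing.
    $storedBefore = orderPaymentIdBefore($value);
    echo "input: " . var_export($value, true) . PHP_EOL;
    echo "  stored before patch: " . var_export($storedBefore, true) . PHP_EOL;
    echo "  stored after patch:  " . var_export(orderPaymentIdAfter($value), true) . PHP_EOL;
    echo "  WHERE before patch:  " . paymentWhereBefore($storedBefore) . PHP_EOL;
    echo "  WHERE after patch:   " . paymentWhereAfter($storedBefore) . PHP_EOL;
}
```

Run it with `php example.php`: the normal id is unchanged, '3 <b>extra</b> text' is stored as the integer 3 after the patch, and 'not-a-number' becomes 0. The two casts are independent layers: the one in order.php stops a malformed id from being stored, and the one in field.php stops any value already in the database from being interpolated as anything other than an integer.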

We highly recommend that you update to the latest version of HikaShop, which is now available. It will add these changes for you. But if, for some reason, you can't update your HikaShop, you can manually apply these changes on your end.

Keep in touch folks.
Team HikaShop