PrestaShop is a popular open source e-commerce platform known for its extensive use for businesses worldwide. A recent security vulnerability has been discovered in versions prior to 8.1.1, allowing an attacker to delete files from the server via the CustomerMessage API. This blog post provides an in-depth look at the vulnerability, its exploit details, and the patch provided in version 8.1.1. No workarounds are available, making it crucial for users to upgrade to the latest PrestaShop version.
Vulnerability Details (CVE-2023-39530)
Before understanding the vulnerability, let's briefly discuss the CustomerMessage API. This API is used to handle messages exchanged between customers and shop administrators. It plays a significant role in the overall customer service experience.
The vulnerability lies in the file deletion functionality of the API. An attacker can exploit this issue and delete arbitrary files from the server, potentially leading to a Denial of Service (DoS) situation or loss of critical data. This vulnerability has been assigned the CVE identifier CVE-2023-39530.
The vulnerable code snippet is as follows
// customerMessage.php
public function delete()
{
if (!empty($this->attachment)) {
unlink(_PS_UPLOAD_DIR_.$this->attachment);
}
return parent::delete();
}
In the code snippet, the
unlink
function is called to delete the specified file from the "_PS_UPLOAD_DIR_". However, the code does not properly validate the user's permissions, nor does it sanitize the user-inputted file path. This enables an attacker to manipulate the input and delete any file on the server.
Exploit Details
To exploit this vulnerability, the attacker would need to craft a malicious request to the CustomerMessage API. This would involve modifying the "attachment" parameter to target a specific file on the server. For example, consider the following request:
POST /api/customermessages HTTP/1.1
Host: target
Content-Type: application/x-www-form-urlencoded
Authorization: Basic YWRtaW46YWRtaW4=
attachment=../../../../../etc/password
In this example, the attacker has set the "attachment" parameter to "../../../../../etc/password". This points to the server's password file, which the API will attempt to delete due to the lack of proper input validation. If successful, the attacker would delete a vital file from the server, possibly causing a disruption in service.
Patching the Vulnerability
To address this issue, PrestaShop has released version 8.1.1, which contains a patch that fixes the security hole. The patched code now validates the user's permissions and sanitizes the input file path. Users are urged to upgrade to this version.
Links to Original References
1. PrestaShop GitHub Repository - CustomerMessage Class
2. PrestaShop 8.1.1 Release Notes
Conclusion
The discovery of CVE-2023-39530 highlights the importance of regularly updating software and staying vigilant for security vulnerabilities in web applications. In this case, PrestaShop users should immediately upgrade to version 8.1.1 to protect themselves from potential attacks. Developers should also prioritize the secure coding practices to mitigate such vulnerabilities at the source.
Timeline
Published on: 08/07/2023 21:15:00 UTC
Last modified on: 08/09/2023 19:36:00 UTC