[CVE-2024-25846] Unrestricted Upload of File with Dangerous Type in MyPrestaModules – Product Catalog (CSV, Excel) Import module for PrestaShop

PrestaShop Security Advisory

In the module “Product Catalog (CSV, Excel) Import” (simpleimportproduct) up to version 6.7.0 from MyPrestaModules for PrestaShop, a guest can upload files with extensions .php.

Summary

  • CVE ID: CVE-2024-25846
  • Published at: 2024-02-27
  • Platform: PrestaShop
  • Product: simpleimportproduct
  • Impacted release: <= 6.7.0 (6.7.1 ““fixed”” the vulnerability - See note below)
  • Product author: MyPrestaModules
  • Weakness: CWE-434
  • Severity: critical (10)

Description

The method Send::__construct() allows the upload of .zip files, which can be auto uncompress in a predictable directory, author tries to protect it with a.htaccess, but since we can forge a zip with a custom .htaccess and a PHP payload, it will lead to a critical vulnerability CWE-94.

WARNING : Be warned that this exploit will bypass the majority of WAF (zipped payload with htaccess auto-hijacked)

Note : The author has moved its exposed ajax script which suffers a critical issue to the front controller under an unpredictable token. It remains a critical vulnerability issue with a CVSS 3.1 score 9.1/10

CVSS base metrics

  • Attack vector: network
  • Attack complexity: low
  • Privilege required: none
  • User interaction: none
  • Scope: changed
  • Confidentiality: high
  • Integrity: high
  • Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

  • Obtain admin access
  • Remove data from the associated PrestaShop
  • Steal data

Other recommendations

  • It’s recommended to upgrade to the latest version of the module simpleimportproduct.
  • Activate OWASP 933’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against this set of rules.

Timeline

DateAction
2023-05-28Issue discovered during a code review by TouchWeb.fr
2023-05-28Contact PrestaShop Addons security Team to confirm version scope
2023-06-01PrestaShop Addons security Team confirms version scope
2023-11-15Author provide a patch
2024-02-22Received CVE ID
2024-02-27Publish this security advisory

READ MORE