[CVE-2024-28386] Improper Neutralization of Special Elements used in an OS Command in the Home-Made.io – FastMag Sync module for PrestaShop

PrestaShop Security Advisory

In the module “Fast Mag Sync” (fastmagsync) up to version 1.7.52 from Home-Made.io for PrestaShop, an unauthenticated guest can inject arbitrary executable code into an OS command built by the module.

Summary

  • CVE ID: CVE-2024-28386
  • Published at: 2024-03-19
  • Advisory source: Friends-of-presta.org
  • Platform: PrestaShop
  • Product: fastmagsync
  • Impact release: <= 1.7.52 (1.7.53 fixed the vulnerability)
  • Product author: Home-Made.io
  • Weakness: CWE-78
  • Severity: critical (10)

Description

The function getPhpBin() does not properly sanitize the PHP binary path it builds, so an attacker can inject arbitrary executable code into the command sequence that uses it.
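As an added illustration (this is not the fastmagsync module's own code), the following PHP shows how a function in the position of getPhpBin() can derive a PHP binary path safely. It mirrors the tokenisation visible in the advisory's patch (explode on ".", drop the first element, re-join the rest) but validates the result with an anchored, digit-only pattern before it is allowed anywhere near a filesystem path or a shell command, and quotes the final value with escapeshellarg(). The function names (extractPhpVersion, phpBinPath, buildPhpCommand) and the sample $hosting values are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added, illustrative hardening; not code from the fastmagsync module.
// Function names and sample inputs below are assumptions made for the example.

/**
 * Extract "MAJOR.MINOR[.PATCH]" from a hosting tag such as "php.8.1".
 * Returns null for anything that is not exactly a dotted version number.
 */
function extractPhpVersion(string $hosting): ?string
{
    $parts = explode('.', $hosting);
    if (count($parts) < 2) {
        return null;
    }
    array_shift($parts);            // drop the leading label, as the module does
    $version = implode('.', $parts);

    // ^ and $ anchor the whole string; \d and \. are the real digit and dot
    // tokens. Nothing but digits and dots in the expected shape gets through.
    if (preg_match('/^\d{1,2}\.\d{1,2}(?:\.\d{1,3})?$/', $version) !== 1) {
        return null;
    }
    return $version;
}

/**
 * Build the interpreter path. Returns null if the version did not validate
 * or the binary is not present, so a caller can never fall through to an
 * attacker-influenced path.
 */
function phpBinPath(string $hosting, string $prefix = '/usr/local/php'): ?string
{
    $version = extractPhpVersion($hosting);
    if ($version === null) {
        return null;
    }
    $bin = $prefix . $version . '/bin/php';
    return is_executable($bin) ? $bin : null;
}

/**
 * Compose the command line for running a script. Both arguments are wrapped
 * in escapeshellarg(), so even an already validated value is never
 * interpolated raw into the shell.
 */
function buildPhpCommand(string $bin, string $script): string
{
    return escapeshellarg($bin) . ' ' . escapeshellarg($script);
}

// Constructed inputs: the first two are benign; the others carry extra
// tokens or shell metacharacters that an unanchored "digit.digit" check
// would still accept because a matching pair appears somewhere inside them.
$samples = [
    'php.8.1',
    'php.8.1.27',
    'php.8.1; ls',
    'php.8.1/../../tmp/x',
    'nodot',
];
foreach ($samples as $hosting) {
    $version = extractPhpVersion($hosting);
    printf("%-26s -> %s\n", var_export($hosting, true), $version ?? 'REJECTED');
}
```

The split between extractPhpVersion() and phpBinPath() keeps the validation pure and testable without a filesystem, while phpBinPath() adds the is_executable() check as a second gate: a value that passes the regex but does not correspond to an installed interpreter is rejected instead of being handed to the shell.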

CVSS base metrics

  • Attack vector: network
  • Attack complexity: low
  • Privilege required: none
  • User interaction: none
  • Scope: changed
  • Confidentiality: high
  • Integrity: high
  • Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Possible malicious usage

  • Control and hijack a PrestaShop

Patch from 1.7.51

--- 1.7.51/modules/fastmagsync/crons/common.php
+++ XXXXXX/modules/fastmagsync/crons/common.php
...
        $get_version = explode('.', $hosting);
        if (count($get_version) > 1) {
            array_shift($get_version);
+           if(preg_match('/[d].[d]/i',implode('.', $get_version))){
-           $php_version = implode('.', $get_version);
+              $php_version = implode('.', $get_version);
+           }
        }
        $php_bin = '/usr/local/php' . $php_version . '/bin/php';
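Review bot: the guard added at `if(preg_match('/[d].[d]/i',implode('.', $get_version))){` does not validate what it appears to. As written, `[d]` is a character class containing the literal letter d, not the digit shorthand `\d`, and the unescaped `.` matches any single character, so the pattern matches a d, any character, then another d, and would not match a version such as `8.1` at all; the `/i` flag adds nothing for a digit check. The pattern is also unanchored, so even with `\d\.\d` any string containing a digit, a dot and a digit anywhere would pass, leaving the rest of the value free to reach `$php_bin = '/usr/local/php' . $php_version . '/bin/php';`. Suggest an anchored, digit-only pattern such as `/^\d+(\.\d+)*$/` and initialising `$php_version` to a safe default before the `if`, since on a failed match it keeps whatever value it held earlier (not visible in this excerpt).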

Other recommendations

  • It’s recommended to upgrade to the latest version of the module fastmagsync.
  • Activate the OWASP CRS rule groups 932 (remote command execution) and 933 (PHP injection) on your WAF (web application firewall); be warned that you will probably break your back office and will need to pre-configure some exclusions for this set of rules.

Timeline

Date         Action
2023-10-28   Issue discovered during a code review by TouchWeb.fr
2023-10-28   Contact author to confirm version scope
2023-10-28   Author confirms version scope and provides a patch
2024-03-11   Received CVE ID
2024-03-19   Publish this security advisory
