IA Informática Valencia

Remote Command Execution in Prestashop

CVE Ref: CVE-2018-19355
Release Date: 2018/11/18
Discover Credits: Andrea Iodice
Bulletin Author: IA - Informática Avanzada
Contact: andrea@ia-informatica.com
Type: Remote Command Execution
Level: High
CVSS: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:W/RC:C/CDP:H/TD:L/CR:H/IR:H/AR:H)
Vulnerable Application: Prestashop (1.5 to 1.7)

Overview:
The Customer File Upload addon for PrestaShop 1.5 through 1.7 allows remote attackers to execute arbitrary code by uploading a PHP file.

Scope:
File: /modules/orderfiles/ajax/upload.php
Vulnerable Argument(s): $_POST,$_FILES

Proof of Concept: 
http://site/modules/orderfiles/upload.php;
The request needs the POST parameter $_POST['auptype'] and an uploaded file in $_FILES.
There are 3 cases: $_POST['auptype'] = product, order or cart.

CASE 1:
If $_POST['auptype'] = product, the module creates a cookie named "ftpr"; the cookie's value is the name of the folder where the file will be uploaded:
$cookieid=date("U").$module->generatekey(5,"abcdfghijklmnouprstuwxyz1234567890");
setcookie("ftpr", $cookieid, time()+86400, "/");
$module->insertfilestoproduct($_POST,$_FILES,$cookieid,1);
so the file will be in /modules/productfiles/$cookieid/$_FILES["file"]["name"]

CASE 2:
If $_POST['auptype'] = cart, a $_POST['idcart'] parameter is also needed:
$module->insertfilestocart($_POST,$_FILES,1);
so the file will be in /modules/cartfiles/$_POST['idcart']/$_FILES["file"]["name"]

CASE 3:
If $_POST['auptype'] = order, a $_POST['oid'] parameter is also needed:
$module->insertphotoajax($_POST,$_FILES);
so the file will be in /modules/files/$_POST['oid']/$_FILES["file"]["name"]

Description:
modules/orderfiles/upload.php in the Customer File Upload addon for PrestaShop 1.5 through 1.7 allows remote attackers to upload a PHP file and execute arbitrary PHP code via the uploaded file.

Solutions:
For security reasons, it is better to disable the functions exec(), passthru(), shell_exec() and system().
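
To check whether a shop already holds uploaded scripts, the three storage locations listed in the proof of concept can be audited for files the web server might execute as PHP. The script below is an added example, not part of the original bulletin or of the module's code. The extension list, the content markers and the function names classify and audit are assumptions to adapt to the server's configuration.

```python
import os
import sys

# Upload locations named in the bulletin, relative to the shop root.
UPLOAD_DIRS = ("modules/productfiles", "modules/cartfiles", "modules/files")
# Assumption: extensions commonly mapped to the PHP handler; adjust to the server.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".pht", ".phar"}
# Heuristic content markers, searched only in the first bytes of each file.
PHP_MARKERS = (b"<?php", b"<?=")


def classify(path, head_bytes=65536):
    """Return the reasons why `path` looks like server-executable PHP."""
    reasons = []
    name = os.path.basename(path).lower()
    # Inspect every dot-separated part so a name like photo.php.jpg is caught.
    parts = {"." + p for p in name.split(".")[1:]}
    if parts & PHP_EXTENSIONS:
        reasons.append("php-extension")
    try:
        with open(path, "rb") as fh:
            head = fh.read(head_bytes)
    except OSError:
        return reasons + ["unreadable"]
    if any(marker in head for marker in PHP_MARKERS):
        reasons.append("php-open-tag")
    return reasons


def audit(shop_root):
    """Walk the three upload directories; return sorted [(relative_path, reasons)]."""
    findings = []
    for rel in UPLOAD_DIRS:
        base = os.path.join(shop_root, rel)
        for dirpath, _dirs, files in os.walk(base):  # missing dirs yield nothing
            for fname in files:
                full = os.path.join(dirpath, fname)
                reasons = classify(full)
                if reasons:
                    findings.append((os.path.relpath(full, shop_root), reasons))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_uploads.py /path/to/prestashop
    for rel_path, why in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel_path}\t{','.join(why)}")
```

Any legitimate index.php placeholder files inside these directories are listed as well and have to be reviewed by hand.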
