CVE-2019-19594 Remote Code Execution in Adobe Stock API Integration for PrestaShop
CVE Ref:
CVE-2019-19594
Release Date: 2019/12/05
Discover Credits: Andrea Iodice
Bulletin Author: IA - Informática Avanzada
Contact: andrea@ia-informatica.com
Type:
Remote Code Execution
Level: High
CVSS: ??
Vulnerable Application: Prestashop (1.6 - 1.7)
Overview:
Adobe Stock API Integration for PrestaShop
is a module that allow multiple vulnerabilities.
Scope:
File: reset/modules/fotoliaFoto/multi_upload.php
Vulnerable Argument(s): $_FILES[´afme_multiupload´]
Scope:
File: reset/modules/fotoliaFoto/multi_upload.php
Vulnerable Argument(s): $_FILES[´afme_multiupload´]
Proof of Concept:
POST FILES: http://hostname/reset/modules/fotoliaFoto/multi_upload.php, uploads files are in the default Prestashop image dir hostname/img/wlasne_foto/
Description:
reset/modules/advanced_form_maker_edit/multiupload/upload.php in the RESET.PRO Adobe Stock API integration 4.8 for PrestaShop allows remote attackers to execute arbitrary code by uploading a .php file.
Solutions:
Disable function exec(), passthru(), shell_exec(), system(), delete or edit the vulnerable file. Disable PHP in images dir.
info@ia-informatica.com
+34 693 591 299
