IA Informática Valencia

CVE-2022-46639 Directory traversal in the descarga_etiqueta.php component of Correos Prestashop 1.7.x

CVE Ref:  CVE-2022-46639
Release Date: 2022/12/05
Discovery Credits: Andrea Iodice
Bulletin Author:  IA - Informática Avanzada
Contact: andrea@ia-informatica.com
Vulnerability Type:  Directory Traversal / SSRF
Vulnerable Application:  Prestashop (1.7)

Correos Module v1.1.0.0 and v1.2.0.0 for Prestashop 1.7.x, a Prestashop module, allows remote attackers to read local files and attack intranet hosts.

File: modules/correosoficial/descarga_etiqueta.php
Vulnerable Argument(s): $_REQUEST['filename'] and $_REQUEST['path']

Proof of Concept:
REQUEST PARAMETERS: http://hostname/modules/correosoficial/descarga_etiqueta.php?path=X&filename=X.

modules/correosoficial/descarga_etiqueta.php in Correos-PrestaShop Module v1.2.0.0 for PrestaShop 1.7.x allows remote attackers to read local files and attack intranet hosts via the "path" and "filename" parameters.

Remote users can read all files inside and outside the document root, so credentials can be compromised.

Root Cause:
The descarga_etiqueta.php component of Correos uses the PHP function `readfile` without sanitizing the parameters.

Validate all user input, block all paths outside your PDF folder, and add an authorization header.
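
The three recommendations above, applied to a label download handler. This is an added example, not the Correos module's code. The `LABEL_DIR` folder, the `LABEL_DOWNLOAD_TOKEN` environment variable and the function names `resolveLabel` and `isAuthorized` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed folder holding the generated labels; nothing else is ever served.
const LABEL_DIR = __DIR__ . '/labels';

// Map a user-supplied name to a real file inside $baseDir, or null.
function resolveLabel(string $baseDir, string $filename): ?string
{
    // Allow-list: bare name ending in .pdf. This rejects '/', '\', '..', NUL
    // bytes and URL/stream wrappers such as http:// or php://.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.pdf\z/', $filename)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $filename);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // Containment check after symlinks are resolved.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Hypothetical bearer-token check standing in for the shop's own access control.
function isAuthorized(array $server): bool
{
    $expected = getenv('LABEL_DOWNLOAD_TOKEN'); // assumed secret, set by the admin
    $given = $server['HTTP_AUTHORIZATION'] ?? '';
    return is_string($expected) && $expected !== '' && is_string($given)
        && hash_equals('Bearer ' . $expected, $given);
}

if (PHP_SAPI !== 'cli') {
    if (!isAuthorized($_SERVER)) {
        http_response_code(401);
        exit;
    }
    // Only 'filename' is read; the 'path' parameter is ignored entirely.
    $name = $_GET['filename'] ?? '';
    $file = is_string($name) ? resolveLabel(LABEL_DIR, $name) : null;
    if ($file === null) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="' . basename($file) . '"');
    header('Content-Length: ' . filesize($file));
    readfile($file);
}
```

Because the directory is fixed server-side and the name is matched against an allow-list before `readfile` is reached, the same check closes both the traversal and the SSRF path.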
