IA Informática Valencia

CVE-2022-46639 Directory traversal in the descarga_etiqueta.php component of Correos Prestashop 1.7.x

CVE Ref:  CVE-2022-46639
Release Date: 2022/12/05
Discovery Credits: Andrea Iodice
Bulletin Author:  IA - Informática Avanzada
Contact: andrea@ia-informatica.com
Vulnerability Type:  Directory Traversal / SSRF
Vulnerable Application:  Prestashop (1.7)

Overview:
Correos Module v1.1.0.0 and v1.2.0.0 for PrestaShop 1.7.x, a PrestaShop module, allows remote attackers to read local files and attack intranet hosts.

Scope:
File: modules/correosoficial/descarga_etiqueta.php
Vulnerable Argument(s): `$_REQUEST['filename']` and `$_REQUEST['path']`

Proof of Concept:
REQUEST PARAMETERS: http://hostname/modules/correosoficial/descarga_etiqueta.php?path=X&filename=X

Description:
modules/correosoficial/descarga_etiqueta.php in Correos-PrestaShop Module v1.2.0.0 for PrestaShop 1.7.x allows remote attackers to read local files and attack intranet hosts via the "path" and "filename" parameters.

Impact:
Remote users can read all files inside and outside the document root; credentials can be compromised.

Root Cause:
The descarga_etiqueta.php component of Correos uses the PHP function `readfile` without sanitizing the parameters.

Solutions:
Validate all user input, block all paths outside your PDF folder, and add an authorization header.
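
A download handler that applies the three measures above, as an added example: it is not the Correos module's code or the vendor's fix. `LABEL_DIR`, `resolve_label()`, `send_label()` and the `$isAuthorized` flag are hypothetical names, and the authorization decision is assumed to come from the shop's own session or token check.

```php
<?php
// Added example, not the module's code. LABEL_DIR, resolve_label() and
// send_label() are hypothetical; $isAuthorized is assumed to be computed
// by the shop's own session or token check.
const LABEL_DIR = '/var/www/shop/labels_pdf'; // assumed PDF folder

// Map a requested name to a file inside $baseDir, or null to reject.
function resolve_label($name, string $baseDir = LABEL_DIR): ?string
{
    // Bare file name only: no "/", "..", or "scheme://" (readfile() honours
    // stream wrappers, which is how a file-read bug also becomes SSRF).
    if (!is_string($name) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\.pdf\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves symlinks and returns false for missing files.
    $full = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // Containment check: the resolved path must still sit under the base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// The directory is fixed server-side; a client-supplied "path" is never read.
function send_label(array $request, bool $isAuthorized): bool
{
    if (!$isAuthorized) {
        http_response_code(403);
        return false;
    }
    $file = resolve_label($request['filename'] ?? null);
    if ($file === null) {
        http_response_code(404);
        return false;
    }
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="' . basename($file) . '"');
    header('Content-Length: ' . filesize($file));
    return readfile($file) !== false;
}

send_label($_REQUEST, false); // default deny; pass the real authorization result
```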
