CVE Ref:  CVE-2022-46639

Release Date: 2022/12/05

Vulnerability Type:  Directory Traversal / SSRF

Vulnerable Application:  Prestashop (1.7)

Overview:

Correos Module v1.1.0.0 and v1.2.0.0 for Prestashop 1.7.x

a Prestashop module allows remote attackers to read local files and attack intranet hosts.

Scope:
File: modules/correosoficial/descarga_etiqueta.php
Vulnerable Argument(s): $_REQUEST[´filename´] and $_REQUEST[´path´]

Proof of Concept:

REQUEST PARAMETERS: http://hostname/modules/correosoficial/descarga_etiqueta.php?path=X&filename=X.

Description:
modules/correosoficial/descarga_etiqueta.php in Correos-PrestaShop Module v1.2.0.0 for PrestaShop 1.7.x allows remote attackers to read local files, attack intranet hosts via "path" and "filename" parameters

Impact:
Remote users can read all files inside and outside the document root, credentials can be compromised

Root Cause:
The descarga_etiqueta.php component of Correos use the PHP function `readfile`, without sanitize the parameters

Solutions:

Validate all user input, block all paths outside the your PDF folder, add an authorization header