[CVE-2023-39525][CVE-2023-39529][CVE-2023-39530] path traversal: file deletion in the backoffice

PrestaShop is an open source e-commerce web application. Prior to version 8.1.1, in the back office, files can be compromised using path traversal by replaying the import file deletion query with a specified file path that uses the traversal path. Version 8.1.1 contains a patch for this issue. There are no known workarounds.

Summary

• CVE ID: CVE-2023-39525 & CVE-2023-39529 & CVE-2023-39530
• Published at: 2023-08-07
• Advisory source: PrestaShop & PrestaShop & PrestaShop
• Platform: PrestaShop
• Product: PrestaShop
• Impacted release: <= 8.1.0 (Patched versions 8.1.1)
• Weakness: CWE-22
• Severity: high (6.7)

Description

A administrator can forge a request to remove any file in the installed PrestaShop by exploiting the import feature or via Customer Messages feature.

CVSS base metrics

• Attack vector: network
• Attack complexity: low
• Privilege required: high
• User interaction: none
• Scope: unchanged
• Confidentiality: Low
• Integrity: high
• Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H

Possible malicious usage

• Remove htaccess to unlock logs or sensitive directories containing technical or personnal data.

Patch

CVE-2023-39525

--- a/src/Core/Import/File/FileRemoval.php
+++ b/src/Core/Import/File/FileRemoval.php
@@ -52,6 +52,7 @@ public function __construct(ImportDirectory $importDirectory)
     public function remove($filename)
     {
         $fs = new Filesystem();
+        $filename = basename($filename);
         $filesToRemove = [
             $this->importDirectory . $filename,
             $this->importDirectory . 'csvfromexcel/' . $filename,

CVE-2023-39529

--- a/classes/Attachment.php
+++ b/classes/Attachment.php
@@ -111,7 +111,7 @@ public function update($nullValues = false)
     public function delete()
     {
         if (file_exists(_PS_DOWNLOAD_DIR_ . $this->file)) {
-            @unlink(_PS_DOWNLOAD_DIR_ . $this->file);
+            @unlink(_PS_DOWNLOAD_DIR_ . basename($this->file));
         }
 
         $sql = new DbQuery();

CVE-2023-39530

--- a/classes/CustomerMessage.php
+++ b/classes/CustomerMessage.php
@@ -162,7 +162,7 @@ public static function getTotalCustomerMessages($where = null)
     public function delete()
     {
         if (!empty($this->file_name)) {
-            @unlink(_PS_UPLOAD_DIR_ . $this->file_name);
+            @unlink(_PS_UPLOAD_DIR_ . basename($this->file_name));
         }
 
         return parent::delete();

Other recommendations

• It’s recommended to upgrade to the latest version of PrestaShop.

Links

• PrestaShop product repository CVE-2023-39525
• National Vulnerability Database CVE-2023-39525

• Patch CVE-2023-39525

• PrestaShop product repository CVE-2023-39529
• National Vulnerability Database CVE-2023-39529

• Patch CVE-2023-39529

• PrestaShop product repository CVE-2023-39530
• National Vulnerability Database CVE-2023-39530
• Patch CVE-2023-39530