IMPORTANT NOTICE: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.
We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.
Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.
Should you discover any vulnerabilities, please report them to us at: report[@]security-presta.org or visit https://security-presta.org for more information.
Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.
[CVE-2020-9368][CWE-22] Path traversal in Olea Gift On Order module (giftonorder) module for PrestaShop
The Module Olea Gift On Order module through 5.0.8 for PrestaShop enables an unauthenticated user to read arbitrary files on the server via getfile.php?file=/.. directory traversal.
Summary
- CVE ID: CVE-2020-9368
- Published at: 2020-11-02
- Advisory source: Intrinsec
- Platform: PrestaShop
- Product: giftonorder
- Impacted release: <= 5.0.8
- Product author: Oleacorner
- Weakness: CWE-22
- Severity: high (7.5)
Description
Olea Gift On Order module through 5.0.8 for PrestaShop enable an unauthenticated user to read arbitrary files on the server via getfile.php?file=/.. directory traversal.
As there is no access control over the getfile.php page, any unauthenticated user can call this file in their browser to retrieve the content of any page in any (sub)folder of the PrestaShop folder. This is done by making a GET request to getfile.php with file parameter set to the file the user wants to retrieve.
The _PS_ROOT_DIR (root of the PrestaShop folder) variable is prepended to the file being retrieved. However, as there is no filtering on the input passed in file GET parameter, by prepending several ../ a user can retrieve files outside of the Prestashop directory.
Solutions
- Manual removal of the getfile.php file as suggested by Oleacorner.
- No patch will be provided by the publisher.
CVSS base metrics
- Attack vector: network
- Attack complexity: low
- Privilege required: none
- User interaction: none
- Scope: unchanged
- Confidentiality: high
- Integrity: none
- Availability: none
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Possible malicious usage
- Obtain database access
- Extract sensitive data, such as tokens or private keys stored in config files
- Extract other private data, such as log files or exports
Timeline
| Date | Action |
|---|---|
| 2023-02-11 | Publish the security advisory |
Links
DISCLAIMER: The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken.
This advisory and patch is licensed under CC BY-SA 4.0
