An “Unrestricted Upload of File with Dangerous Type” vulnerability exists in the Ajaxmanager File and Database explorer (ajaxmanager) module, from RSI, for PrestaShop, in all versions (including the latest version 2.3.0). This allows remote attackers to upload dangerous files without restriction.
- CVE ID: CVE-2023-33493
- Published at: 2023-07-28
- Advisory source: Friends-Of-Presta
- Platform: PrestaShop
- Product: ajaxmanager
- Impacted release: All versions (No fix provided. Still vulnerable in the latest version 2.3.0)
- Product author: RSI
- Weakness: CWE-434
- Severity: critical (10)
In the Ajaxmanager File and Database explorer (ajaxmanager) module for PrestaShop, remote attackers can access a file explorer without being logged in, enabling upload view and deletion of files. The file explorer tool is also providing access to a shell console, port scan and server information. Disabling or uninstalling the module does not remove access to the tool. The issue is not fixed in the latest version.
It should be noted that the module provides users the ability to set a password to restrict access to the tool. However, the password is giving no protection. A bug allows users to access the file explorer without having to provide the password.
This vulnerability has been successfully reproduced in versions 2.1.0, 2.2.0 and 2.3.0 (the last version to date). We believe that the issue also existed in previous versions.
WARNING: Disabling or uninstalling the module will not stop the vulnerability from being exploited. You must delete it completely.
Be warned that other modules from this creator are actively scanned, and this one will probably be exploited soon.
CVSS base metrics
- Attack vector: network
- Attack complexity: low
- Privilege required: none
- User interaction: none
- Scope: changed
- Confidentiality: high
- Integrity: high
- Availability: high
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Possible malicious usage
- Removing and altering files (without malware injection)
- Removing and altering data in the database (without malware injection)
- Obtaining database password and cookie key (without malware injection)
- Uploading malwares to the website
- Obtaining complete admin access to the website
This module contains multiple functional and technical vulnerabilities. No patch can be applied without redeveloping most of the module to introduce an authentication system.
Also, even with a proper authentication system, due to the nature of the module, its usage alone can qualify it as a backdoor. As this module is not essential for PrestaShop, it’s recommended to uninstall the module (and to remove the module’s files).
Make sure that the following directory is removed after uninstalling the module :
|2023-03-29||Discovery of the vulnerability by Profileo|
|2023-03-29||Security issue reported to the author, in addons support platform|
|2023-03-31||The author did not confirm the issue|
|2023-04-02||Release additional details to the author to reproduce the issue|
|2023-04-02||The author confirmed the issue|
|2023-04-11||Request for a patch and offer a security audit to the author|
|2023-04-11||Author didn’t submit a patch and wasn’t able to confirm impacted versions|
|2023-04-12||Contact again the Author, requesting a patch|
|2023-04-19||Author didn’t submit a patch and wasn’t able to confirm impacted versions|
|2023-05-06||Contact again the Author with more details, requesting a patch|
|2023-05-09||Author didn’t submit a patch and wasn’t able to confirm impacted versions|
|2023-06-07||Received a CVE ID From MITRE|
|2023-06-15||Module removed from Addons platform (without patch available)|
|2023-07-28||Publication of the CVE|
DISCLAIMER: The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken.