IMPORTANT NOTICE: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.
We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers do not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, an inability to properly evaluate the associated risk, or other reasons.
Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it is crucial that any potential threats are promptly addressed and the community is informed. The most effective way to do this is to publish a CVE, like the one provided below.
Should you discover any vulnerabilities, please report them to us at: report[@]security-presta.org or visit https://security-presta.org for more information.
Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.
[CVE-2023-33493] Unrestricted Upload of File with Dangerous Type in the Ajaxmanager File and Database explorer (ajaxmanager) module from RSI for PrestaShop
An “Unrestricted Upload of File with Dangerous Type” vulnerability exists in the Ajaxmanager File and Database explorer (ajaxmanager) module, from RSI, for PrestaShop, in all versions (including the latest version 2.3.0). This allows remote attackers to upload dangerous files without restriction.
Summary
- CVE ID: CVE-2023-33493
- Published at: 2023-07-28
- Advisory source: Friends-Of-Presta
- Platform: PrestaShop
- Product: ajaxmanager
- Impacted release: All versions (No fix provided. Still vulnerable in the latest version 2.3.0)
- Product author: RSI
- Weakness: CWE-434
- Severity: critical (10)
Description
In the Ajaxmanager File and Database explorer (ajaxmanager) module for PrestaShop, remote attackers can access a file explorer without being logged in, enabling upload, viewing and deletion of files. The file explorer tool also provides access to a shell console, a port scanner and server information. Disabling or uninstalling the module does not remove access to the tool. The issue is not fixed in the latest version.
It should be noted that the module lets users set a password to restrict access to the tool. However, the password provides no protection: a bug allows users to access the file explorer without having to provide it.
This vulnerability has been successfully reproduced in versions 2.1.0, 2.2.0 and 2.3.0 (the latest version to date). We believe that the issue also existed in previous versions.
WARNING: Disabling or uninstalling the module will not stop the vulnerability from being exploited. You must delete it completely.
Be warned that other modules from this creator are actively scanned, and this one will probably be exploited soon.
CVSS base metrics
- Attack vector: network
- Attack complexity: low
- Privilege required: none
- User interaction: none
- Scope: changed
- Confidentiality: high
- Integrity: high
- Availability: high
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Possible malicious usage
- Removing and altering files (without malware injection)
- Removing and altering data in the database (without malware injection)
- Obtaining database password and cookie key (without malware injection)
- Uploading malware to the website
- Obtaining complete admin access to the website
Patch
This module contains multiple functional and technical vulnerabilities. No patch can be applied without redeveloping most of the module to introduce an authentication system.
Also, even with a proper authentication system, due to the nature of the module, its usage alone can qualify it as a backdoor. As this module is not essential for PrestaShop, it’s recommended to uninstall the module (and to remove the module’s files).
Make sure that the following directory is removed after uninstalling the module: /modules/ajaxmanager/
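A verification and detection script, added here as an example and not part of the advisory: it checks that the module directory named above is really gone from the PrestaShop root (an assumed default of /var/www/prestashop, override with the first argument) and counts web-server access-log requests that touch the module path, using constructed sample log lines.

```shell
#!/bin/sh
# Added example, not part of the advisory: verify that the ajaxmanager
# module directory is gone and look for requests to it in an access log.
MODULE_PATH="modules/ajaxmanager"

# Exit status 0 if the module directory still exists under the given root.
ajaxmanager_present() {
    [ -d "$1/$MODULE_PATH" ]
}

# Read access-log lines (combined/common log format) on stdin and print the
# number of requests for anything under /modules/ajaxmanager/.
ajaxmanager_log_hits() {
    grep -c -E '"[A-Z]+ /modules/ajaxmanager/' || true
}

# Same, but only POST requests: uploads to the file explorer travel over
# POST, so these are the lines to review first.
ajaxmanager_log_posts() {
    grep -c -E '"POST /modules/ajaxmanager/' || true
}

# Constructed sample log lines (not real traffic): two requests to the
# module path, one of them a POST, plus an unrelated product page view.
SAMPLE_LOG='203.0.113.5 - - [28/Jul/2023:10:00:01 +0000] "GET /modules/ajaxmanager/ HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [28/Jul/2023:10:00:07 +0000] "POST /modules/ajaxmanager/ HTTP/1.1" 200 128 "-" "curl/8.0"
198.51.100.9 - - [28/Jul/2023:10:01:00 +0000] "GET /index.php?controller=product&id_product=1 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"'

PS_ROOT="${1:-/var/www/prestashop}"   # assumed default install location
if ajaxmanager_present "$PS_ROOT"; then
    echo "WARNING: $PS_ROOT/$MODULE_PATH still exists; uninstalling is not enough, delete it"
else
    echo "OK: $PS_ROOT/$MODULE_PATH is absent"
fi
echo "requests to module path in sample log: $(printf '%s\n' "$SAMPLE_LOG" | ajaxmanager_log_hits)"
echo "of which POST (possible uploads):      $(printf '%s\n' "$SAMPLE_LOG" | ajaxmanager_log_posts)"
```

To run the same check over a real log, pipe it into the function, e.g. `zcat /var/log/apache2/access.log.*.gz | ajaxmanager_log_hits` after sourcing the script.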
Timeline
| Date | Action |
|---|---|
| 2023-03-29 | Discovery of the vulnerability by Profileo |
| 2023-03-29 | Security issue reported to the author on the Addons support platform |
| 2023-03-31 | The author did not confirm the issue |
| 2023-04-02 | Additional details released to the author to reproduce the issue |
| 2023-04-02 | The author confirmed the issue |
| 2023-04-11 | Patch requested and security audit offered to the author |
| 2023-04-11 | Author didn't submit a patch and wasn't able to confirm impacted versions |
| 2023-04-12 | Author contacted again, requesting a patch |
| 2023-04-19 | Author didn't submit a patch and wasn't able to confirm impacted versions |
| 2023-05-06 | Author contacted again with more details, requesting a patch |
| 2023-05-09 | Author didn't submit a patch and wasn't able to confirm impacted versions |
| 2023-06-07 | Received a CVE ID from MITRE |
| 2023-06-15 | Module removed from the Addons platform (without a patch available) |
| 2023-07-28 | Publication of the CVE |
Links
DISCLAIMER: The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken.
This advisory and patch are licensed under CC BY-SA 4.0