[CVE-2024-25839] Exposure of Sensitive Information to an Unauthorized Actor in Webbax - Super Newsletter module for PrestaShop
In the module “Super Newsletter” (supernewsletter) up to version 1.4.21 (DANGER : all versions) from Webbax for PrestaShop, a guest can access a secret of PrestaShop.
Summary
- CVE ID: CVE-2024-25839
- Published at: 2024-02-29
- Platform: PrestaShop
- Product: supernewsletter
- Impacted release: <= 1.4.21 (DANGER : all versions and author discontinue support)
- Product author: Webbax
- Weakness: CWE-200
- Severity: high (7.5), GDPR violation
Description
Due to the use of a secret on the PrestaShop ecosystem, a guest can access hundreds of scripts on the PrestaShop ecosystem protected by this secret, including modules that permit the export of customer databases.
WARNING : This module is obsolete and must be deleted since the author has discontinued support.
Note : We are forced to tag it as high gravity due to the CWE type 200 but be warned that on our ecosystem, it must be considered critical since it unlocks hundreds admin’s ajax script of modules due to this
CVSS base metrics
- Attack vector: network
- Attack complexity: low
- Privilege required: none
- User interaction: none
- Scope: unchanged
- Confidentiality: high
- Integrity: none
- Availability: none
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Possible malicious usage
- Access scripts including admin scripts protected by token
Patch from 1.4.21
--- 1.4.21/modules/supernewsletter/front_generate_newsletter.php
+++ XXXXXX/modules/supernewsletter/front_generate_newsletter.php
@@ -82,7 +82,7 @@ if($token==md5($id_supernewsletter_conte
// tracking stats - open newsletter ?
if($see_online!=1){
- $html.='<img src="'.$Shop->getBaseURL().'modules/supernewsletter/front_stats.php?id_supernewsletter_content='.$id_supernewsletter_content.'&preview='.$preview.'&stats_type=open&token='._COOKIE_KEY_.'" style="height:1px;width:1px">';
+ $html.='<img src="'.$Shop->getBaseURL().'modules/supernewsletter/front_stats.php?id_supernewsletter_content='.$id_supernewsletter_content.'&preview='.$preview.'&stats_type=open&token='.Tools::encrypt('supernewsletter').'" style="height:1px;width:1px">';
}
// preview ?
@@ -114,7 +114,7 @@ if($token==md5($id_supernewsletter_conte
</table>';
}
- $base_special_link = $Shop->getBaseURL().'modules/supernewsletter/front_stats.php?id_supernewsletter_content='.$id_supernewsletter_content.'&id_lang='.$id_lang.'&preview='.$preview.'&stats_type=special_link&token='._COOKIE_KEY_;
+ $base_special_link = $Shop->getBaseURL().'modules/supernewsletter/front_stats.php?id_supernewsletter_content='.$id_supernewsletter_content.'&id_lang='.$id_lang.'&preview='.$preview.'&stats_type=special_link&token='.Tools::encrypt('supernewsletter');
// see online newsletter
$url_newsletter = urlencode($Shop->getBaseURL().'modules/supernewsletter/front_generate_newsletter.php?id_supernewsletter_content='.$id_supernewsletter_content.'&id_lang='.$id_lang.'&preview=0&see_online=1&token='.md5($id_supernewsletter_content));
@@ -253,7 +253,7 @@ if($token==md5($id_supernewsletter_conte
$name = Tools::substr($name,0,$SupernewsletterTemplate->product_title_len).'...';
}
- $link_product = $Shop->getBaseURL().'modules/supernewsletter/front_stats.php?id_supernewsletter_content='.$id_supernewsletter_content.'&id_product='.$p['id_product'].'&id_product_attribute='.$p['id_product_attribute'].'&id_lang='.$id_lang.'&preview='.$preview.'&stats_type=product&token='._COOKIE_KEY_;
+ $link_product = $Shop->getBaseURL().'modules/supernewsletter/front_stats.php?id_supernewsletter_content='.$id_supernewsletter_content.'&id_product='.$p['id_product'].'&id_product_attribute='.$p['id_product_attribute'].'&id_lang='.$id_lang.'&preview='.$preview.'&stats_type=product&token='.Tools::encrypt('supernewsletter');
$id_unique_random = uniqid();
$css_td_first_product = '';
@@ -428,7 +428,7 @@ if($token==md5($id_supernewsletter_conte
</td></tr></table>';
// unsubscribe
- $html .= '<table style="width:100%;background-color:'.$SupernewsletterTemplate->bg_newsletter.';padding-bottom:5px;"><tr><td style="text-align:center;'.$css_font_family.';"><a href="'.$base_special_link.'&link_type=unsubscribe&link_redirect='.urlencode($Shop->getBaseURL().'modules/supernewsletter/front_unsubscribe.php?id_supernewsletter_content='.$SupernewsletterContent->id.'&token='._COOKIE_KEY_).'" target="_blank" style="color:'.$SupernewsletterTemplate->col_links_hf.';font-size:'.$SupernewsletterTemplate->size_links_hf.'px">'.$Supernewsletter->l('Cliquez ici pour vous désinscrire',$filename).'</a><td></tr></table>';
+ $html .= '<table style="width:100%;background-color:'.$SupernewsletterTemplate->bg_newsletter.';padding-bottom:5px;"><tr><td style="text-align:center;'.$css_font_family.';"><a href="'.$base_special_link.'&link_type=unsubscribe&link_redirect='.urlencode($Shop->getBaseURL().'modules/supernewsletter/front_unsubscribe.php?id_supernewsletter_content='.$SupernewsletterContent->id.'&token='.Tools::encrypt('supernewsletter')).'" target="_blank" style="color:'.$SupernewsletterTemplate->col_links_hf.';font-size:'.$SupernewsletterTemplate->size_links_hf.'px">'.$Supernewsletter->l('Cliquez ici pour vous désinscrire',$filename).'</a><td></tr></table>';
}else{
$html.=$Supernewsletter->l('Hack : jeton incorrect',$filename);
--- 1.4.21/modules/supernewsletter/front_stats.php
+++ XXXXXX/modules/supernewsletter/front_stats.php
-if($token!==_COOKIE_KEY_){die('Error : bad token');}
+if(empty($token) || $token != Tools::encrypt('supernewsletter')){die('Error : bad token');}
--- 1.4.21/modules/supernewsletter/front_unsubscribe.php
+++ XXXXXX/modules/supernewsletter/front_unsubscribe.php
-if($token!=_COOKIE_KEY_){die('Error : bad token');}
+if(empty($token) || $token != Tools::encrypt('supernewsletter')){die('Error : bad token');}
--- 1.4.21/modules/supernewsletter/admin_cron.php
+++ XXXXXX/modules/supernewsletter/admin_cron.php
- <img src="'.$this->_path.'views/img/script_link.png" /> <span class="label_url_cron">'.$this->l('URL CRON',$page_name).'</span> : <span class="url_cron">'.$Shop->getBaseURL().'modules/'.$this->name.'/front_cron_send.php?identifier=date&identifier_value=date&emails_pack=unlimited&id_shop='.$this->context->shop->id.'&token='._COOKIE_KEY_.'</span><br/>
+ <img src="'.$this->_path.'views/img/script_link.png" /> <span class="label_url_cron">'.$this->l('URL CRON',$page_name).'</span> : <span class="url_cron">'.$Shop->getBaseURL().'modules/'.$this->name.'/front_cron_send.php?identifier=date&identifier_value=date&emails_pack=unlimited&id_shop='.$this->context->shop->id.'&token='.Tools::encrypt('supernewsletter').'</span><br/>
--- 1.4.21/modules/supernewsletter/front_cron_send.php
+++ XXXXXX/modules/supernewsletter/front_cron_send.php
- if(Tools::getValue('token')!=_COOKIE_KEY_){die('error : token');}
+ $token = Tools::getValue('token');
+ if(empty($token) || $token != Tools::encrypt('supernewsletter')){die('Error : bad token');}
Other recommendations
- It’s recommended to delete the module since support is discontinued.
- You MUST update your secret COOKIE_KEY, be warned that this will invalidate all your customers passwords and most of your tokens
Timeline
| Date | Action |
|---|---|
| 2023-09-24 | Issue discovered during a code review by TouchWeb.fr |
| 2023-09-24 | Contact Author to confirm versions scope by author |
| 2023-09-24 | Author confirms version scope and decide to put offline the download page |
| 2024-02-22 | Received CVE ID |
| 2024-02-29 | Publish this security advisory |
Links
DISCLAIMER: The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken.
This advisory and patch is licensed under CC BY-SA 4.0
