[CVE-2024-25839] Exposure of Sensitive Information to an Unauthorized Actor in Webbax - Super Newsletter module for PrestaShop

In the module “Super Newsletter” (supernewsletter) up to version 1.4.21 (DANGER : all versions) from Webbax for PrestaShop, a guest can access a secret of PrestaShop.

Summary

CVE ID: CVE-2024-25839
Published at: 2024-02-29
Platform: PrestaShop
Product: supernewsletter
Impacted release: <= 1.4.21 (DANGER : all versions and author discontinue support)
Product author: Webbax
Weakness: CWE-200
Severity: medium (7.5), GDPR violation

Description

Due to the use of a secret on the PrestaShop ecosystem, a guest can access hundreds of scripts on the PrestaShop ecosystem protected by this secret, including modules that permit the export of customer databases.

WARNING : This module is obsolete and must be deleted since the author has discontinued support.

Note : We are forced to tag it as high gravity due to the CWE type 200 but be warned that on our ecosystem, it must be considered critical since it unlocks hundreds admin’s ajax script of modules due to this

CVSS base metrics

Attack vector: network
Attack complexity: low
Privilege required: none
User interaction: none
Scope: unchanged
Confidentiality: high
Integrity: none
Availability: none

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Possible malicious usage

Access scripts including admin scripts protected by token

Patch from 1.4.21

--- 1.4.21/modules/supernewsletter/front_generate_newsletter.php
+++ XXXXXX/modules/supernewsletter/front_generate_newsletter.php
@@ -82,7 +82,7 @@ if($token==md5($id_supernewsletter_conte

     // tracking stats - open newsletter ?
     if($see_online!=1){
-        $html.='<img src="'.$Shop->getBaseURL().'modules/supernewsletter/front_stats.php?id_supernewsletter_content='.$id_supernewsletter_content.'&preview='.$preview.'&stats_type=open&token='._COOKIE_KEY_.'" style="height:1px;width:1px">';
+        $html.='<img src="'.$Shop->getBaseURL().'modules/supernewsletter/front_stats.php?id_supernewsletter_content='.$id_supernewsletter_content.'&preview='.$preview.'&stats_type=open&token='.Tools::encrypt('supernewsletter').'" style="height:1px;width:1px">';
     }

     // preview ?
@@ -114,7 +114,7 @@ if($token==md5($id_supernewsletter_conte
        </table>';
     }

-    $base_special_link = $Shop->getBaseURL().'modules/supernewsletter/front_stats.php?id_supernewsletter_content='.$id_supernewsletter_content.'&id_lang='.$id_lang.'&preview='.$preview.'&stats_type=special_link&token='._COOKIE_KEY_;
+    $base_special_link = $Shop->getBaseURL().'modules/supernewsletter/front_stats.php?id_supernewsletter_content='.$id_supernewsletter_content.'&id_lang='.$id_lang.'&preview='.$preview.'&stats_type=special_link&token='.Tools::encrypt('supernewsletter');

     // see online newsletter
     $url_newsletter = urlencode($Shop->getBaseURL().'modules/supernewsletter/front_generate_newsletter.php?id_supernewsletter_content='.$id_supernewsletter_content.'&id_lang='.$id_lang.'&preview=0&see_online=1&token='.md5($id_supernewsletter_content));
@@ -253,7 +253,7 @@ if($token==md5($id_supernewsletter_conte
                 $name = Tools::substr($name,0,$SupernewsletterTemplate->product_title_len).'...';
              }

-             $link_product = $Shop->getBaseURL().'modules/supernewsletter/front_stats.php?id_supernewsletter_content='.$id_supernewsletter_content.'&id_product='.$p['id_product'].'&id_product_attribute='.$p['id_product_attribute'].'&id_lang='.$id_lang.'&preview='.$preview.'&stats_type=product&token='._COOKIE_KEY_;
+             $link_product = $Shop->getBaseURL().'modules/supernewsletter/front_stats.php?id_supernewsletter_content='.$id_supernewsletter_content.'&id_product='.$p['id_product'].'&id_product_attribute='.$p['id_product_attribute'].'&id_lang='.$id_lang.'&preview='.$preview.'&stats_type=product&token='.Tools::encrypt('supernewsletter');
              $id_unique_random = uniqid();

              $css_td_first_product = '';
@@ -428,7 +428,7 @@ if($token==md5($id_supernewsletter_conte
     </td></tr></table>';

     // unsubscribe
-    $html .= '<table style="width:100%;background-color:'.$SupernewsletterTemplate->bg_newsletter.';padding-bottom:5px;"><tr><td style="text-align:center;'.$css_font_family.';"><a href="'.$base_special_link.'&link_type=unsubscribe&link_redirect='.urlencode($Shop->getBaseURL().'modules/supernewsletter/front_unsubscribe.php?id_supernewsletter_content='.$SupernewsletterContent->id.'&token='._COOKIE_KEY_).'" target="_blank" style="color:'.$SupernewsletterTemplate->col_links_hf.';font-size:'.$SupernewsletterTemplate->size_links_hf.'px">'.$Supernewsletter->l('Cliquez ici pour vous désinscrire',$filename).'</a><td></tr></table>';
+    $html .= '<table style="width:100%;background-color:'.$SupernewsletterTemplate->bg_newsletter.';padding-bottom:5px;"><tr><td style="text-align:center;'.$css_font_family.';"><a href="'.$base_special_link.'&link_type=unsubscribe&link_redirect='.urlencode($Shop->getBaseURL().'modules/supernewsletter/front_unsubscribe.php?id_supernewsletter_content='.$SupernewsletterContent->id.'&token='.Tools::encrypt('supernewsletter')).'" target="_blank" style="color:'.$SupernewsletterTemplate->col_links_hf.';font-size:'.$SupernewsletterTemplate->size_links_hf.'px">'.$Supernewsletter->l('Cliquez ici pour vous désinscrire',$filename).'</a><td></tr></table>';

 }else{
     $html.=$Supernewsletter->l('Hack : jeton incorrect',$filename);

--- 1.4.21/modules/supernewsletter/front_stats.php
+++ XXXXXX/modules/supernewsletter/front_stats.php
-if($token!==_COOKIE_KEY_){die('Error : bad token');}
+if(empty($token) || $token != Tools::encrypt('supernewsletter')){die('Error : bad token');}

--- 1.4.21/modules/supernewsletter/front_unsubscribe.php
+++ XXXXXX/modules/supernewsletter/front_unsubscribe.php
-if($token!=_COOKIE_KEY_){die('Error : bad token');}
+if(empty($token) || $token != Tools::encrypt('supernewsletter')){die('Error : bad token');}

--- 1.4.21/modules/supernewsletter/admin_cron.php
+++ XXXXXX/modules/supernewsletter/admin_cron.php
-    <img src="'.$this->_path.'views/img/script_link.png" /> <span class="label_url_cron">'.$this->l('URL CRON',$page_name).'</span> : <span class="url_cron">'.$Shop->getBaseURL().'modules/'.$this->name.'/front_cron_send.php?identifier=date&identifier_value=date&emails_pack=unlimited&id_shop='.$this->context->shop->id.'&token='._COOKIE_KEY_.'</span><br/>
+    <img src="'.$this->_path.'views/img/script_link.png" /> <span class="label_url_cron">'.$this->l('URL CRON',$page_name).'</span> : <span class="url_cron">'.$Shop->getBaseURL().'modules/'.$this->name.'/front_cron_send.php?identifier=date&identifier_value=date&emails_pack=unlimited&id_shop='.$this->context->shop->id.'&token='.Tools::encrypt('supernewsletter').'</span><br/>

--- 1.4.21/modules/supernewsletter/front_cron_send.php
+++ XXXXXX/modules/supernewsletter/front_cron_send.php
-     if(Tools::getValue('token')!=_COOKIE_KEY_){die('error : token');}
+     $token = Tools::getValue('token');
+     if(empty($token) || $token != Tools::encrypt('supernewsletter')){die('Error : bad token');}

Other recommendations

It’s recommended to delete the module since support is discontinued.
You MUST update your secret COOKIE_KEY, be warned that this will invalidate all your customers passwords and most of your tokens

Timeline

Date	Action
2023-09-24	Issue discovered during a code review by TouchWeb.fr
2023-09-24	Contact Author to confirm versions scope by author
2023-09-24	Author confirms version scope and decide to put offline the download page
2024-02-22	Received CVE ID
2024-02-29	Publish this security advisory