IMPORTANT NOTICE: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.
We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.
Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.
Should you discover any vulnerabilities, please report them to us at: report[@]security-presta.org or visit https://security-presta.org for more information.
Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.
[CWE-502] Exploring the perils of implicit deserialization of a phar in PrestaShop prior to PHP 8.0 (part 2)
Prior to PHP 8.0, “The PHP documentation reveals that PHAR manifest files contain serialized metadata. Crucially, if you perform any filesystem operations on a phar:// stream, this metadata is implicitly deserialized. This means that a phar:// stream can potentially be a vector for exploiting insecure deserialization, provided that you can pass this stream into a filesystem method.”
Summary
- Published at: 2023-09-04
- Platform: All CMS espacially PrestaShop.
- Weakness: CWE-502
- Severity: critical (10)
Implicit deserialization of a phar disguised as an image (part 2)
This is a variant of the same malicious deserialization triggering previouly highlighted “Exploring the perils of unsafe unserialize() in PrestaShop (part 1)” with another attack vector.
This security issue is not new. In 2018, the CVE-2018-19126 touched the PrestaShop core. Fortunately, the exploit was available only as administrator.
This CVE was the first alert send in 2018 that proves the execution of remote code through the deseralization of an untrusted files (here a phar uploaded instead of a pdf).
WARNING : This is the most dangerous critical chain of our ecosystem and you will nearly never seen any CVE about it.
How it works ?
We highly recommend to read carefully this blog post about exploiting PHP Phar deserialization vulnerabilities to understand it.
In summary, the following PHP methods accept php wrappers http://, data://, file:// and also phar://.
But the phar (PHp ARchive) particularity is the ability to implicitly unserialize each serialized string inside in a file.
Here is a list of filesystem functions that trigger phar deserialization:
copy |
file_exists |
file_get_contents |
file_put_contents |
file |
fileatime |
filectime |
filegroup |
fileinode |
filemtime |
fileowner |
fileperms |
filesize |
filetype |
fopen |
is_dir |
is_executable |
is_file |
is_link |
is_readable |
is_writable |
lstat |
mkdir |
parse_ini_file |
readfile |
touch |
unlink |
stat |
getimagesize |
imagecreatefrom(jpeg|gif|png) |
This other article shows how to disguise a phar as a jpeg file.
So, an attacker can craft a perfect image with mime type, extensions, … validations and exploit the implicit unserialization by adding a malicious payload.
Proof of concept
FOR EDUCATIONAL PURPOSES ONLY. DO NOT USE THIS SCRIPT FOR ILLEGAL ACTIVITIES. THE AUTHOR IS NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE.
- Create a module and put this sample file in the module dir.
// modules/mymodule/mymodule.php
class Mymodule
{
...
public function getContent()
{
$isExists = file_exists('phar://phar.jpg');
return $isExists;
}
...
Note: For security reasons, the phar.jpg file is not supplied in this POC.
-
Go to the configuration page of the module.
-
This piece of code will put an
a.phpfile in the designated directory of PrestaShop.
What should be remembered?
As you can see, to be exploited, you’ll have a chain of vulnerabilities composed by:
- Firstly, the hacker should upload a static file like an image, a PDF, … that contains a malicious payload.
PrestaShop core ImageManager::validateUpload class cannot filter this kind of fake “phar” especially images. The upload of a phar as an image on the product page removed the payload (by resizing it), but not in the CMS page WYSIWYG.
We could classify this vulnerability as CWE-646, but this weakness can only be exploited with a second weakness.
- Secondly, the hacker should exploit an untrusted filesystem method like
getimagesize($_GET['param'])(or$_POST,$_COOKIE, …). But this kind of path traversalgetimagesize( _PS_ROOT_DIR_ . $_GET['param'])cannot be exploited for a malicious deserialization.
On the other hand, PrestaShop core methods ImageManager::thumbnail($_GET['param'], ...), ImageManager::getMimeType($_GET['param']), … call file_exists or getimagesize witch trigger phar deserialization.
Path traversal CWE-22 and SSRF CWE-918 could be exploited to trigger a phar deserialization.
BECAREFUL: The probability to register in a single third part (module, dependency) of PrestaShop both vulnerabilities is quite low. Moreover, each weakness in CWE-646 and CWE-918 (or CWE-22) in several modules in the third part is unusable separately but a combination of both is critical. That’s why the majority of exploits will fly under the radar.
How to prevent this vulnerability?
Phar wrapper cannot be disabled via a php.ini settings.
As a developer:
- A strict validation of input data is absolutely essential!
- Use
basename()PHP method to prevent path traversal and unwanted use of wrapper such asphar://:getimagesize(basename($_GET['param'])) - Use the GD library to remove dummy serialized data from an image.
As an admin sys:
- Set your firewall with OWASP rules to filter “phar://”
- Upgrade PHP after 8.0
| Date | Action |
|---|---|
| 2023-09-04 | Publication of this security advisory |
| 2023-09-15 | Edit this publication to reduce the scope of impacted PHP version prior to PHP 8.0 |
DISCLAIMER: The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken.
This advisory and patch is licensed under CC BY-SA 4.0
