In today's post, we will discuss a critical security vulnerability (CVE-2024-25840) that has been discovered in the "Account Manager | Sales Representative & Dealers | CRM" (prestasalesmanager) module, which is developed by Presta World for the popular eCommerce platform, PrestaShop. The vulnerability allows a malicious attacker to download personal information without proper authorization by performing a path traversal attack.

Introduction

The "Account Manager | Sales Representative & Dealers | CRM" module is designed to help PrestaShop store owners manage their sales agents and dealers efficiently. However, a severe security issue has been identified up to version 9. of the module, wherein unauthorized access to sensitive customer data can be easily achieved through a path traversal attack.

The Common Vulnerabilities and Exposures (CVE) project has assigned this vulnerability the ID CVE-2024-25840.

What is a Path Traversal Attack?

A path traversal attack, also known as "directory traversal", is a type of security vulnerability where an attacker exploits an application by manipulating file paths to gain unauthorized access to sensitive files or data. This type of vulnerability takes advantage of inadequate validation and sanitization of user-supplied inputs, such as file names and paths.

Exploit Details

The vulnerability in question resides in the index.php file within the "Account Manager | Sales Representative & Dealers | CRM" module. The affected code snippet is provided below:

<?php
// index.php

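// Vulnerable: the "file" query parameter is taken as-is, with no validation.
$filename = $_GET['file'];
$path = "customer_data/";

if (isset($filename)) {
    // "../" sequences in $filename let the resulting path leave customer_data/.
    $file = $path . $filename;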
    if (file_exists($file)) {
        header('Content-Description: File Transfer');
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename="'.basename($file).'"');
        header('Expires: ');
        header('Cache-Control: must-revalidate');
        header('Pragma: public');
        header('Content-Length: ' . filesize($file));
        readfile($file);
        exit;
    } else {
        echo "Error: File not found.";
    }
} else {
    echo "Error: No file specified.";
}
?>

As seen above, the $filename variable receives its value directly from the $_GET['file'] parameter without any validation or sanitization. Consequently, an attacker can manipulate the parameter and perform a path traversal attack to download sensitive files containing personal information without any restrictions.

To exploit this vulnerability, a malicious actor simply needs to append the desired file path after the file parameter in the URL, as demonstrated below:

http://www.example.com/path/to/module/index.php?file=../../../../sensitive_file.txt

This would result in unauthorized access to the contents of sensitive_file.txt.

Mitigation

Users of the "Account Manager | Sales Representative & Dealers | CRM" module for PrestaShop are strongly advised to update their module to the latest version, which addresses this vulnerability. As an additional security layer, ensure proper file and directory permissions are applied to your web server and PrestaShop installation.

Presta World has published a security patch for the affected module versions, which can be obtained from their official website.
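For anyone auditing a similar download handler, the check that the snippet above lacks can be sketched as follows. This is an added example, not code from the module or from Presta World's patch; BASE_DIR and resolveDownload() are hypothetical names, and it assumes downloads are served only from a single customer_data/ directory next to the script.

```php
<?php
// Added example: hardened variant of the download handler shown above.
// Not the vendor's patch. BASE_DIR and resolveDownload() are hypothetical names.
declare(strict_types=1);

const BASE_DIR = __DIR__ . '/customer_data';

/**
 * Resolve a user-supplied name to a regular file inside $baseDir.
 * Returns null when the name escapes the directory or no such file exists.
 */
function resolveDownload(string $baseDir, string $requested): ?string
{
    // Accept only a bare file name: no NUL bytes, no directory components.
    if ($requested === '' || strpos($requested, "\0") !== false
        || basename($requested) !== $requested) {
        return null;
    }

    // realpath() collapses "." and ".." and follows symlinks; false if missing.
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $real === false) {
        return null;
    }

    // The canonical path must still sit under the canonical base directory.
    // This also rejects "." and "..", which pass the basename() test above.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($real) ? $real : null;
}

$requested = $_GET['file'] ?? '';
$file = is_string($requested) ? resolveDownload(BASE_DIR, $requested) : null;

if ($file === null) {
    http_response_code(404);
    exit('Error: File not found.');
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($file) . '"');
header('Content-Length: ' . filesize($file));
readfile($file);
```

This closes the traversal only. Whether the requester is allowed to fetch a given customer file is a separate authorization check that the handler still needs.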

Conclusion

This vulnerability highlights the importance of validating and sanitizing user inputs, especially when handling sensitive data. By staying up to date with the latest security patches and following industry best practices, webmasters and store owners can ensure a safer browsing experience for their customers while safeguarding their personal information from potential exposure and misuse.

Timeline

Published on: 02/27/2024 17:15:12 UTC
Last modified on: 02/28/2024 14:06:45 UTC