Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Vulnerability advisory - CVE-2020-9368

Publisher

Oleacorner, through Prestashop's marketplace

Product

Prestashop module Olea Gift On Order

Title

Olea Gift On Order - Unauthenticated arbitrary file read

Publication date

November 2nd, 2020

Risk level

High

Exploitability

Remote

Impact

Technical information disclosure

Description

Olea Gift On Order module through 5.0.8 for PrestaShop enables an unauthenticated user to read arbitrary files on the server via getfile.php?file=/.. directory traversal.

As there is no access control over the getfile.php page, any unauthenticated user can call this file in their browser to retrieve the content of any page in any (sub)folder of the Prestashop folder.
This is done by making a GET request to getfile.php with file parameter set to the file the user wants to retrieve.

The _PS_ROOT_DIR (root of the Prestashop folder) variable is prepended to the file being retrieved. However, as there is no filtering on the input passed in file GET parameter, by prepending several ../ a user can retrieve files outside of the Prestashop directory.

Affected versions

Versions <= 5.0.8 (latest)

Solutions

Manual removal of the getfile.php file as suggested by Oleacorner.
No patch will be provided by the publisher.

Credit

Vulnerability discovered by Florent BESNARD from INTRINSEC

History

2020-02-21: Oleacorner contacted via email
2020-02-22: Prestashop security team contacted via email
2020-02-24: Prestashop acknowledged the vulnerability. The module was removed from the marketplace and the publisher was notified. CVE-2020-9368 was assigned
2020-02-25: Oleacorner acknowledged the vulnerability and recommended the manual removal of the vulnerable file
2020-03-19: Intrinsec asked for updates from Oleacorner and Prestashop. No reply received
2020-06-22: Intrinsec asked for updates from Oleacorner. No reply received
2020-11-02: Advisory publication