CVE-2023-3031: CVE-2023-3031

King-Avis is a Prestashop module developed by Webbax. In versions older than 17.3.15, the latter suffers from an authenticated path traversal, leading to local file read.

There was a file download.php, that could be used to download statistical reports as CSV files. To protect from unauthorised access, the download feature was protected by a token, as shown below:

$token = Tools::getValue('token');
if($token!==_COOKIE_IV_){die('token error');}

$file = Tools::getValue('file');
...

If the token is incorrect, the file exits and no content is returned. However, if the token is correct, the path is extracted from the parameter file and used without being sanitised :

...
if(strpos($file,'?')!==false){
   $file_name = explode('?',$file);
   $file = str_replace('file=','',$file_name[0]);
}
$handle = fopen($file,"r");
header('Content-Description: File Transfer');
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename='.$file);
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: '.filesize($file));
@ob_clean();
flush();
readfile($file);
fclose($handle);
exit;

It means that administrators (supposed to know this token) can read arbitrary local files. Also, there is no need to have an active admin session to browse to this file.

This behaviour has been patched by removing this dangerous feature.

Timeline

• 24.05.2023: Vendor notified

• 25.05.2023: Vendor acknowledged and published a patch

• 26.05.2023: NCSC notified

• 2023 6

• 2020 12

2023

CVE-2023-3033

3 minute read

This walkthrough presents another vulnerability discovered on the Mobatime web application (see CVE-2023-3032, same version 06.7.2022 affected). This vulnera…

CVE-2023-3032

less than 1 minute read

Mobatime offers various time-related products, such as check-in solutions. In versions up to 06.7.2022, an arbitrary file upload allowed an authenticated use…

CVE-2023-3031

less than 1 minute read

King-Avis is a Prestashop module developed by Webbax. In versions older than 17.3.15, the latter suffers from an authenticated path traversal, leading to loc…

FuckFastCGI made simpler

3 minute read

Let’s render unto Caesar the things that are Caesar’s, the exploit FuckFastCGI is not mine and is a brilliant one, bypassing open_basedir and disable_functio…

PHP .user.ini risks

4 minute read

I have to admit, PHP is not my favourite, but such powerful language sometimes really amazes me. Two days ago, I found a bypass of the directive open_basedir…

PHP open_basedir bypass

3 minute read

PHP is a really powerful language, and as a wise man once said, with great power comes great responsibilities. There is nothing more frustrating than obtaini…

Back to Top ↑

2020

Self modifying C program - Polymorphic

17 minute read

A few weeks ago, a good friend of mine asked me if it was possible to create such a program, as it could modify itself. After some thoughts, I answered that …

Back to Top ↑