CVE-2023-3031

stuff

King-Avis is a Prestashop module developed by Webbax. In versions older than 17.3.15, the latter suffers from an authenticated path traversal, leading to local file read.

There was a file download.php, that could be used to download statistical reports as CSV files. To protect from unauthorised access, the download feature was protected by a token, as shown below:

1
2
3
4
5
$token = Tools::getValue('token');
if($token!==_COOKIE_IV_){die('token error');}

$file = Tools::getValue('file');
...

If the token is incorrect, the file exits and no content is returned. However, if the token is correct, the path is extracted from the parameter file and used without being sanitised :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
...
if(strpos($file,'?')!==false){
   $file_name = explode('?',$file);
   $file = str_replace('file=','',$file_name[0]);
}
$handle = fopen($file,"r");
header('Content-Description: File Transfer');
header('Content-Type: text/csv');
header('Content-Disposition: attachment; filename='.$file);
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: '.filesize($file));
@ob_clean();
flush();
readfile($file);
fclose($handle);
exit;

It means that administrators (supposed to know this token) can read arbitrary local files. Also, there is no need to have an active admin session to browse to this file.

This behaviour has been patched by removing this dangerous feature.

Timeline

  • 24.05.2023: Vendor notified
  • 25.05.2023: Vendor acknowledged and published a patch
  • 26.05.2023: NCSC notified