VYPR
Unrated severity · NVD Advisory · Published Nov 3, 2023 · Updated Sep 5, 2024

CVE-2023-43982

Description

Bon Presta boninstagramcarousel between v5.2.1 and v7.0.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the url parameter at insta_parser.php. This vulnerability allows attackers to use the vulnerable website as a proxy to attack other websites or exfiltrate data via an HTTP call.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Bon Presta boninstagramcarousel v5.2.1 to v7.0.0 is vulnerable to SSRF via the url parameter in insta_parser.php, allowing unauthenticated attackers to use the server as a proxy.

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability exists in the Bon Presta "SocialFeed - Photos & Video/Reels using Instagram API" (boninstagramcarousel) module for PrestaShop, affecting versions >=5.2.1 up to and including v6.0.0. Version 7.0.0 fixed the issue. The flaw stems from improper validation of the url parameter in the insta_parser.php script, which can be reached by an unauthenticated attacker with a trivial HTTP call [1].

Exploitation

An attacker can exploit this vulnerability from the network with low complexity and no required privileges or user interaction. By sending a crafted HTTP request to the vulnerable server with a malicious url parameter in insta_parser.php, the attacker can force the server to make arbitrary HTTP requests. This allows the server to be used as a proxy to attack other websites, bypass WAF/.htaccess restrictions, or perform path traversal attacks using wrappers like file:// [1].

Impact

Successful exploitation yields high confidentiality and integrity impact (CVSS base score 9.1, critical). The attacker can exfiltrate data from files under IP restrictions, read sensitive files via path traversal, or use the vulnerable website as a proxy to attack internal or external systems. The availability of the target is not affected. The attack scope remains unchanged [1].

Mitigation

The vulnerability is fixed in version 7.0.0 of the module. Upgrading to this or a later version is recommended. As of the advisory date (November 2, 2023), no patch for individual earlier versions is provided, as the flaw is a design issue. Workarounds include restricting access to the path modules/boninstagramcarousell/controllers/back/ to an allowlist of IP addresses, and activating OWASP 931 rules on a WAF (though this may break front-office/back-office functionality). The module is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].
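The root cause above is a url parameter that reaches a server-side fetch without validation. The following is an added example, not the module's own code, of the allowlist check a PrestaShop module should apply before fetching a user-supplied URL; ALLOWED_FEED_HOSTS is an assumed list and the code assumes PHP 7.1+ with the curl extension.

```php
<?php
// Added example (not from boninstagramcarousel): validate a user-supplied "url"
// before any server-side request, so the script cannot be turned into a proxy.
// ALLOWED_FEED_HOSTS is an assumed list; restrict it to the hosts the feature needs.
const ALLOWED_FEED_HOSTS = ['graph.instagram.com', 'www.instagram.com'];

// Returns the URL if it is safe to fetch server-side, otherwise null.
function validate_feed_url(string $url): ?string
{
    $parts = parse_url($url);
    // Unparsable input, or no explicit scheme/host (file:///etc/passwd and
    // php://filter carry no host component at all), is refused outright.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Only plain HTTP(S): this rejects file://, gopher://, dict:// and other wrappers.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Embedded credentials (http://allowed@other-host/) and custom ports defeat
    // naive host checks and reach non-standard services; refuse both.
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return null;
    }
    // Exact hostname allowlist: no IP literals, no internal names, no lookalikes.
    if (!in_array(strtolower($parts['host']), ALLOWED_FEED_HOSTS, true)) {
        return null;
    }
    return $url;
}

// Fetches an allowlisted URL with redirects and non-HTTP protocols disabled, so an
// allowed host cannot bounce the server elsewhere via a 30x response.
function fetch_feed(string $url): ?string
{
    $safe = validate_feed_url($url);
    if ($safe === null) {
        return null;
    }
    $ch = curl_init($safe);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}
```

With this check, validate_feed_url('file:///etc/passwd') and validate_feed_url('http://127.0.0.1/') both return null, while an https URL on an allowlisted host is passed through unchanged; a host allowlist, not a denylist of internal ranges, is what makes the check robust against DNS rebinding and alternate IP encodings.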

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
