CVE-2024-33274
Description
Directory traversal in FME Modules customfields <=2.2.7 for PrestaShop allows unauthenticated remote attackers to read arbitrary files via a crafted path in ajax.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Description
The module "Custom Checkout Fields, Add Custom Fields to Checkout" (customfields) by FME Modules for PrestaShop versions up to 2.2.7 is vulnerable to a directory traversal attack (CWE-22). Due to a predictable token and insufficient validation of the path name construction in the ajax.php file, an unauthenticated attacker can traverse directories and read arbitrary files on the server.[1]
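The two weaknesses named above, a guessable access token and a path built from client input without containment checks, are the usual ingredients of this class of bug. The following helper is an added illustration written for this page, not code from the customfields module or from FME Modules; the function names, the `uploads` directory and the sample file are assumptions. It shows the defensive pattern a module AJAX endpoint should apply before touching the filesystem: canonicalise the allowed base directory, accept only a bare file name, and verify that the resolved path still lies under the base. It also shows an unpredictable token with constant-time comparison in place of a derivable one.

```php
<?php
// Added example (not the module's own code): safe file resolution for a
// module AJAX endpoint, plus an unguessable token. Names are assumptions.
declare(strict_types=1);

/**
 * Resolve a client-supplied file name strictly inside $baseDir.
 * Returns the canonical path, or null when the request must be refused.
 */
function resolveWithinBase(string $baseDir, string $userPath): ?string
{
    // Canonicalise the permitted directory first; it has to exist.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // NUL bytes can truncate paths in lower layers; refuse them outright.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    // Accept a single path component only: no separators, no "." or "..".
    $name = basename($userPath);
    if ($name === '' || $name === '.' || $name === '..' || $name !== $userPath) {
        return null;
    }
    // Allow-list the characters of the file name (also blocks stream wrappers).
    if (!preg_match('/\A[A-Za-z0-9._-]+\z/', $name)) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false) {
        return null; // file does not exist or is not readable
    }
    // Final containment check: symlinks could still point outside $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/** Per-install token from the CSPRNG, stored once at module install. */
function generateAjaxToken(): string
{
    return bin2hex(random_bytes(32));
}

/** Constant-time comparison so the token cannot be guessed byte by byte. */
function tokenIsValid(string $expected, string $supplied): bool
{
    return hash_equals($expected, $supplied);
}

// Demonstration on a constructed temporary directory.
$dir = sys_get_temp_dir() . '/customfields_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/export.csv', "id,value\n1,demo\n");

$requests = [
    'export.csv',              // a plain file name inside the directory
    '../../example.txt',       // a relative path that walks out of the directory
    'php://filter/resource=x', // a stream wrapper instead of a file name
    '',                        // an empty name
];
foreach ($requests as $req) {
    $resolved = resolveWithinBase($dir, $req);
    printf("%-28s => %s\n", var_export($req, true), $resolved === null ? 'refused' : 'served ' . $resolved);
}

$token = generateAjaxToken();
printf("token check (correct): %s\n", tokenIsValid($token, $token) ? 'ok' : 'rejected');
printf("token check (wrong):   %s\n", tokenIsValid($token, str_repeat('0', 64)) ? 'ok' : 'rejected');

unlink($dir . '/export.csv');
rmdir($dir);
```

The order of the checks matters: `basename()` alone is not enough, because a symlink placed in the base directory can still lead outside it, so the `realpath()` prefix comparison after resolution is the check that actually enforces containment. Combined with a token that is not derivable from public values, the endpoint no longer exposes files outside its own directory even to an unauthenticated caller.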
Attack Vector
The attack can be performed remotely over the network with low complexity and no authentication required. The exploit uses a base64-encoded payload, which can bypass some web application firewalls (WAF). Attackers can hide the module controller's path during the exploit, making detection difficult; the only indicator in conventional frontend logs may be a simple POST request to "/".[1]
Impact
Successful exploitation leads to high confidentiality impact, allowing attackers to exfiltrate sensitive information such as secrets, configuration files, or other modules' data. This could potentially unlock additional admin ajax scripts and facilitate further attacks, including dangerous chained attacks like phar wrapper deserialization.[1]
Mitigation
The vulnerability is fixed in version 2.2.8 of the module. Users are strongly advised to update immediately. Additionally, enabling the AuditEngine of mod_security (or similar) is recommended to help detect and block exploitation attempts.[1]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Affected products (2)
- (no CPE) range: <=2.2.7
- (no CPE) range: <=2.2.7
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.