PHPInfo Exposure in MyPrestaModules Modules CVE-2023-39677
Two modules that we tested by MyPrestaModules have a vulnerability where PHPInfo is exposed to an unauthenticated attacker. The modules SimpleImportProduct and UpdateProducts contain a file called send.php that has the following code snippet:
if ( Tools::getValue('phpinfo') ){
phpinfo();
die;
}
This exposes PHPInfo information which is useful to an attacker and it requires no authentication to exploit. This was reported to MyPrestaModules and a patch was released.
Timeline
| Date | Action |
|---|---|
| 10/07/2023 | Issue discovered during a pentest |
| 12/07/2023 | Reported issue to MyPrestaModules |
| 29/07/2023 | Requested CVE from MITRE |
| ??/08/2023 | Patch released |
| 28/08/2023 | Number CVE-2023-39677 assigned |
| 07/09/2023 | Blog post and nuclei template released |