PHPInfo Exposure in MyPrestaModules Modules CVE-2023-39677

Two MyPrestaModules modules that we tested expose PHPInfo output to an unauthenticated attacker. The SimpleImportProduct and UpdateProducts modules each contain a file called send.php with the following code snippet:

    if ( Tools::getValue('phpinfo') ){  
      phpinfo();  
      die;  
    }

This exposes the output of phpinfo(), which is useful to an attacker, and it requires no authentication to exploit: any request that supplies a truthy `phpinfo` parameter reaches the call. This was reported to MyPrestaModules and a patch was released.
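For checking an installed shop's module sources for this pattern, the following is an added example (not code from this post, the vendor's patch, or the nuclei template). It flags every live `phpinfo()` call in PHP files under a modules directory and marks whether a request-derived condition sits just above it; the directory name `examplemodule`, the three-line window and the function names are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic comment stripper (does not parse string literals); line breaks are kept
# so reported line numbers still match the file.
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
PHPINFO_CALL = re.compile(r"\bphpinfo\s*\(", re.I)
# Request-controlled input: PrestaShop's Tools helpers or PHP superglobals.
REQUEST_INPUT = re.compile(r"Tools::(?:getValue|isSubmit)\s*\(|\$_(?:GET|POST|REQUEST)\b")
WINDOW = 3  # assumed number of lines above the call to inspect for a request-driven condition


def scan_php_source(text):
    """Return [(line_no, request_gated)] for each live phpinfo() call in text."""
    cleaned = COMMENTS.sub(lambda m: "\n" * m.group(0).count("\n"), text)
    lines = cleaned.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if PHPINFO_CALL.search(line):
            context = "\n".join(lines[max(0, i - WINDOW): i + 1])
            findings.append((i + 1, bool(REQUEST_INPUT.search(context))))
    return findings


def scan_modules(root):
    """Map each PHP file under root (relative path) to its phpinfo() findings."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_php_source(path.read_text(errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


# Constructed sample: the snippet quoted in this post, wrapped in a PHP open tag.
SAMPLE_SEND_PHP = """<?php
if ( Tools::getValue('phpinfo') ){
  phpinfo();
  die;
}
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        module = Path(tmp) / "examplemodule"  # constructed directory name
        module.mkdir()
        (module / "send.php").write_text(SAMPLE_SEND_PHP)
        for name, hits in scan_modules(tmp).items():
            for line_no, gated in hits:
                print(f"{name}:{line_no} phpinfo() request_gated={gated}")
```

A finding with `request_gated=False` still deserves review, since an unconditional `phpinfo()` in a web-reachable file discloses the same information.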

Timeline

| Date | Action |
|------|--------|
| 10/07/2023 | Issue discovered during a pentest |
| 12/07/2023 | Reported issue to MyPrestaModules |
| 29/07/2023 | Requested CVE from MITRE |
| ??/08/2023 | Patch released |
| 28/08/2023 | Number CVE-2023-39677 assigned |
| 07/09/2023 | Blog post and nuclei template released |