Listen to this Post
The vulnerability exists within the file download functionality of the PrestaShop Checkout module’s backoffice. A specific endpoint, designed for retrieving log files, insecurely constructs the file path using user-supplied input without proper sanitization. An attacker with backoffice access can exploit this by manipulating the file path parameter using directory traversal sequences, such as ‘../’. This allows the attacker to break out of the intended log directory and read arbitrary files from the underlying server filesystem. Consequently, sensitive system files, configuration data, or source code can be disclosed, leading to a further compromise of the application or server.
Platform: PrestaShop Checkout
Version: <4.4.1, 5.0.0-5.0.4
Vulnerability: Directory Traversal
Severity: Moderate
date: 2025-10-16
Prediction: 2025-10-30
What Undercode Say:
curl -s "http://vulnerable-site.com/modules/ps_checkout/download.php?file=../../config/settings.inc.php"
grep -r "directory traversal" modules/ps_checkout/controllers/
// Vulnerable code snippet (conceptual)
$file = $_GET['file'];
readfile('/path/to/logs/' . $file);
How Exploit:
1. Attacker gains backoffice access.
2. Requests the download endpoint with traversal sequences.
- Specifies a path to a sensitive file like
/etc/passwd. - The server returns the contents of the arbitrary file.
Protection from this CVE:
Update to version 4.4.1 or 5.0.5.
Implement input sanitization.
Apply principle of least privilege.
Impact:
Arbitrary file disclosure.
Information leakage.
Potential system compromise.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
