CVE-2014-2009 in mPAY24info

Summary

by MITRE

The mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to obtain credentials, the installation path, and other sensitive information via a direct request to api/curllog.log.


Analysis

by VulDB Data Team • 02/21/2025

The CVE-2014-2009 vulnerability affects versions of the mPAY24 payment module for PrestaShop prior to 1.6, representing a critical information disclosure flaw that exposes sensitive system details to remote attackers. This vulnerability resides in the module's improper handling of log file access, specifically the api/curllog.log file, which contains credential information and installation paths. The flaw demonstrates a classic lack of proper access controls and authentication checks within the payment module's API endpoints, creating an attack surface that adversaries can exploit without requiring elevated privileges or complex exploitation techniques.

The technical implementation of this vulnerability stems from the module's failure to enforce proper authorization mechanisms when serving log files through the api endpoint. When attackers make direct requests to api/curllog.log, they can access sensitive information including payment credentials, system installation paths, and potentially other system details that should remain protected within a secure e-commerce environment. This represents a violation of the principle of least privilege and demonstrates poor input validation and access control implementation. The vulnerability falls under the CWE-200 category for Exposure of Sensitive Information and aligns with ATT&CK technique T1566 for Phishing and T1083 for File and Directory Discovery.

The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with critical system information that can be leveraged for further attacks within the PrestaShop environment. The exposure of installation paths enables attackers to better understand the system architecture and potentially identify additional vulnerabilities through path-based attacks. Payment credentials obtained through this vulnerability could lead to financial fraud, unauthorized transactions, and complete compromise of the payment processing infrastructure. The vulnerability also compromises the integrity of the payment module's security model, potentially enabling attackers to bypass other security controls and escalate their privileges within the e-commerce platform.

Organizations should immediately implement several mitigation strategies to address this vulnerability, including updating the mPAY24 module to version 1.6 or later, where the issue has been fixed, implementing proper access controls and authentication for API endpoints, and conducting comprehensive security reviews of all payment module configurations. Network-level protections such as web application firewalls should be configured to block access to log file endpoints and sensitive API paths. Additionally, regular security auditing of e-commerce platforms should include checks for similar information disclosure vulnerabilities in third-party modules and plugins. The incident highlights the importance of proper security testing and validation of payment processing modules, particularly those handling sensitive financial data, and underscores the need for maintaining up-to-date security practices in e-commerce environments where customer financial information is processed and stored.
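To check whether the log file was ever served, and whether a blocking rule now takes effect, a shop operator can review the web server access log. The following is an added example, not code from VulDB or the module vendor; it assumes Apache/nginx Combined Log Format, and the `EXAMPLE` module directory, addresses and log lines are constructed sample data.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
SENSITIVE_SUFFIX = "/api/curllog.log"  # file named in the CVE description

def normalise(target):
    """Drop the query string, percent-decode, collapse slashes, lower-case."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/+", "/", path).lower()

def find_log_fetches(lines):
    """Group requests for the log file into 'exposed' (content served) and 'blocked'."""
    report = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not normalise(m["target"]).endswith(SENSITIVE_SUFFIX):
            continue
        status = int(m["status"])
        # 2xx means the body was sent; 304 means the client already holds a copy.
        served = 200 <= status < 300 or status == 304
        size = 0 if m["size"] == "-" else int(m["size"])
        report["exposed" if served else "blocked"].append(
            (m["ip"], m["time"], status, size))
    return dict(report)

# Constructed sample lines; the module directory name EXAMPLE is a placeholder.
SAMPLE = [
    '203.0.113.7 - - [12/Sep/2014:10:01:22 +0000] "GET /shop/modules/EXAMPLE/api/curllog.log HTTP/1.1" 200 48213 "-" "curl/7.35.0"',
    '198.51.100.23 - - [12/Sep/2014:10:05:40 +0000] "GET /shop/modules/EXAMPLE/api/curllog%2Elog?x=1 HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Sep/2014:10:06:02 +0000] "GET /shop/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Sep/2014:08:00:00 +0000] "GET /shop/modules/EXAMPLE/api/curllog.log HTTP/1.1" 403 199 "-" "curl/7.35.0"',
]

if __name__ == "__main__":
    for verdict, hits in find_log_fetches(SAMPLE).items():
        for ip, when, status, size in hits:
            print(f"{verdict:8} {ip:15} {when} status={status} bytes={size}")
```

Any `exposed` entry means the credentials written to that log should be treated as disclosed and rotated; `blocked` entries after the fix confirm the deny rule is matching.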

Reservation

02/17/2014

Disclosure

09/12/2014

Moderation

accepted

Entry

VDB-71229

CPE

ready

Exploit

Download

EPSS

0.12593

KEV

no

Activities

very low
