CVE-2018-20717 in PrestaShop
Summary
by MITRE
In the orders section of PrestaShop before 1.7.2.5, an attack is possible after gaining access to a target store with a user role with the rights of at least a Salesman or higher privileges. The attacker can then inject arbitrary PHP objects into the process and abuse an object chain in order to gain Remote Code Execution. This occurs because protection against serialized objects looks for a 0: followed by an integer, but does not consider 0:+ followed by an integer.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 05/01/2020
The vulnerability CVE-2018-20717 represents a critical security flaw in PrestaShop versions prior to 1.7.2.5 that specifically targets the orders management section of the e-commerce platform. This vulnerability operates under the premise that an attacker must first obtain legitimate access to a target store with at least Salesman privileges or higher, which aligns with the attacker-in-the-middle and credential compromise attack patterns documented in the MITRE ATT&CK framework. The flaw exists within the serialized object handling mechanism that is designed to prevent dangerous object injection attacks. The technical implementation of this protection mechanism is fundamentally flawed because it employs a pattern matching approach that only detects the sequence "0:" followed by an integer, but fails to account for variations such as "0:+" followed by an integer, creating a significant bypass opportunity.
The exploitation chain begins with an authenticated attacker who leverages their elevated privileges to manipulate the order processing workflow. Through careful manipulation of input parameters, the attacker can inject malicious serialized PHP objects into the system's processing pipeline. The vulnerability specifically exploits a weakness in the unserialize() function's security checks, where the protection mechanism's regular expression pattern matching fails to recognize that "0:+" followed by an integer should be treated equivalently to "0:" followed by an integer. This oversight creates a path where serialized objects that should be rejected based on security policies are instead accepted and processed, leading to a chain of object deserialization that can be leveraged for remote code execution. The vulnerability is classified under CWE-502 as Deserialization of Untrusted Data, which is a well-known class of vulnerabilities that can lead to arbitrary code execution when objects are deserialized without proper validation.
The operational impact of this vulnerability is severe as it allows attackers to achieve full remote code execution on the target system, potentially leading to complete compromise of the e-commerce platform. The attack requires only a user account with Salesman privileges or higher, which is often a common access level for employees managing orders, making the attack surface wider than initially apparent. Once exploited, the attacker can execute arbitrary commands on the server, potentially leading to data theft, service disruption, or further lateral movement within the network infrastructure. The vulnerability demonstrates how seemingly minor implementation flaws in security mechanisms can have catastrophic consequences, as the protection mechanism that was intended to prevent object injection attacks actually enables them through insufficient pattern matching.
The recommended mitigation for this vulnerability involves upgrading to PrestaShop version 1.7.2.5 or later, where the serialization protection has been properly enhanced to account for variations in the format. Organizations should also implement additional security measures such as input validation, proper access controls, and monitoring for suspicious activities within the orders section. The fix addresses the core issue by expanding the pattern matching to recognize both "0:" and "0:+" formats, ensuring that serialized objects are properly validated regardless of their specific formatting. This vulnerability highlights the importance of comprehensive testing of security mechanisms, particularly those that rely on pattern matching, and demonstrates how security implementations must consider all possible variations of input formats to be effective. The remediation process should also include reviewing and strengthening access controls to limit the potential impact of compromised accounts and implementing network segmentation to reduce the attack surface.