CVE-2018-13784
published 2018-07-09

CVE-2018-13784: PrestaShop before 1.6.1.20 and 1.7.x before 1.7.3.4 mishandles cookie encryption in Cookie.php, Rinjdael.php, and Blowfish.php.

Priority: P2 · 67
Severity: critical · 9.1 (CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Exploit: EXPLOIT flag set
EPSS: 16.67% (96.6th percentile)

Affected

2 ranges

Vendor      Product     Version range           Fixed in
prestashop  prestashop  < 1.6.1.20              1.6.1.20
prestashop  prestashop  >= 1.7.0.0, < 1.7.3.4   1.7.3.4

Detection & IOCs (extracted from sources)

url: http://vmweb5/prestashop/admin177chuncw/
cookie: PrestaShop-b0ebb4f17b3e451202e5b044e29ed75d=20NxjuYuGVhSt8n0M54Av9Qkpyzl9axkK%2BGgLLCcv0MLQZhLAEV8lnq6U2Ew2n5aMUOYqkrkpqjputuLiBEqqW7pIce8cUv%2F3SEFp3tPnWfCgJgXKUsR1htOQ4KAoXyYLhoc31kVgcm39OhQh5Zg3A78HnO1On2udHwN8dTRdI86kewEFZPNtmMeBF7sAr9zezevsjK1VU4BI84EVXCYQuuhnVehoqfAa9XoZC%2FD3FEmDSuspZw2AUB0S7Py6ks6eEeCVDWieBKDsHD13UK%2FzgM%2F65m5rpU1P4BSQSHN2Qs%3D000208
path: /index.php?controller=identity
path: /index.php?controller=AdminDashboard
path: /pdf.php
path: /index.php
  • Detect a padding oracle attack against PrestaShop AES-CBC cookies: look for repeated requests to the admin login endpoint with varying cookie values (base64-encoded blobs with a 6-digit numeric suffix), where HTTP 302 redirects to AdminLogin serve as the padding oracle signal.
  • The PrestaShop session cookies exploited in this CVE follow the naming pattern 'PrestaShop-<md5hash>'; monitor for cookies matching this pattern being submitted with anomalous base64 payloads (especially payloads with an appended 6-digit size suffix).
  • Detect the exploit stage in which the attacker posts to /index.php with 'recover_cart' and 'token_cart' parameters to hijack a customer cart and escalate to an employee/admin session.
  • Monitor for high-frequency requests to the PrestaShop admin endpoints (e.g., /index.php, /pdf.php) with rapidly changing cookie values from the same source IP: this pattern is characteristic of automated padding oracle or CRC brute-force enumeration.
  • The exploit appends a 6-digit numeric suffix to the base64-encoded cookie value to encode the cookie size; treat a PrestaShop cookie whose URL-decoded value ends in a 6-digit decimal string with no further characters as a malformed/exploit-crafted cookie indicator.
  • The block size for the AES-CBC padding oracle is 16 bytes; the Blowfish/Rijndael variant uses SIZE_BLOCK=8. Anomalous cookie lengths that are exact multiples of 8 or 16 bytes (after base64 decoding, minus the 6-digit suffix) should be flagged.
  • The exploit targets PrestaShop versions before 1.6.1.20 and 1.7.x before 1.7.3.4; the AES-CBC padding oracle PoC (EDB-45046) specifically targets <= 1.6.1.19 using openssl_encrypt(), while EDB-45047 targets the Blowfish/Rijndael path with an 8-byte block size.
  • The padding oracle detection relies on distinguishing HTTP 302 redirects to 'AdminLogin' (padding failure) from other responses (padding success); WAF/IDS rules should account for this redirect-based oracle rather than inspecting request bodies alone.
  • The exploit requires the attacker to already hold a valid authenticated session (employee or customer) in order to obtain an initial encrypted cookie value before launching the padding oracle or CRC prediction attack.
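The detection notes above describe two signals: a per-cookie shape check (PrestaShop-<md5> name, base64 blob with a 6-digit suffix, ciphertext length a multiple of 8 or 16) and a per-source rate check (many distinct cookie values to the admin endpoints, answered mostly with 302s). The following Python is an added example, not code from this page or from PrestaShop, that implements both over a constructed access-log format. The log line layout, the `/shop/admin-constructed/` path, the IPs and the sample cookie blobs are all constructed; the `ADVISORY_COOKIE_*` constants are copied from the IOC list above.

```python
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import quote, unquote

# Session cookie naming pattern from the IOC list: PrestaShop-<32 hex chars>
COOKIE_NAME_RE = re.compile(r"^PrestaShop-[0-9a-f]{32}$")
# base64 blob immediately followed by exactly six decimal digits and nothing else
SUFFIX_RE = re.compile(r"^(?P<b64>[A-Za-z0-9+/]+={0,2})(?P<size>\d{6})$")
BLOCK_SIZES = (8, 16)  # Blowfish/Rijndael SIZE_BLOCK=8 and AES-CBC 16
ADMIN_PATHS = ("/index.php", "/pdf.php")  # endpoints named in the IOC list

# Quoted from the IOC list above (a real value from this record, not constructed)
ADVISORY_COOKIE_NAME = "PrestaShop-b0ebb4f17b3e451202e5b044e29ed75d"
ADVISORY_COOKIE_VALUE = (
    "20NxjuYuGVhSt8n0M54Av9Qkpyzl9axkK%2BGgLLCcv0MLQZhLAEV8lnq6U2Ew2n5aMUOYqkrkpqjputuLiBEqqW7pIce8cUv"
    "%2F3SEFp3tPnWfCgJgXKUsR1htOQ4KAoXyYLhoc31kVgcm39OhQh5Zg3A78HnO1On2udHwN8dTRdI86kewEFZPNtmMeBF7sAr9"
    "zezevsjK1VU4BI84EVXCYQuuhnVehoqfAa9XoZC%2FD3FEmDSuspZw2AUB0S7Py6ks6eEeCVDWieBKDsHD13UK%2FzgM%2F65m5"
    "rpU1P4BSQSHN2Qs%3D000208"
)

# Constructed log format: <ip> "<method> <path>" <status> cookie="<Cookie header>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) cookie="(?P<cookie>[^"]*)"$'
)


def analyze_cookie(name, raw_value):
    """Apply the crafted-cookie indicators to one cookie (raw_value as sent on the wire)."""
    info = {"name_matches": bool(COOKIE_NAME_RE.match(name)),
            "suffix": None, "ciphertext_len": None, "block_aligned": False}
    m = SUFFIX_RE.match(unquote(raw_value))
    if not m:
        return info  # no trailing 6-digit size field
    info["suffix"] = int(m.group("size"))
    try:
        blob = base64.b64decode(m.group("b64"), validate=True)
    except (binascii.Error, ValueError):
        return info  # suffix present but the prefix is not valid base64
    info["ciphertext_len"] = len(blob)
    info["block_aligned"] = len(blob) > 0 and any(len(blob) % b == 0 for b in BLOCK_SIZES)
    return info


def is_crafted_cookie(name, raw_value):
    """True when all three shape indicators from the detection notes hold."""
    info = analyze_cookie(name, raw_value)
    return info["name_matches"] and info["suffix"] is not None and info["block_aligned"]


def prestashop_cookies(cookie_header):
    """Yield (name, raw_value) for every PrestaShop-<md5> cookie in a Cookie header."""
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and COOKIE_NAME_RE.match(name):
            yield name, value


def padding_oracle_bursts(log_lines, min_distinct=20, min_redirect_ratio=0.5):
    """Flag source IPs that send many distinct PrestaShop cookie values to the
    admin endpoints and mostly receive 302s (the oracle's failure signal)."""
    per_ip = defaultdict(lambda: {"requests": 0, "redirects": 0, "distinct_cookies": set()})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if not m.group("path").split("?", 1)[0].endswith(ADMIN_PATHS):
            continue
        stats = per_ip[m.group("ip")]
        stats["requests"] += 1
        stats["redirects"] += m.group("status") == "302"
        for _, value in prestashop_cookies(m.group("cookie")):
            stats["distinct_cookies"].add(value)
    flagged = {}
    for ip, s in per_ip.items():
        if (len(s["distinct_cookies"]) >= min_distinct
                and s["redirects"] / s["requests"] >= min_redirect_ratio):
            flagged[ip] = {"requests": s["requests"], "redirects": s["redirects"],
                           "distinct_cookies": len(s["distinct_cookies"])}
    return flagged


def make_cookie_value(blob):
    """Build a value shaped like the IOC cookie: base64 + %06d size suffix, URL-encoded (constructed)."""
    return quote(base64.b64encode(blob).decode() + "%06d" % len(blob), safe="")


def build_sample_log():
    """Constructed sample: one bursty source varying the ciphertext every request, one normal client."""
    name = "PrestaShop-" + "0" * 32                      # constructed cookie name
    admin = "/shop/admin-constructed/index.php?controller=AdminDashboard"
    lines = []
    for i in range(25):                                  # 24 padding failures, then one success
        value = make_cookie_value(i.to_bytes(32, "big"))
        lines.append(f'203.0.113.7 "GET {admin}" {200 if i == 24 else 302} cookie="{name}={value}"')
    fixed = make_cookie_value(bytes(range(48)))          # a normal client reuses one cookie
    for _ in range(3):
        lines.append(f'198.51.100.9 "GET {admin}" 200 cookie="{name}={fixed}; lang=en"')
    return lines


if __name__ == "__main__":
    print(analyze_cookie(ADVISORY_COOKIE_NAME, ADVISORY_COOKIE_VALUE))
    print(padding_oracle_bursts(build_sample_log()))
```

The shape check alone is a weak signal, since a base64 blob that happens to end in six digits also matches the suffix regex; the per-source burst check is what separates an oracle run from ordinary traffic, so alert on the combination and tune `min_distinct` to the shop's real admin request rate.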

CVSS provenance

nvd · v3.0 · 9.1 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd · v2.0 · 6.4 MEDIUM · AV:N/AC:L/Au:N/C:P/I:P/A:N