CVE-2023-27639
📋 TL;DR
CVE-2023-27639 is a directory traversal vulnerability in the tshirtecommerce (Custom Product Designer) module for PrestaShop. The file_name parameter of the module's ajax.php endpoint (type=svg) is used to open a file without being confined to the module's own asset directory, so a remote attacker can supply ../ sequences and read arbitrary files on the server, limited to files the module's XML parser accepts. This affects PrestaShop installations running tshirtecommerce version 2.1.4 or earlier.
💻 Affected Systems
- PrestaShop tshirtecommerce (Custom Product Designer) module
📦 What is this software?
Custom Product Designer by Tshirtecommerce
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of any file the web server process can read and the module's XML parser will accept: XML configuration and data files under the shop root, XML belonging to other sites on a shared host, and anything an attacker can chain into further access. Whether non-XML files (for example PrestaShop's PHP configuration holding database credentials) leak depends on how the module reports parse failures, so plan for arbitrary file read as the worst case.
Likely Case
Unauthorized reading of XML files in the PrestaShop tree that the attacker can name by relative path, exposing installation details and configuration values; database credentials or API keys are exposed only where they sit in a file that parses as XML.
If Mitigated
Limited impact with proper file permissions and web server configuration restricting access to sensitive directories.
🎯 Exploit Status
Reported as exploited in the wild since March 2023. The attack is a single crafted HTTP request to the module's ajax.php endpoint with type=svg and a file_name value containing ../ sequences; no special tooling is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 2.1.5 or later
Vendor Advisory: https://friends-of-presta.github.io/security-advisories/module/2023/03/30/tshirtecommerce_cwe-22.html
Restart Required: No
Instructions:
1. Update the tshirtecommerce module to version 2.1.5 or later through the PrestaShop module manager.
2. Verify the update was successful by checking the module version in the admin panel.
🔧 Temporary Workarounds
Disable vulnerable endpoint
Block access to the vulnerable ajax.php endpoint via web server configuration or WAF rules. In a standard PrestaShop layout the module's files live under /modules/tshirtecommerce/; the rules below are unanchored at the start so they match the endpoint wherever the shop is mounted. Blocking the endpoint also breaks the product designer's own AJAX calls, so treat this as a stop-gap until the module is updated.
# Apache (httpd.conf or .htaccess, mod_rewrite enabled):
RewriteEngine On
RewriteRule tshirtecommerce/ajax\.php$ - [F]
# Nginx (place before the generic \.php$ location so it wins regex matching):
location ~ /tshirtecommerce/ajax\.php$ { return 403; }
Remove vulnerable module
Temporarily disable or uninstall the tshirtecommerce module until patched. Disabling a module in the Module Manager does not delete its files, and ajax.php is a standalone script, so confirm after disabling that the endpoint returns an error rather than content.
🧯 If You Can't Patch
- Implement strict input validation and sanitization for the file_name parameter in the ajax.php endpoint
- Apply web application firewall (WAF) rules to block directory traversal patterns in requests
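The following is an added example, not code from the tshirtecommerce module or the PrestaShop project, showing the kind of file_name validation the first item above calls for. The module is PHP; the check is written in Python here for illustration and maps onto PHP's preg_match(), realpath() and a prefix comparison. The base directory path and the .svg-only allow-list are assumptions, since the module's real layout is not described on this page.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# Assumed base directory for the designer's SVG assets (hypothetical path;
# the real module's directory layout is not described on this page).
SVG_BASE = "/var/www/prestashop/modules/tshirtecommerce/assets/svg"

# Allow-list: a bare file name of safe characters ending in .svg. This alone
# rejects '..', '/', '\\', NUL bytes and any other extension.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.svg$")


def resolve_svg_path(file_name: str, base: str = SVG_BASE):
    """Return the absolute path of `file_name` inside `base`, or None to reject.

    Two independent checks: the allow-list on the raw name, and a
    canonical-path containment check so that a symlink placed inside base
    cannot point outside it.
    """
    # Decode once more: the web layer already did one pass, so a second
    # pass exposes double-encoded values (%252e%252e%252f) before matching.
    name = unquote(file_name)
    if not SAFE_NAME_RE.fullmatch(name):
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, name))
    # commonpath() compares whole components, so a sibling directory such as
    # "<base>2/" is not mistaken for a child of base.
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def demo_symlink_escape():
    """Build a temp base dir with a symlink leaving it; the containment check
    rejects the link even though its name passes the allow-list. Returns None."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "svg")
        os.mkdir(base)
        outside = os.path.join(tmp, "secret.xml")
        open(outside, "w").close()
        os.symlink(outside, os.path.join(base, "link.svg"))
        return resolve_svg_path("link.svg", base)


if __name__ == "__main__":
    for probe in ("design1.svg",
                  "../../../../config/settings.inc.php",
                  "..%2F..%2Fconfig%2Fsettings.inc.php",
                  "%252e%252e%252fetc%252fpasswd",
                  "logo.svg.php"):
        print(repr(probe), "->", resolve_svg_path(probe))
    print("symlink escape ->", demo_symlink_escape())
```

The allow-list is the primary control and is what to port into the module; the realpath containment check is defence in depth for the case where an attacker can already write files (for example a symlink) under the asset directory.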
🔍 How to Verify
Check if Vulnerable:
Check whether tshirtecommerce version 2.1.4 or earlier is installed in the PrestaShop admin panel under Modules > Module Manager.
Check Version:
Check PrestaShop admin panel: Modules > Module Manager > tshirtecommerce
Verify Fix Applied:
Verify the module version shows 2.1.5 or later in the PrestaShop admin panel. Then, on a staging copy of the shop, send a request to the endpoint with a traversal payload in file_name and confirm it is rejected rather than answered with file content.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to the module's ajax.php with type=svg and ../ in the file_name parameter, including URL-encoded forms such as ..%2F and %2e%2e%2f
- Unusual file access attempts from the web server process, in particular reads of XML files outside the module directory
Network Indicators:
- HTTP POST requests to the tshirtecommerce/ajax.php endpoint with a file_name parameter containing directory traversal sequences (parameters sent in a POST body do not appear in standard access logs; a WAF or request-body logging is needed to see them)
SIEM Query:
web.url:*tshirtecommerce/ajax.php* AND (web.param.file_name:*../* OR web.param.file_name:*..\*)
The field names are placeholders for your SIEM's schema. Decode the parameter before matching, or add the encoded forms to the query, otherwise %2e%2e%2f payloads are missed.
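The following is an added example, not part of the original advisory, that runs the log indicators above over access-log lines: it parses combined-format lines, restricts to the module's ajax.php, percent-decodes file_name (twice, to catch double encoding) and flags any ".." path component. The log lines are constructed for the example, and the /modules/ prefix in them reflects the standard PrestaShop module location, which the matcher does not rely on.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines in Apache/Nginx "combined" format.
# These are not real logs; payloads are illustrative.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Mar/2023:10:01:12 +0000] "GET /modules/tshirtecommerce/ajax.php?type=svg&file_name=design1.svg HTTP/1.1" 200 4311 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Mar/2023:10:02:40 +0000] "GET /modules/tshirtecommerce/ajax.php?type=svg&file_name=../../../../config/settings.inc.php HTTP/1.1" 200 1790 "-" "curl/7.88.1"
198.51.100.9 - - [30/Mar/2023:10:03:01 +0000] "GET /modules/tshirtecommerce/ajax.php?type=svg&file_name=..%2F..%2F..%2F..%2Fconfig%2Fsettings.inc.php HTTP/1.1" 200 1790 "-" "python-requests/2.28"
198.51.100.9 - - [30/Mar/2023:10:03:05 +0000] "GET /modules/tshirtecommerce/ajax.php?type=svg&file_name=%252e%252e%252f%252e%252e%252fsome.xml HTTP/1.1" 500 312 "-" "python-requests/2.28"
203.0.113.5 - - [30/Mar/2023:10:04:10 +0000] "GET /index.php?controller=product&id_product=3 HTTP/1.1" 200 23011 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# A '..' component bounded by a separator or the string edge on both sides;
# a plain '../' substring test would miss '..\' and a bare '..'.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def is_traversal(value: str) -> bool:
    """True if `value` contains a '..' path component after one more
    percent-decoding pass (parse_qs already performed the first pass)."""
    return bool(TRAVERSAL_RE.search(unquote(value)))


def find_traversal_hits(log_text: str) -> list:
    """Return one record per request to the module's ajax.php whose
    file_name parameter contains a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # Match on the module path only, wherever the shop is mounted.
        if not parts.path.endswith("/tshirtecommerce/ajax.php"):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for raw in params.get("file_name", []):
            if is_traversal(raw):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": int(m.group("status")),
                    "type": params.get("type", [""])[0],
                    "file_name": unquote(raw),
                })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_hits(SAMPLE_LOG):
        # A 200 on a traversal request means the server likely returned content.
        print(hit)
```

Treat a hit with status 200 as a probable successful read and pull the file named in file_name into the investigation; a 4xx/5xx still identifies a scanning source. Because the script reads the query string only, requests that carry file_name in a POST body need WAF or request-body logs as input instead.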