CVE-2023-43982
📋 TL;DR
This SSRF vulnerability in Bon Presta boninstagramcarousel allows attackers to make the vulnerable server send HTTP requests to arbitrary internal or external systems. Attackers can use the website as a proxy to attack other systems, scan internal networks, or exfiltrate data. All websites running affected versions of this PrestaShop module are vulnerable.
💻 Affected Systems
- Bon Presta boninstagramcarousel module for PrestaShop
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could pivot through the vulnerable server to attack internal systems, access cloud metadata services, exfiltrate sensitive data, or conduct denial-of-service attacks against third parties.
Likely Case
Attackers will use the vulnerable server as a proxy to scan internal networks, access internal services, or make requests to external systems while hiding their true IP address.
If Mitigated
With proper network segmentation and egress filtering, the impact is limited to the vulnerable server itself, though it could still be used for scanning or limited data exfiltration.
🎯 Exploit Status
The vulnerability is in a publicly accessible PHP file (insta_parser.php) and requires only a simple HTTP request with a malicious URL parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v7.0.1
Vendor Advisory: https://security.friendsofpresta.org/modules/2023/11/02/boninstagramcarousel.html
Restart Required: No
Instructions:
1. Log into the PrestaShop admin panel.
2. Go to Modules > Module Manager.
3. Find 'boninstagramcarousel'.
4. Update to version 7.0.1 or later.
5. Clear the PrestaShop cache.
🔧 Temporary Workarounds
Block access to insta_parser.php
Temporarily block access to the vulnerable file via web server configuration.
# For Apache 2.4: add to .htaccess (or the vhost config)
<Files "insta_parser.php">
    Require all denied
</Files>
# Apache 2.2 (or 2.4 with mod_access_compat loaded) uses the older syntax instead:
# <Files "insta_parser.php">
#     Order allow,deny
#     Deny from all
# </Files>
# For Nginx: add to the server block
location ~* /insta_parser\.php$ {
    deny all;
    return 403;
}
Input validation via WAF
Implement WAF rules to block SSRF attempts. The rule below is a denylist of literal internal addresses only: it does not catch a hostname that resolves to an internal address or a redirect issued by an external host, so treat it as a stopgap alongside egress filtering, not as a fix.
# Example ModSecurity rule
SecRule ARGS:url "@rx ^(http|https)://(127\.0\.0\.1|localhost|169\.254\.169\.254|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.)" "id:1001,phase:2,deny,status:403,msg:'SSRF attempt detected'"
🧯 If You Can't Patch
- Disable or uninstall the boninstagramcarousel module completely
- Implement strict network egress filtering to limit outbound connections from the web server
🔍 How to Verify
Check if Vulnerable:
Check if the file /modules/boninstagramcarousel/insta_parser.php exists and is accessible. Test by sending a GET request with a URL parameter pointing to a controlled server.
Check Version:
Check the module version in PrestaShop admin panel under Modules > Module Manager, or examine /modules/boninstagramcarousel/ directory for version files.
Verify Fix Applied:
After updating, verify the module version is 7.0.1 or later and test that insta_parser.php no longer processes arbitrary URLs.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from web server to internal IP ranges
- Requests to insta_parser.php with URL parameters containing internal IPs or unusual domains
- Multiple failed connection attempts from web server to various IPs
Network Indicators:
- Web server making unexpected outbound HTTP requests
- Traffic from web server to cloud metadata endpoints (169.254.169.254)
- Web server connecting to internal services it shouldn't access
SIEM Query (pseudo-syntax; the path match is the primary condition, a scripted user agent is only a secondary signal that should not widen the match to the whole site):
source="web_server_logs" AND uri="/modules/boninstagramcarousel/insta_parser.php" AND status=200
Optionally narrow the result set with: AND (user_agent CONTAINS "curl" OR user_agent CONTAINS "wget")
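The log indicators above, worked into a small detector as an added example that is not part of this advisory: it parses combined-format access-log lines, keeps only hits on insta_parser.php, and flags a `url` parameter (the parameter name the ModSecurity rule above assumes) whose host is a literal non-public address such as RFC 1918 space, loopback or the 169.254.169.254 metadata endpoint. The sample log lines are constructed; hostnames are deliberately not resolved, which is exactly the gap that egress filtering has to cover.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/modules/boninstagramcarousel/insta_parser.php"
# Combined log format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample access-log lines (not from a real incident).
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Nov/2023:10:01:02 +0000] "GET /modules/boninstagramcarousel/insta_parser.php'
    '?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.5 - - [02/Nov/2023:10:01:03 +0000] "GET /modules/boninstagramcarousel/insta_parser.php'
    '?url=http%3A%2F%2F10.0.0.7%3A8080%2Fadmin HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '198.51.100.9 - - [02/Nov/2023:10:02:00 +0000] "GET /modules/boninstagramcarousel/insta_parser.php'
    '?url=https%3A%2F%2Fwww.instagram.com%2Fexample HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [02/Nov/2023:10:02:05 +0000] "GET /index.php?id_product=3 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

def is_internal_host(host: str) -> bool:
    """True for loopback names and literal IPs outside public ranges (RFC 1918,
    loopback, link-local incl. 169.254.169.254, IPv6 ULA). Hostnames are NOT
    resolved, so a DNS name pointing at an internal address is not caught here."""
    if host.lower() in ("localhost", "metadata.google.internal"):
        return True
    try:
        return not ipaddress.ip_address(host.strip("[]")).is_global
    except ValueError:  # not a literal IP address
        return False

def suspicious_requests(log_lines):
    """(client_ip, requested_host, status) for hits on insta_parser.php whose
    `url` parameter points at an internal or otherwise non-public destination."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if target.path != VULN_PATH:
            continue
        # parse_qs percent-decodes the value, so the embedded URL can be split directly
        for fetched in parse_qs(target.query).get("url", []):
            dest = urlsplit(fetched)
            if dest.hostname and is_internal_host(dest.hostname):
                hits.append((m.group("ip"), dest.hostname, int(m.group("status"))))
    return hits
```

Run it over a real access log by feeding the file's lines to suspicious_requests; each hit is a candidate SSRF attempt that the SIEM query above would also surface.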