### Key Information

#### 0x01 Affected Versions

- **Vendor**: PrestaShop
- **Affected Versions**: PrestaShop 8.2.0, PHP 7.x, module `simpleimportproducts`

#### 0x02 Vulnerability Description

- **Vulnerability Type**: PHP deserialization vulnerability (Phar)
- **Vulnerable Location**: `_getHeaders` function in `AdminProductsImportController.php`
- **Vulnerability Details**: An attacker who can upload a crafted Phar file to the server can trigger the deserialization vulnerability, because the `feed_source` parameter is passed to `fopen()` without validation and PHP deserializes Phar metadata when a file function opens a `phar://` path. This may lead to arbitrary code execution, sensitive information disclosure, remote file inclusion, and other security risks.

#### 0x03 Exploitation

- **Critical Code**:

```php
public function _getHeaders()
{
    $file = Tools::getValue('csv_file');
    if ($file) {
        $mime = Tools::strtolower(Tools::strtolower($file));
        if (strpos($mime, 'feed_source') !== false) {
            $this->_getHeader();
        }
    }
}

private function _getHeader()
{
    try {
        // feed_source is taken from the request and used directly in the path
        $filename = $this->context->link->getMediaLink(_PS_MODULE_DIR_ . 'simpleimportproducts/csv/' . Tools::getValue('feed_source'));
        $handle = fopen($filename, 'r');
        $headers = fgetcsv($handle);
        fclose($handle);
        return $headers;
    } catch (Exception $e) {
        return [];
    }
}
```

- **Example Code to Generate Malicious Phar File** (skeleton as given in the advisory; the class bodies and payload contents are elided):

```php
class MaliciousHandler implements SplFileInfo, RecursiveIterator
{
    // ...
}

class ClassAliasHandler implements ClassAlias
{
    // ...
}

namespace Handler\Manager;

class ClassAliasHandler implements ClassAlias
{
    // ...
}

$phar = new Phar("malicious.phar");
$phar->startBuffering();
$phar->addFromString("payload.php", "");
$phar->setStub("");
$phar->buildFromDirectory(__DIR__ . "/payloads");
$phar->stopBuffering();
```
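A hardened counterpart of the path handling in `_getHeader`, added here as an example and not the module's or PrestaShop's own code: the `feed_source` value is restricted to a bare `name.csv` and resolved with `realpath()` before any file function touches it, and the `phar://` wrapper is unregistered as defence in depth. It assumes the csv directory is passed in as `$csvDir` (in the module this would be `_PS_MODULE_DIR_ . 'simpleimportproducts/csv/'`) and that no feature of the shop needs `phar://` streams.

```php
<?php
declare(strict_types=1);

// Return the validated absolute path of a CSV file inside $csvDir, or null.
// Only a bare "name.csv" is accepted: no directory separators, no
// stream-wrapper prefix such as phar://, no traversal sequences.
function resolveCsvPath(string $csvDir, string $feedSource): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]+\.csv\z/', $feedSource)) {
        return null;
    }
    $base = realpath($csvDir);
    $path = realpath($csvDir . DIRECTORY_SEPARATOR . $feedSource);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() follows symlinks, so also require the result to stay inside csv/.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Hardened equivalent of the module's _getHeader(): file access only after validation.
function getCsvHeader(string $csvDir, string $feedSource): array
{
    $path = resolveCsvPath($csvDir, $feedSource);
    if ($path === null || ($handle = fopen($path, 'r')) === false) {
        return [];
    }
    $headers = fgetcsv($handle);
    fclose($handle);
    return is_array($headers) ? $headers : [];
}

// Defence in depth (assumption: nothing in the application opens phar:// streams):
// without the wrapper, no file function can trigger Phar metadata deserialization.
if (in_array('phar', stream_wrapper_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Constructed demo data: a temporary csv/ directory holding one legitimate file.
$csvDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'simpleimportproducts_csv_demo';
if (!is_dir($csvDir)) {
    mkdir($csvDir, 0700, true);
}
file_put_contents($csvDir . DIRECTORY_SEPARATOR . 'products.csv', "id,name,price\n1,Widget,9.99\n");

var_dump(getCsvHeader($csvDir, 'products.csv'));       // legitimate file name: header row
var_dump(getCsvHeader($csvDir, 'phar://upload.phar/x')); // wrapper prefix: rejected, empty array
var_dump(getCsvHeader($csvDir, '../../config.php'));     // traversal: rejected, empty array
```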