
Vulnerability in the modules simpleslideshow and vtemslideshow


gluck


Found the vulnerability in these modules.

The hacker makes a request to uploadimage.php:

197.27.53.176 - - [15/Jul/2016:16:45:10 +0300] "POST //modules/vtemslideshow/uploadimage.php HTTP/1.1" 200 49 "-" "python-requests/2.10.0"


uploadimage.php has no check for the admin's session or for the file types:

<?php

// No authentication check: any unauthenticated client reaches this point.
$uploaddir = './slides/';
// The stored name is taken from the client-supplied filename; the extension
// (e.g. .php) is kept as-is and no file type check is performed.
$uploadfile = normalize(preg_replace('/ /', '_', basename($_FILES['userfile']['name'])));

if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir . $uploadfile)) {
  echo "success:".$uploadfile;
} else {
  echo "error";
}

...
...and allows uploading any files to the /slides/ folder.

Then the hacker loads the scripts and sends POST requests to them:

197.27.53.176 - - [15/Jul/2016:16:50:19 +0300] "POST //modules/vtemslideshow/slides/psyco0.php HTTP/1.1" 200 149 "http://yoursite.com//modules/vtemslideshow/slides/psyco0.php"

And you become a spammer.

Make the necessary checks and save this file.

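A hardened version of the upload handler described in the post above, added here as an example (it is not the module's own code nor the poster's). It assumes a hypothetical is_admin_session() helper supplied by the shop's back office; the rest uses only standard PHP functions.

```php
<?php
// Hardened uploadimage.php (added example). Assumption: is_admin_session()
// is a hypothetical helper that returns true only for a logged-in admin.

function reject(int $status, string $msg): void {
    http_response_code($status);
    echo $msg;
    exit;
}

// 1. Only an authenticated back-office user may upload.
if (!is_admin_session()) {
    reject(403, 'error');
}

if (!isset($_FILES['userfile']) || $_FILES['userfile']['error'] !== UPLOAD_ERR_OK) {
    reject(400, 'error');
}

$tmp = $_FILES['userfile']['tmp_name'];
if (!is_uploaded_file($tmp)) {
    reject(400, 'error');
}

// 2. Decide the type from the file content, not from the client-supplied name.
$allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
if (!isset($allowed[$mime]) || getimagesize($tmp) === false) {
    reject(415, 'error');
}

// 3. Never reuse the client's name: generate a random one with a fixed,
//    safe extension taken from the detected type.
$uploaddir  = __DIR__ . '/slides/';
$uploadfile = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];

if (move_uploaded_file($tmp, $uploaddir . $uploadfile)) {
    echo 'success:' . $uploadfile;
} else {
    reject(500, 'error');
}
```

Pair this with a web-server rule that refuses to execute scripts under /slides/, so that even a file which slips past the checks is served as static content.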

It is best to contact the developer(s) of the module directly, or add your topic directly to the download topic on the forum. Don't think developers of free addons are reading other topics as their own.... ;-)


https://www.prestashop.com/forums/topic/69460-free-module-yet-another-slideshow-module-v06/

For vtemslideshow I think it is a part of a special theme. Was not able to find the developer; perhaps you know who it is, if you are using it?
