endurer Posted July 18, 2018 Share Posted July 18, 2018 Hi there, Just read about the cookie vulnerability at https://www.ambionics.io/blog/prestashop-privilege-escalation and was wondering if there is a quick fix available for older versions of Prestashop without having to upgrade to the latest version, i.e. code changes that can be applied to older versions for this specific issue? I am currently running 1.6.1.17 Thanks 1 Link to comment Share on other sites More sharing options...
JSSSX Posted July 27, 2018 Share Posted July 27, 2018 (edited) Same here. The only change on /classes/cookie.php doesnt seem to be the one to correct this issue. (I'm on 1.6.1.13 and compared with 1.6.1.20) Edited July 28, 2018 by JSSSX (see edit history) Link to comment Share on other sites More sharing options...
JSSSX Posted July 28, 2018 Share Posted July 28, 2018 Ok got it, line 63 code has been reduced to : public function __construct($name, $path = '', $expire = null, $shared_urls = null, $standalone = false, $secure = false) { $this->_content = array(); $this->_standalone = $standalone; $this->_expire = is_null($expire) ? time() + 1728000 : (int)$expire; $this->_path = trim(($this->_standalone ? '' : Context::getContext()->shop->physical_uri).$path, '/\\').'/'; if ($this->_path{0} != '/') { $this->_path = '/'.$this->_path; } $this->_path = rawurlencode($this->_path); $this->_path = str_replace('%2F', '/', $this->_path); $this->_path = str_replace('%7E', '~', $this->_path); $this->_domain = $this->getDomain($shared_urls); $this->_name = 'PrestaShop-'.md5(($this->_standalone ? '' : _PS_VERSION_).$name.$this->_domain); $this->_allow_writing = true; $this->_salt = $this->_standalone ? str_pad('', 8, md5('ps'.__FILE__)) : _COOKIE_IV_; $this->_cipherTool = new Rijndael(_RIJNDAEL_KEY_, _RIJNDAEL_IV_); $this->_secure = (bool)$secure; $this->update(); } Instead of : public function __construct($name, $path = '', $expire = null, $shared_urls = null, $standalone = false, $secure = false) { $this->_content = array(); $this->_standalone = $standalone; $this->_expire = is_null($expire) ? time() + 1728000 : (int)$expire; $this->_path = trim(($this->_standalone ? '' : Context::getContext()->shop->physical_uri).$path, '/\\').'/'; if ($this->_path{0} != '/') { $this->_path = '/'.$this->_path; } $this->_path = rawurlencode($this->_path); $this->_path = str_replace('%2F', '/', $this->_path); $this->_path = str_replace('%7E', '~', $this->_path); $this->_domain = $this->getDomain($shared_urls); $this->_name = 'PrestaShop-'.md5(($this->_standalone ? '' : _PS_VERSION_).$name.$this->_domain); $this->_allow_writing = true; $this->_salt = $this->_standalone ? str_pad('', 8, md5('ps'.__FILE__)) : _COOKIE_IV_; if ($this->_standalone) { $this->_cipherTool = new Blowfish(str_pad('', 56, md5('ps'.__FILE__)), str_pad('', 56, md5('iv'.__FILE__))); } elseif (!Configuration::get('PS_CIPHER_ALGORITHM') || !defined('_RIJNDAEL_KEY_')) { $this->_cipherTool = new Blowfish(_COOKIE_KEY_, _COOKIE_IV_); } else { $this->_cipherTool = new Rijndael(_RIJNDAEL_KEY_, _RIJNDAEL_IV_); } $this->_secure = (bool)$secure; $this->update(); } Link to comment Share on other sites More sharing options...
JSSSX Posted July 28, 2018 Share Posted July 28, 2018 After some tests, switching older cookie.php file with the new doesn't affect the previous prestashop version, and everything is working properly. Hope this helps, and if you have a better alternative than immediate prestashop upgrade let me know, thanks Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now