diff --git a/src/network-services-pentesting/pentesting-web/prestashop.md b/src/network-services-pentesting/pentesting-web/prestashop.md index 24d0e1df1e2..5437d5cb356 100644 --- a/src/network-services-pentesting/pentesting-web/prestashop.md +++ b/src/network-services-pentesting/pentesting-web/prestashop.md 
@@ -4,10 +4,36 @@ ## From XSS to RCE -- [**PrestaXSRF**](https://github.com/nowak0x01/PrestaXSRF): PrestaShop Exploitation Script that elevate **XSS to RCE or Others Critical Vulnerabilities.** For more info check [**this post**](https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html). It provides **provides support for PrestaShop Versions 8.X.X and 1.7.X.X, and allows to:** +- [**PrestaXSRF**](https://github.com/nowak0x01/PrestaXSRF): PrestaShop Exploitation Script that elevate **XSS to RCE or Others Critical Vulnerabilities.** For more info check [**this post**](https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html). It provides **support for PrestaShop Versions 8.X.X and 1.7.X.X, and allows to:** - _**(RCE) PSUploadModule(); - Upload a custom Module:**_ Upload a Persistent Module (backdoor) to PrestaShop. -{{#include ../../banners/hacktricks-training.md}} +## ps_checkout ExpressCheckout silent login account takeover (CVE-2025-61922) + +> Missing identity validation in the `ps_checkout` module `< 5.0.5` lets an unauthenticated attacker **switch the session to any customer by supplying their email**. + +- **Endpoint (unauth):** `POST /module/ps_checkout/ExpressCheckout`. +- **Flow:** `ExpressCheckout.php` accepts attacker JSON, only checks `orderID`, builds `ExpressCheckoutRequest` and calls `ExpressCheckoutAction::execute()`. +- **Auth bug:** In vulnerable versions `ExpressCheckoutAction` calls `CustomerAuthenticationAction::execute()` when no user is logged in. That method simply does `customerExists()` and `context->updateCustomer(new Customer($id))`, so **email existence == login** (no password/token check). +- **Attacker-controlled email field:** `order.payer.email_address` inside the JSON payload is read by `ExpressCheckoutRequest::getPayerEmail()`. + +### Exploitation steps +1. Collect any registered customer email (admin is separate and not affected by this flow). +2. 
Send an unauthenticated POST to the controller with `orderID` plus the victim email in `order.payer.email_address`. +3. Even if the endpoint returns `500`, the response will include cookies for the victim’s customer context (session already switched), enabling PII access or purchasing with saved cards. +```http +POST /module/ps_checkout/ExpressCheckout HTTP/1.1 +Host: `` +Content-Type: application/json +Content-Length: 72 +{"orderID":"1","order":{"payer":{"email_address":"victim@example.com"}}} +``` + +## References + +- [CVE-2025-61922: Zero-Click Account Takeover on Prestashop (blog)](https://dhakal-ananda.com.np/blogs/cve-2025-61922-analysis/) +- [GitHub Advisory GHSA-54hq-mf6h-48xh](https://github.com/PrestaShopCorp/ps_checkout/security/advisories/GHSA-54hq-mf6h-48xh) + +{{#include ../../banners/hacktricks-training.md}}
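Review bot: the `http` fenced example in this hunk is not a well-formed HTTP/1.1 request: there is no empty line between `Content-Length: 72` and the JSON body, so headers and body run together, and `Host: \`\`` is an empty inline-code placeholder that renders as nothing. Add a blank `+` line before `{"orderID":"1",...}` and use an explicit placeholder such as `Host: <target>` so readers can see it must be substituted (the `Content-Length: 72` value itself matches the 72-byte body and is fine). The section also gives the affected range (`ps_checkout < 5.0.5`) but never states the remediation; since the hunk itself implies 5.0.5 is the fixed release, add a one-line note next to the version range ("Fixed in ps_checkout 5.0.5; upgrade the module") so the page is actionable for defenders, not only for testers. Minor style point: the bullet that opens the hunk still reads "Exploitation Script that elevate", and since that line is already being edited for the doubled "provides", change it to "elevates" in the same change.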