PrestaShop
cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*
- 8.2.0
A PHAR deserialization vulnerability has been identified in PrestaShop version 8.2.0, specifically within the AdminProductsimportController's _getHeaders function. This vulnerability allows attackers to execute arbitrary code by sending a crafted POST request that includes a malicious PHAR file. The vulnerability arises from the deserialization of user input without proper filtering, enabling the execution of unauthorized PHP code on the server.
Exploitation of this vulnerability leads to unauthorized remote code execution on the server where PrestaShop is installed.
To reproduce this vulnerability, upload a malicious PHAR file to a PrestaShop 8.2.0 installation using the Admin Products Import controller. The PHAR file should be crafted to exploit the deserialization vulnerability by including a payload that, when deserialized, executes arbitrary PHP code. Once the file is uploaded, the _getHeaders function will be triggered, leading to the execution of the embedded payload.
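As an added illustration (not PrestaShop's own code; function and parameter names are hypothetical), here is a header reader with the weakness the advisory describes, beside a hardened version that refuses stream-wrapper paths and confines the import file to the upload directory:

```php
<?php
// Added example, not PrestaShop code; names are hypothetical. Shows the bug
// class from the advisory (a filesystem call on a user-influenced path that
// lets PHP's phar:// wrapper unserialize archive metadata) and a safe form.
declare(strict_types=1);

// Weak pattern: the name taken from the request goes straight to fopen().
// A "phar://" prefix makes PHP parse the archive and unserialize its
// metadata before a single CSV byte is read.
function getCsvHeadersWeak(string $path): array
{
    $fh = fopen($path, 'r');
    if ($fh === false) {
        return [];
    }
    $headers = fgetcsv($fh);
    fclose($fh);
    return $headers ?: [];
}

// Hardened pattern: reject any scheme prefix (and log it), keep only the
// file name, resolve it inside the upload directory, require a regular file.
function getCsvHeadersHardened(string $uploadDir, string $name): array
{
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $name) === 1) {
        throw new RuntimeException('Stream wrapper in import file name rejected');
    }
    $base = realpath($uploadDir);
    $full = realpath($uploadDir . DIRECTORY_SEPARATOR . basename($name));
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($full)) {
        throw new RuntimeException('Import file is not a regular file in the upload directory');
    }
    $fh = fopen($full, 'r');
    if ($fh === false) {
        throw new RuntimeException('Cannot open import file');
    }
    $headers = fgetcsv($fh);
    fclose($fh);
    return $headers ?: [];
}

// Defence in depth for applications that never need PHAR archives at runtime:
// unregister the wrapper at bootstrap so no phar:// path reaches unserialize().
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}
```

The rejected-wrapper exception is a useful detection signal: a request that names an import file with a `phar://` prefix is not something a legitimate import produces.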