PrestaShop
cpe:2.3:a:prestashop:prestashop:*:*:*:*:*:*:*
- <= 2.4.0
A sensitive data exposure vulnerability has been identified in the PrestaShop UPS Shipping Module (upsshipping), affecting all versions through at least 2.4.0. The module writes XML log files into a logs directory that has no access control and is served directly over HTTP. An unauthenticated remote attacker can therefore retrieve log files containing UPS API credentials, shipper account numbers, customer personal information, and merchant tax identification numbers.
Exploitation of this vulnerability allows for unauthorized access to sensitive data, including valid UPS API credentials (username, password, access license number), UPS shipper account numbers, merchant VAT or tax identification numbers, and customer personally identifiable information such as names, addresses, phone numbers, and order references.
The issue can be reproduced by requesting a file under the module's 'logs' directory directly over HTTP. The directory contains no 'index.php' placeholder (the file PrestaShop ships in its directories to suppress directory listings) and nothing else restricts access, so the XML files are served like any other static file. Their names follow a deterministic pattern derived from the Unix timestamp at the time of writing, so even where directory listing is disabled an attacker can enumerate both current and historical log files by guessing timestamps.
No official patch is available for this vulnerability, and the vendor is defunct. The recommended course of action is to completely remove the upsshipping module from the PrestaShop installation and migrate to a maintained shipping module. Until the module is removed, deny HTTP access to its logs directory in the web server configuration as an interim measure. After removal, any remaining XML log files should be purged, UPS API credentials should be rotated, web server access logs should be checked for prior retrievals of files from the logs directory, and activity on the UPS account should be reviewed for unauthorized shipments.
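The following script is an added example for this advisory, not code from the module or its vendor. It audits a PrestaShop tree for the vulnerable layout (logs directory present, no index.php placeholder, XML logs on disk), purges the XML logs, and scans web server access logs for requests that reached the logs directory. It assumes the module lives at modules/upsshipping under the PrestaShop root (the standard module location) and is served under the same relative URL path, that the log files are *.xml in its 'logs' subdirectory, and that access logs use the combined log format; the sample log lines and file names are constructed placeholders, not the module's real naming pattern.

```python
"""Post-disclosure audit helper for the upsshipping logs-directory exposure.

Added example for this advisory; it is not code from the module or its vendor.
Assumptions (not stated in the advisory): the module lives at
<prestashop_root>/modules/upsshipping, the standard PrestaShop module location,
and is served under the same relative URL; log files are *.xml in its 'logs'
subdirectory; web server access logs are in combined log format.
"""
import re
import tempfile
from pathlib import Path

MODULE_REL = Path("modules") / "upsshipping"
LOGS_REL = MODULE_REL / "logs"
LOG_URL_PREFIX = "/modules/upsshipping/logs/"  # assumed URL mapping of LOGS_REL

# Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample access log. The .xml names are placeholders, not the
# module's real naming pattern, and the addresses are documentation ranges.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /modules/upsshipping/logs/ HTTP/1.1" 200 1532 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /modules/upsshipping/logs/log-a.xml HTTP/1.1" 200 4210 "-" "curl/8.0"',
    '198.51.100.2 - - [10/Oct/2023:14:01:02 +0000] "GET /index.php?controller=product&id_product=12 HTTP/1.1" 200 23011 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:14:02:10 +0000] "GET /modules/upsshipping/logs/log-b.xml HTTP/1.1" 404 312 "-" "curl/8.0"',
]


def audit_install(root):
    """Describe what is on disk: module, logs dir, index.php placeholder, XML logs."""
    root = Path(root)
    logs = root / LOGS_REL
    return {
        "module_present": (root / MODULE_REL).is_dir(),
        "logs_dir_present": logs.is_dir(),
        "index_php_present": (logs / "index.php").is_file(),
        "xml_logs": sorted(p.name for p in logs.glob("*.xml")) if logs.is_dir() else [],
    }


def purge_xml_logs(root):
    """Delete every *.xml file in the logs directory; returns how many were removed."""
    logs = Path(root) / LOGS_REL
    removed = 0
    if logs.is_dir():
        for p in logs.glob("*.xml"):
            p.unlink()
            removed += 1
    return removed


def find_log_retrievals(lines):
    """Return (ip, path, status) for every request under the logs directory.

    A 2xx status means a file or listing was actually served; 403/404 rows
    only show that the path was probed.
    """
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if path.startswith(LOG_URL_PREFIX):
            hits.append((m.group("ip"), path, int(m.group("status"))))
    return hits


def build_constructed_fixture():
    """Create a throwaway PrestaShop-like tree with the vulnerable layout."""
    root = Path(tempfile.mkdtemp(prefix="ps-audit-"))
    logs = root / LOGS_REL
    logs.mkdir(parents=True)  # deliberately no index.php placeholder
    (logs / "log-a.xml").write_text("<log>placeholder</log>")
    (logs / "log-b.xml").write_text("<log>placeholder</log>")
    return root


def run_audit():
    """Full flow on the constructed fixture: audit, purge, re-audit, log review."""
    root = build_constructed_fixture()
    before = audit_install(root)
    removed = purge_xml_logs(root)
    after = audit_install(root)
    served = [h for h in find_log_retrievals(SAMPLE_ACCESS_LOG) if 200 <= h[2] < 300]
    return {"before": before, "removed": removed, "after": after, "served": served}


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

On a real installation, point audit_install and purge_xml_logs at the PrestaShop root and feed find_log_retrievals the lines of the web server's access log; any 2xx hit under the logs directory means the XML content was actually served and the credential rotation and UPS account review described above are not optional.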