PHP Serialize Injection, Regular Expression Denial of Service, Double Escaping and Directory Traversal in PrestaShop
Description
We've found PHP Serialize Injection, Regular Expression Denial of Service, Double Escaping and Directory Traversal in PrestaShop in your project "PrestaShop". We wrote to you in a confidential message. You didn't react. So we are posting here so that other people who use this code will know about the vulnerability and fix it.
Impact
According to OWASP, it can pose a significant risk: it enables an attacker to modify serialized objects in order to inject malicious data into the application code, resulting in code execution or arbitrary reading of files on any vulnerable system.
Where is the issue?
First, we checked your code automatically with the "PHP Secure" vulnerability scanner. Then we reviewed the vulnerable code more deeply by hand and felt it was necessary to report it to you. To get a full scan report with all vulnerabilities, explanations of why each is an issue and how to fix it, you may scan your project with the "PHP Secure" vulnerability scanner. For early adopters we offer a Premium Plan subscription as a free gift.
About Us
We are a team of developers of the "PHP Secure" vulnerability scanner. We suggest you scan your code and address vulnerabilities as soon as possible to prevent a potential breach.
If you have any questions, email us at support@phpsecure.net