Release date:
Updated on: 2013-01-22
Affected Systems:
PrestaShop Canada Post Module
Description:
--------------------------------------------------------------------------------
Bugtraq id: 57426
CVE (CAN) ID: CVE-2012-5799
PrestaShop is a free, open source e-commerce solution.
The Canada Post module in PrestaShop does not verify that the server host name matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. This allows a man-in-the-middle attacker to spoof the SSL server using an arbitrary valid certificate. The vulnerability is related to the module's use of the PHP fsockopen function.
<* Source: ACM CCS 2012 conference *>
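The missing check, as an added example that is not PrestaShop or Canada Post module code: a PHP client that requires the certificate to match the host name, with the matching rule written out. The function names `cert_matches_host` and `open_verified_tls` are hypothetical, and PHP 7 or later with the openssl extension is assumed.

```php
<?php
// Added example (hypothetical helper names), not code from the module.
// Weak pattern the advisory refers to: before PHP 5.6 this call did not
// validate the certificate or compare it with $host by default.
//   $sock = fsockopen('ssl://' . $host, 443, $errno, $errstr, 10);

// The rule itself: the host must equal a subjectAltName DNS entry, or the
// subject CN when the certificate carries no DNS entries.
function cert_matches_host(array $cert, string $host): bool
{
    $names = [];
    foreach (explode(',', $cert['extensions']['subjectAltName'] ?? '') as $entry) {
        $entry = trim($entry);
        if (stripos($entry, 'DNS:') === 0) {
            $names[] = substr($entry, 4);
        }
    }
    if (!$names && is_string($cert['subject']['CN'] ?? null)) {
        $names[] = $cert['subject']['CN'];
    }
    $host = strtolower(rtrim($host, '.'));
    foreach ($names as $name) {
        $name = strtolower($name);
        $dot = strpos($host, '.');
        // A wildcard is accepted only as the whole left-most label.
        $wild = strpos($name, '*.') === 0 && $dot > 0
            && substr($host, $dot) === substr($name, 1);
        if ($name === $host || $wild) {
            return true;
        }
    }
    return false;
}

function open_verified_tls(string $host, int $port = 443)
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'       => true,   // chain must lead to a trusted CA
        'verify_peer_name'  => true,   // PHP 5.6+: enforce the name match
        'peer_name'         => $host,
        'capture_peer_cert' => true,   // keep the certificate for inspection
    ]]);
    $sock = @stream_socket_client("tls://$host:$port", $errno, $errstr, 10,
                                  STREAM_CLIENT_CONNECT, $ctx);
    $opts = $sock ? stream_context_get_params($sock)['options']['ssl'] : [];
    $cert = isset($opts['peer_certificate']) ? openssl_x509_parse($opts['peer_certificate']) : false;
    if (!$sock || !$cert || !cert_matches_host($cert, $host)) {
        throw new RuntimeException("TLS peer for $host not verified: $errstr");
    }
    return $sock;
}
```

On PHP 5.6 and later the `verify_peer_name` option already performs the name comparison during the handshake; the explicit function is there to show the rule.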
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
PrestaShop
----------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software check the vendor's homepage to obtain the latest version:
http://www.prestashop.com/