Prestashop XSS flaw, or cross-site scripting vulnerability


I've got my PrestaShop up and running well, and my brother-in-law visited my site and he got a pop-up from his anti-virus, saying "Part of this page has been blocked due to the following reason: This page has been blocked because it attempts to exploit an application level vulnerability"

I've only had the site up for like 3 days, and it either appears that I have been "hacked" or that anti-virus programs detect the issue and won't load. I've searched the forum and the web and I've found a bunch of sites for example...

http://www.securityfocus.com/bid/32689/discuss

That tells about this issue. There is very little information on this site or the forums about this topic. Has anyone seen or heard of this? And if so, what might the fix be? I've shut my site down for now, and I'd rather not change carts in mid stream. Maybe I am using an old version? That doesn't make sense, I only downloaded it from this site like 5 days ago, and just installed it.

Any ideas?


Bump

Has no one ever encountered this other than me? Does this not concern anyone else? Maybe it's just a setting that I'm not aware of that some of you know about that'll take care of it. Can anyone shed some light on this?


Not a one? No one has seen this issue? Not even a comment on it? I'm going to take a look at Magento or Zen Cart, as I can't have security issues, or someone using a vulnerability to gain access to other people's computers or whatever this vulnerability might do. If I'm mistaken about this, or if there is a fix, I'm all ears, as I'd rather not have wasted time learning how to use this system.

For those of you who have been running prestashop for some time, without fail or issue, please chime in. I need to know if this is something I should be worried about, or I'll have no choice but to switch. I'm not trying to be "one of those guys" who doesn't appreciate what you've all done here. I do. I just want to make sure everything works right etc. Thanks guys!


Sorry, I don't know the answer. I've never encountered this issue before in any of the Prestashop websites I've done and it seems no-one else has either, since you haven't received any replies. I'm not sure why it is happening to you.

From the screenshot, it appears you are using Windows XP with Internet Explorer 6. Perhaps your computer has been compromised by a keylogger and someone used your login details to add bad code to your website. I strongly suggest that you upgrade to a newer operating system and browser that has much better security.


The screenshot isn't from my computer. It's from my brother in law's work computer, so who knows what they have him using. Old software by the looks of things. But the link I have there too shows that there is a vulnerability. I'm just concerned that there is something going on. Rocky, have you had any issues at all? Doesn't seem like anyone has, so I'm wondering if I should keep using it. I appreciate the response! Thanks guys.


I've never seen this issue before. I searched Google using the error message and I don't think it is a security issue in Prestashop, since it appears to happen on other websites including Yahoo Mail. From what I've read, you should check the proxy settings and the browser's security settings to fix the problem.



Dear all,

PrestaShop is currently still vulnerable to XSS (cross-site scripting).

In order.php and search.php the input fields still accept characters that must be eliminated to prevent XSS,

for instance:

# Remove < input and replace with &lt;
# Remove > input and replace with &gt;
# Remove ' input and replace with &#39;
# Remove " input and replace with &quot;
# Remove ) input and replace with &#41;
# Remove ( input and replace with &#40;

These things should not be allowed in fields.
If you do accept them, an XSS is possible, so a trim and parsing for / and \ is not enough.
A colleague's dev used the htmlentities function from PHP to do this.
The problem is where the PrestaShop dev team would change this to eliminate XSS.

Example:

Path /order.php
Query step=>">[removed]alert(123)[removed]<"
Headers Referer=http://myshop.com/

Path /search.php
Query orderby=>">[removed]alert(123)[removed]<"
orderway=desc
search_query=0
submit_search=Search
Headers Referer=http://myshop.com/

So please take this into the dev changes (to strip the above chars with htmlentities).

Thanks

It would be nice if people also posted which PrestaShop version they are using. Perhaps an old version or the newest one has some vulnerability, but other ones not.

I tried to access the site with FF, but it doesn't open and said "Invalid URL" after parsing for about 1 minute...

I tried a hack on my version with the characters named here and it is not possible to do anything with it...

The response is: not found.... So perhaps the server he is hosting his project on is also vulnerable...



Reflected Cross-Site Scripting (XSS) Vulnerabilities
www.XXXXX.com - QID: 15XXXXX1
QID: 15XXXXX1
CVSS Base: 7.5
CVSS Temporal: 6.7
Category: Web Application
Threat:

XSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML response sent to the Web browser. For example, a Web application might include the user's name as part of a welcome message or display a home address when confirming a shipping destination. If the user-supplied data contain characters that are interpreted as part of an HTML element instead of literal text, then an attacker can modify the HTML that is received by the victim's Web browser.

The XSS payload is echoed in the HTML document returned by the request. An XSS payload may consist of HTML, JavaScript or other content that will be rendered by the browser. In order to exploit this vulnerability, a malicious user would need to trick a victim into visiting the URL with the XSS payload.
Impact:

XSS exploits pose a significant threat to a Web application, its users and user data. XSS exploits target the users of a Web application rather than the Web application itself. An exploit can lead to theft of the user's credentials and personal or financial information. Complex exploits and attack scenarios are possible via XSS because it enables an attacker to execute dynamic code. Consequently, any capability or feature available to the Web browser (for example HTML, JavaScript, Flash and Java applets) can be used as a part of a compromise.
Solution:

Filter all data collected from the client including user-supplied content and browser content such as Referrer and User-Agent headers.

Any data collected from the client and displayed in a Web page should be HTML-encoded to ensure the content is rendered as text instead of an HTML element or JavaScript.
Results:

http://www.XXXXX.com/search.php -- e="orderby"/>
<input type="hidden" value="desc" name="orderway"/>
<input type="text" name="search_query" value="\"><qss>" onfocus="[removed]if(this.value=='Search')this.value='';" onblur="[removed]if(this.value=='')this.value='Search';" />
<input i

http://www.XXXXX.com/search.php -- e="orderby"/>
<input type="hidden" value="desc" name="orderway"/>
<input type="text" name="search_query" value="\"><qss>" onfocus="[removed]if(this.value=='Search')this.value='';" onblur="[removed]if(this.value=='')this.value='Search';" />
<input i

http://www.XXXXX.com/search.php -- "orderby"/>
<input type="hidden" value="desc" name="orderway"/>
<input type="text" name="search_query" value="\"\'><qss>" onfocus="[removed]if(this.value=='Search')this.value='';" onblur="[removed]if(this.value=='')this.value='Search';" />
<input i

http://www.XXXXX.com/search.php -- "orderby"/>
<input type="hidden" value="desc" name="orderway"/>
<input type="text" name="search_query" value="\"\'><qqs `;!--=&{()}>" onfocus="[removed]if(this.value=='Search')this.value='';" onblur="[removed]if(this.value=='')this.value='Search';" />

http://www.XXXXX.com/search.php -- "orderby"/>
<input type="hidden" value="desc" name="orderway"/>
<input type="text" name="search_query" value="\"\'><qss>" onfocus="[removed]if(this.value=='Search')this.value='';" onblur="[removed]if(this.value=='')this.value='Search';" />
<input i

http://www.XXXXX.com/search.php -- "orderby"/>
<input type="hidden" value="desc" name="orderway"/>
<input type="text" name="search_query" value="\"\'><qqs `;!--=&{()}>" onfocus="[removed]if(this.value=='Search')this.value='

The version of PrestaShop that this specific store is using is 1.3.6.

The scan was completed as part of PCI compliance SECURE Seal issuance scans from Qualys.
Although I do not believe that user data could be accessed using this vulnerability, all sites that collect credit cards and have this are in violation of the PCI compliance rules, and the merchant could be subject to fines and a host of other penalties, including losing the ability to accept and process credit cards.

Pretty serious stuff. However, as a caveat to this, I built another site for my brother using a free template from Template Monster and his site passes all 4 areas of SECURE Seal testing. Same version of PrestaShop, just a different template.

I have not tested just the basic plain Jane PrestaShop for PCI compliance; however, I think if there isn't a compliance section on the forums there needs to be one, and QUICKLY.

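As an added example (not PrestaShop's code, nor the poster's or the scanner's), the following PHP shows why the backslash-escaped value seen in the scan results above still breaks out of the attribute, what the HTML-encoding called for by the report's Solution section and by the earlier htmlentities suggestion looks like in practice, and a regression check for the scanner's <qss> marker. Function names are assumptions; the inputs are the marker payloads copied from the scan results.

```php
<?php
// Added example, not PrestaShop code. Shows why backslash-escaping does not
// stop reflected XSS in an HTML attribute and how HTML-encoding does.

// Constructed inputs: the two marker payloads visible in the scan results.
$payloads = ['"><qss>', '"\'><qss>'];

// Vulnerable pattern, producing the value="\"><qss>" seen in the results.
// addslashes() is a string/SQL escape; an HTML parser gives the backslash no
// special meaning, so the quote still closes the attribute and <qss> becomes
// a real element in the page.
function renderSearchBoxVulnerable(string $searchQuery): string
{
    return '<input type="text" name="search_query" value="'
        . addslashes($searchQuery) . '" />';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES covers
// both " and ' (the second payload uses both), so the value can never
// terminate the attribute or open a tag.
function renderSearchBoxFixed(string $searchQuery): string
{
    return '<input type="text" name="search_query" value="'
        . htmlspecialchars($searchQuery, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '" />';
}

// Regression check in the scanner's style: the finding is live if the raw
// marker tag survives into the response instead of being encoded.
function reflectsUnencodedMarker(string $html): bool
{
    return strpos($html, '<qss>') !== false;
}

foreach ($payloads as $payload) {
    $vulnerable = renderSearchBoxVulnerable($payload);
    $fixed      = renderSearchBoxFixed($payload);

    echo "input:      $payload\n";
    echo "vulnerable: $vulnerable\n";
    echo "  marker live? ", reflectsUnencodedMarker($vulnerable) ? "yes\n" : "no\n";
    echo "fixed:      $fixed\n";
    echo "  marker live? ", reflectsUnencodedMarker($fixed) ? "yes\n" : "no\n";
    echo "\n";
}
```

The same check can be pointed at the real response of search.php with the marker in search_query and orderby, which is what the Qualys result lines above record.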


Hi guys,

Has this issue been looked at more closely at all in 1.4?

I'm working on a client site right now and this potential problem has come up. Is the user data sanitised during input to the database?

I've had a quick look through some of the controllers, and a look online for any tools that can check for XSS vulnerabilities, but haven't had any luck.

Is anybody else aware if XSS is still a concern in PrestaShop 1.4+?

Thanks,

Mark
