[SOLVED] Cross-site scripting attack problem

PrestaShop, please help me resolve this issue. My virus scanner caught this problem with the script!


XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites. In order to prevent this type of attack you will need to ensure that untrusted data is kept separate from browser content. The following is recommended:

1. The best option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. Unless your UI framework does this for you, your developers will need to include this escaping in your application.

2. The use of positive or "whitelist" input validation with appropriate canonicalization (decoding) can also help to protect against XSS.


I don't understand. PrestaShop fixed security issues including XSS vulnerabilities in PrestaShop v1.2.5 and v1.3.1. Are you saying there are more that they missed? Are you using a shared server or a dedicated one? It is possible software from another user compromised the whole server, or you are using a third-party module with an XSS vulnerability.


I am using a dedicated server. There are no other users on the server, and on the server it's only my shop.

Hmm, a module... Can one module cause all this to happen? If so, is it a serious security threat? I have the latest version.


I am willing to pay $3 via PayPal to the first person that fixes this really simple problem. It shouldn't take more than 5 minutes to do from what I could see. This offer is valid for 12 hours from the time this was posted.


blockpermanentlinks is a default module that comes with PrestaShop. The module is located at modules/blockpermanentlinks. It is used to show links on your website such as Contact Us and Sitemap.


Here is a preview of the injection attacks that can be done...

This is just a simple "42" pop-up when used in Internet Explorer.

Copy and paste this into Internet Explorer and you will see that you get the pop-up message "42" in Internet Explorer.

http://www.prestashop.com/demo/product.php?id_product='[removed][removed]alert(42)[removed]

Imagine if it were used in a way to mess with your customers. Hackers can use JavaScript code, like malware, to mess with your own customers.

EVERY PRESTASHOP STORE IS USING THIS MODULE BY DEFAULT! 40,000 stores.


Looks like PrestaShop blocked the script in the forum. Use this link to view the bug in the bug tracker.

http://www.prestashop.com/bug_tracker/view/6031/

This is the reason why we need to resolve this issue. We can't use script code in a forum post, but we can use it on every PrestaShop store out there. That's a big security RISK.


I couldn't see your link, but
http://bit.ly/a6ej9F
this alerted for me in Opera and Google Chrome, but IE has an XSS filter.
I will fix it soon.

Go to /init.php

There should be two occurrences of

    'come_from' => $content_base_url.$_SERVER['REQUEST_URI'],

Replace them with

    'come_from' => addslashes($content_base_url.$_SERVER['REQUEST_URI']),

If that doesn't work:

    'come_from' => addslashes(htmlspecialchars($content_base_url.$_SERVER['REQUEST_URI'])),

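The two fixes proposed above behave very differently, and the thread only records that the second one "works". The following is an added example (not PrestaShop code, and not the module's real markup) that takes a payload shaped like the id_product='...alert(42)... URL from the bug report, runs it through the unescaped line, the addslashes() version and the htmlspecialchars() version, and renders each into a hidden input and a link the way a come_from value typically ends up in a template. The render(), comeFrom*() and validProductId() functions, the ATTACK_URI constant and the http://shop.example base are all constructed for this example; the whitelist check at the end illustrates recommendation 2 of the scanner text at the top of the thread.

```php
<?php
// Added example, not PrestaShop code. Shows why addslashes() does not stop
// reflected XSS through $_SERVER['REQUEST_URI'] while htmlspecialchars() does,
// and adds the positive validation the scanner report recommends.
declare(strict_types=1);

// Constructed attacker input, modelled on the thread's id_product='...alert(42)... URL.
const ATTACK_URI = "/product.php?id_product='\"><script>alert(42)</script>";

// Stand-in for the module template: come_from lands in an attribute and in an href.
// (Constructed; the real blockpermanentlinks markup is not on this page.)
function render(string $comeFrom): string
{
    return '<input type="hidden" name="come_from" value="' . $comeFrom . '">' . "\n"
         . '<a href="' . $comeFrom . '">back</a>';
}

// Original line: no encoding. The quote in the payload closes the attribute
// and everything after it is parsed as markup.
function comeFromUnsafe(string $base, string $uri): string
{
    return $base . $uri;
}

// First suggested fix. addslashes() only prefixes ' " \ and NUL with a
// backslash. That is string-literal escaping, not HTML escaping: a backslash
// means nothing to the HTML parser, the quote still terminates the attribute,
// and < > are untouched, so <script> still runs.
function comeFromAddslashes(string $base, string $uri): string
{
    return addslashes($base . $uri);
}

// Second suggested fix, the one the thread confirms. htmlspecialchars() turns
// & < > " (and ' with ENT_QUOTES) into entities, so the browser sees text.
// ENT_QUOTES matters because templates also use single-quoted attributes;
// ENT_SUBSTITUTE keeps invalid UTF-8 from making the function return ''.
function comeFromEscaped(string $base, string $uri): string
{
    return htmlspecialchars($base . $uri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Whitelist validation for the parameter the payload rode in on: a product id
// is a decimal integer, so anything else is rejected before it reaches any
// template or query. Returns null for rejected input.
function validProductId(?string $raw): ?int
{
    if ($raw === null || preg_match('/\A\d+\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

// Crude check standing in for "does a live script tag reach the browser?"
function containsLiveScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$base = 'http://shop.example';
$variants = [
    'unsafe'           => 'comeFromUnsafe',
    'addslashes'       => 'comeFromAddslashes',
    'htmlspecialchars' => 'comeFromEscaped',
];
foreach ($variants as $label => $fn) {
    $html = render($fn($base, ATTACK_URI));
    printf("%-17s script tag survives: %s\n", $label, containsLiveScriptTag($html) ? 'yes' : 'no');
    echo $html, "\n\n";
}

var_dump(validProductId("'\"><script>alert(42)</script>"));
var_dump(validProductId('42'));
```

Run with `php example.php`. The unsafe and addslashes variants both leave a literal `<script>` in the output (the addslashes one merely gains a backslash before each quote), while the htmlspecialchars variant emits `&lt;script&gt;` inside an intact attribute; the whitelist check returns null for the payload and 42 for a real id. The thread's working fix wraps htmlspecialchars() in addslashes(), which is harmless here but adds nothing for the HTML context; the escaping is what neutralises the payload.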

I can confirm this problem. Luckily, my website isn't affected since I'm not using that module.

When I enter script code after id_product= I get the message "Internet Explorer has modified this page to help prevent cross-site scripting" and I see alert#42# in the permanent links module area.


Ballot, is that the fix you posted up top?


Yes, it's the fix.


Looks like the "42" alert isn't popping up anymore with the 2nd fix:

    'come_from' => addslashes(htmlspecialchars($content_base_url.$_SERVER['REQUEST_URI'])),

I will scan the website tomorrow and the next day to confirm that the issue is fully resolved. Thanks for your support. I will get back ASAP!


From which version is this init.php?

I don't have these passages...

Also, when I try to use the code on my projects, I get a 404 as the response, and FF blocks the request too, due to the NoScript add-on. So I think it is also a server problem which allows such scripts...

What I have is:

    'come_from' => Tools::getHttpHost(true, true).htmlentities($_SERVER['REQUEST_URI']),

but I'm using 1.3.1.1, and also the official German version. Perhaps the German coder already changed the code?

What should the code be for 1.3.1.1?


I have now tried the hack with IE on all the German shops I know. On none of them is it possible to hack... Perhaps the code I mentioned, which apparently was already changed, also doesn't allow the XSS, OR the secure server does not...


This vulnerability is not possible for 1.3.1, because on 1.3.1 the init file has only:

    'come_from' => Tools::getHttpHost(true, true).htmlentities($_SERVER['REQUEST_URI']),

I don't know about other versions.

Thank you for the fix anyway.


5 months later...

Hello fellow PrestaShoppers!

I have an installation that is using the new JBX horizontal menu, and for days we couldn't get the site to pass the PCI SECURE scan from Qualys so we could issue a safe browsing seal.

To make a long story short: the search.php that was in use allows characters that are outside the normal alphanumeric tolerances for these scans. This was baffling to us because we were using a version of PrestaShop in which this XSS (cross-site scripting) vulnerability was fixed.
Once we disabled the search bar in the menu and enabled the default search for the shop, we passed validation and the SECURE PCI DSS Safe Browsing seal was issued.

Just an FYI.


I haven't sent Julien a PM about this yet, but he's pretty talented and I'm sure this will be an easy fix for him.
