Focal Posted November 16, 2010 Share Posted November 16, 2010 PrestaShop Please Help me Resolve this Issue. My virus scanner caught this problem with the script!XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute script in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. In order to prevent this type of attack you will need to ensure that untrusted data is kept separate from browser content. The following is recommended: 1. The best option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. Unless your UI framework does this for you, your developers will need to include this escaping in your application. 2. The use of positive or "whitelist" input validation with appropriate canonicalization (decoding) can also help to protect against XSS. Link to comment Share on other sites More sharing options...
rocky Posted November 16, 2010 Share Posted November 16, 2010 I don't understand. PrestaShop fixed security issues including XSS vulnerabilities in PrestaShop v1.2.5 and v1.3.1. Are you saying there are more that they missed? Are you using a shared server or dedicated one? It is possible software from another user compromised the whole server or you are using a third-party module with an XSS vulnerability. Link to comment Share on other sites More sharing options...
Focal Posted November 16, 2010 Author Share Posted November 16, 2010 I am using a dedicated server. There are no other users on the server. And on the server its my shop.hmm a module... can 1 module cause all this to happen? if so is it a serious security threat? I have the latest version. Link to comment Share on other sites More sharing options...
Focal Posted November 16, 2010 Author Share Posted November 16, 2010 The XSS Problem is located at - /modules/blockpermanentlinksblockpermanentlinks.tplandblockpermanentlinks-header.tplPlease fix this issue ASAP. It could lead to a major duplicating threat. Link to comment Share on other sites More sharing options...
rocky Posted November 17, 2010 Share Posted November 17, 2010 Please post this issue on the bug tracker. Link to comment Share on other sites More sharing options...
Focal Posted November 17, 2010 Author Share Posted November 17, 2010 I already did. No response for 3 days. Link to comment Share on other sites More sharing options...
rocky Posted November 17, 2010 Share Posted November 17, 2010 Be patient. The PrestaShop team will eventually respond. Link to comment Share on other sites More sharing options...
Focal Posted November 17, 2010 Author Share Posted November 17, 2010 It looks like a simply fix. Can someone please fix it. I really need it to complete and launch my website. Link to comment Share on other sites More sharing options...
Focal Posted November 17, 2010 Author Share Posted November 17, 2010 I am willing to pay $3 paypal to the first person that fixes this really simple problem. Shouldn't take more then 5 minutes to do from what I could see. This offer is valid for 12 hours from the time this was posted. Link to comment Share on other sites More sharing options...
ballot Posted November 18, 2010 Share Posted November 18, 2010 i can fix it but i dont know really what is blockpermanentlinks for and how to exploit it Link to comment Share on other sites More sharing options...
Focal Posted November 19, 2010 Author Share Posted November 19, 2010 blockpermanentlinks is a default module that comes with prestashop. The module will be located at modules/blockpermanentlinks. The module is used to show links on you website such as contact us and sitemap. Link to comment Share on other sites More sharing options...
Focal Posted November 21, 2010 Author Share Posted November 21, 2010 Here is a preview of the injection attacks that can be done...This is just a simple number 42 pop up when used in Internet Explorer.Copy and paste this in Internet Explore and you will see that you will get the pop up message 42 in Internet Explorer.http://www.prestashop.com/demo/product.php?id_product='[removed][removed]alert(42)[removed]Imagine if used in a way to mess with your customers. Hackers can use Javascript codes like malware to mess with your own customers. EVERY PRESTASHOP STORE IS USING THIS MODULE AS DEFAULT!!!!!!!!! 40,000 stores. Link to comment Share on other sites More sharing options...
Focal Posted November 21, 2010 Author Share Posted November 21, 2010 Here is a preview of the injection attacks that can be done...This is just a simple number 42 pop up when used in Internet Explorer.Copy and paste this in Internet Explore and you will see that you will get the pop up message 42 in Internet Explorer.http://www.prestashop.com/demo/product.php?id_product='[removed][removed]alert(42)[removed]Imagine if used in a way to mess with your customers. Hackers can use Javascript codes like malware to mess with your own customers. EVERY PRESTASHOP STORE IS USING THIS MODULE AS DEFAULT!!!!!!!!! 40,000 stores. Looks like prestashop blocked script in the forum. Use this like to view the bug in bug tracker. http://www.prestashop.com/bug_tracker/view/6031/This is the reason why we need to resolve this issue. We can't use a Script code in a forum post but we can use it on ever prestashop store out there. Thats a big security RISK. 1 Link to comment Share on other sites More sharing options...
ballot Posted November 21, 2010 Share Posted November 21, 2010 i couldnt see your link but http://bit.ly/a6ej9Fthis alerted on me at opera and google chrome but ie has xss filteri will fix it soongo to /init.phpthere should be 2x 'come_from' => $content_base_url.$_SERVER['REQUEST_URI'], replace them to 'come_from' => addslashes($content_base_url.$_SERVER['REQUEST_URI']), if doesnt work 'come_from' => addslashes(htmlspecialchars($content_base_url.$_SERVER['REQUEST_URI'])), Link to comment Share on other sites More sharing options...
rocky Posted November 21, 2010 Share Posted November 21, 2010 I can confirm this problem. Luckily, my website isn't affected since I'm not using that module.When I enter script code after id_product= I get the message "Internet Explorer has modified this page to help prevent cross-site scripting" and I see alert#42# in the permanent links module area. Link to comment Share on other sites More sharing options...
Focal Posted November 21, 2010 Author Share Posted November 21, 2010 Ballot is that the fix you posted up top? Link to comment Share on other sites More sharing options...
ballot Posted November 21, 2010 Share Posted November 21, 2010 Ballot is that the fix you posted up top? yes its the fix Link to comment Share on other sites More sharing options...
Focal Posted November 22, 2010 Author Share Posted November 22, 2010 Ballot is that the fix you posted up top? yes its the fix Looks like the 42 error isn't poping up anymore with the 2nd fix.'come_from' => addslashes(htmlspecialchars($content_base_url.$_SERVER['REQUEST_URI'])), I will scan the website tomorrow and the next day to confirm that the issue is full resolved. Thanks for your support. I will get back ASAP! Link to comment Share on other sites More sharing options...
guest* Posted November 22, 2010 Share Posted November 22, 2010 i couldnt see your link but http://bit.ly/a6ej9Fthis alerted on me at opera and google chrome but ie has xss filteri will fix it soongo to /init.phpthere should be 2x 'come_from' => $content_base_url.$_SERVER['REQUEST_URI'], replace them to 'come_from' => addslashes($content_base_url.$_SERVER['REQUEST_URI']), if doesnt work 'come_from' => addslashes(htmlspecialchars($content_base_url.$_SERVER['REQUEST_URI'])), From which Version is this init ?I don't have this passages...Also when I try to use the code on my projects, It comes a 404 as response and FF blocks the request too, due to add-on "no-Script". So I think it is also a Server-Problem, which allows such scripts....What I have is: 'come_from' => Tools::getHttpHost(true, true).htmlentities($_SERVER['REQUEST_URI']), but I'm using 1.3.1.1. and also the official German Version. Perhaps the german coder already changed the code ?Which should the code for 1.3.1.1. ? Link to comment Share on other sites More sharing options...
guest* Posted November 22, 2010 Share Posted November 22, 2010 I tried now to use the hack with IE on all german Shops I know. On no one is it possible to hack... Perhaps the code I mentioned which apparently was already changed, also don't allow the xss-scripting, OR the secure Server... Link to comment Share on other sites More sharing options...
ballot Posted November 22, 2010 Share Posted November 22, 2010 1.3.2.3 i use Link to comment Share on other sites More sharing options...
guest* Posted November 23, 2010 Share Posted November 23, 2010 OK. Than should be the code of version 1.3.2. another and only this version with this problem. According what Focal named on Bug tracker he presumed that all 1.3. versions has the same problem... Link to comment Share on other sites More sharing options...
mirko77 Posted November 23, 2010 Share Posted November 23, 2010 Does the fix by Ballot work? Has anyone tested it yet? Link to comment Share on other sites More sharing options...
Focal Posted November 23, 2010 Author Share Posted November 23, 2010 Yes it does the second fix works great. I have scanned my website 2 times and there was no attempt of cross scripting. Thanks for the support. Problem SOLVED! Link to comment Share on other sites More sharing options...
makaraci Posted November 27, 2010 Share Posted November 27, 2010 This vulnerability is not possibly for 1.3.1 because on the 1.3.1,the init file has only : 'come_from' => Tools::getHttpHost(true, true).htmlentities($_SERVER['REQUEST_URI']), I dont know other versions.Thank you for the fix anyway. Link to comment Share on other sites More sharing options...
rocky Posted November 28, 2010 Share Posted November 28, 2010 This bug has now been fixed on SVN. Link to comment Share on other sites More sharing options...
ChrisRabkin Posted April 30, 2011 Share Posted April 30, 2011 Hello fellow prestashoppers!I have an installation that is using the new JBX horizontal menu and for days we couldn't get the site to pass PCI SECURE Scan from Qualys so we could issue a safe browsing seal. To make a long story short- the search.php that was in use allows characters that are outside the normal alpha/numerical tolerances for these scans. This was baffling to us because we were using a version of prestashop that this XSS or cross site scripting vulnerability was fixed. Once we disabled the search bar in the menu and enabled the default search for the shop we passed validation and the SECURE PCI/DSS Safe Browsing seal was issued.Just an fyi. I havent sent Julien PM about this yet but he's pretty talented and Im sure this will be an easy fix for him. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now