[SOLVED] Cross-site scripting attack problem

[Focal]

PrestaShop Please Help me Resolve this Issue. My virus scanner caught this problem with the script!


XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute script in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. In order to prevent this type of attack you will need to ensure that untrusted data is kept separate from browser content. The following is recommended: 1. The best option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. Unless your UI framework does this for you, your developers will need to include this escaping in your application. 2. The use of positive or "whitelist" input validation with appropriate canonicalization (decoding) can also help to protect against XSS.

[rocky]

I don't understand. PrestaShop fixed security issues including XSS vulnerabilities in PrestaShop v1.2.5 and v1.3.1. Are you saying there are more that they missed? Are you using a shared server or dedicated one? It is possible software from another user compromised the whole server or you are using a third-party module with an XSS vulnerability.

[Focal]

I am using a dedicated server. There are no other users on the server. And on the server its my shop.

hmm a module... can 1 module cause all this to happen? if so is it a serious security threat? I have the latest version.

[Focal]

The XSS Problem is located at - /modules/blockpermanentlinks

blockpermanentlinks.tpl
and
blockpermanentlinks-header.tpl


Please fix this issue ASAP. It could lead to a major duplicating threat.

[rocky]

Please post this issue on the bug tracker.

[Focal]

I already did. No response for 3 days.

[rocky]

Be patient. The PrestaShop team will eventually respond.

[Focal]

It looks like a simply fix. Can someone please fix it. I really need it to complete and launch my website.

[Focal]

I am willing to pay $3 paypal to the first person that fixes this really simple problem. Shouldn't take more then 5 minutes to do from what I could see. This offer is valid for 12 hours from the time this was posted.

[ballot]

i can fix it but i dont know really what is blockpermanentlinks for and how to exploit it

[Focal]

blockpermanentlinks is a default module that comes with prestashop. The module will be located at modules/blockpermanentlinks. The module is used to show links on you website such as contact us and sitemap.

[Focal]

Here is a preview of the injection attacks that can be done...

This is just a simple number 42 pop up when used in Internet Explorer.

Copy and paste this in Internet Explore and you will see that you will get the pop up message 42 in Internet Explorer.

http://www.prestashop.com/demo/product.php?id_product='[removed][removed]alert(42)[removed]

Imagine if used in a way to mess with your customers. Hackers can use Javascript codes like malware to mess with your own customers.

EVERY PRESTASHOP STORE IS USING THIS MODULE AS DEFAULT!!!!!!!!! 40,000 stores.

[Focal]

Here is a preview of the injection attacks that can be done...

This is just a simple number 42 pop up when used in Internet Explorer.

Copy and paste this in Internet Explore and you will see that you will get the pop up message 42 in Internet Explorer.

http://www.prestashop.com/demo/product.php?id_product='[removed][removed]alert(42)[removed]

Imagine if used in a way to mess with your customers. Hackers can use Javascript codes like malware to mess with your own customers.

EVERY PRESTASHOP STORE IS USING THIS MODULE AS DEFAULT!!!!!!!!! 40,000 stores.

Looks like prestashop blocked script in the forum. Use this like to view the bug in bug tracker.

http://www.prestashop.com/bug_tracker/view/6031/

This is the reason why we need to resolve this issue. We can't use a Script code in a forum post but we can use it on ever prestashop store out there. Thats a big security RISK.

[ballot]

i couldnt see your link but
http://bit.ly/a6ej9F
this alerted on me at opera and google chrome but ie has xss filter
i will fix it soon

go to /init.php

there should be 2x

 'come_from' => $content_base_url.$_SERVER['REQUEST_URI'],

replace them to

'come_from' => addslashes($content_base_url.$_SERVER['REQUEST_URI']),

if doesnt work

  'come_from' => addslashes(htmlspecialchars($content_base_url.$_SERVER['REQUEST_URI'])),

[rocky]

I can confirm this problem. Luckily, my website isn't affected since I'm not using that module.

When I enter script code after id_product= I get the message "Internet Explorer has modified this page to help prevent cross-site scripting" and I see alert#42# in the permanent links module area.

[Focal]

Ballot is that the fix you posted up top?

[ballot]

Ballot is that the fix you posted up top?

yes its the fix

[Focal]

Ballot is that the fix you posted up top?

yes its the fix

Looks like the 42 error isn't poping up anymore with the 2nd fix.

'come_from' => addslashes(htmlspecialchars($content_base_url.$_SERVER['REQUEST_URI'])),

I will scan the website tomorrow and the next day to confirm that the issue is full resolved. Thanks for your support. I will get back ASAP!

[guest*]

i couldnt see your link but
http://bit.ly/a6ej9F
this alerted on me at opera and google chrome but ie has xss filter
i will fix it soon

go to /init.php

there should be 2x

 'come_from' => $content_base_url.$_SERVER['REQUEST_URI'],

replace them to

'come_from' => addslashes($content_base_url.$_SERVER['REQUEST_URI']),

if doesnt work

  'come_from' => addslashes(htmlspecialchars($content_base_url.$_SERVER['REQUEST_URI'])),

From which Version is this init ?

I don't have this passages...

Also when I try to use the code on my projects, It comes a 404 as response and FF blocks the request too, due to add-on "no-Script". So I think it is also a Server-Problem, which allows such scripts....

What I have is:

'come_from' => Tools::getHttpHost(true, true).htmlentities($_SERVER['REQUEST_URI']), 

but I'm using 1.3.1.1. and also the official German Version. Perhaps the german coder already changed the code ?

Which should the code for 1.3.1.1. ?

[guest*]

I tried now to use the hack with IE on all german Shops I know. On no one is it possible to hack... Perhaps the code I mentioned which apparently was already changed, also don't allow the xss-scripting, OR the secure Server...

[ballot]

1.3.2.3 i use

[guest*]

OK. Than should be the code of version 1.3.2. another and only this version with this problem. According what Focal named on Bug tracker he presumed that all 1.3. versions has the same problem...

[mirko77]

Does the fix by Ballot work? Has anyone tested it yet?

[Focal]

Yes it does the second fix works great. I have scanned my website 2 times and there was no attempt of cross scripting. Thanks for the support.

Problem SOLVED!

[makaraci]

This vulnerability is not possibly for 1.3.1 because on the 1.3.1,the init file has only :

'come_from' => Tools::getHttpHost(true, true).htmlentities($_SERVER['REQUEST_URI']),

I dont know other versions.

Thank you for the fix anyway.

[rocky]

This bug has now been fixed on SVN.

[ChrisRabkin]

Hello fellow prestashoppers!

I have an installation that is using the new JBX horizontal menu and for days we couldn't get the site to pass PCI SECURE Scan from Qualys so we could issue a safe browsing seal.

To make a long story short- the search.php that was in use allows characters that are outside the normal alpha/numerical tolerances for these scans. This was baffling to us because we were using a version of prestashop that this XSS or cross site scripting vulnerability was fixed.
Once we disabled the search bar in the menu and enabled the default search for the shop we passed validation and the SECURE PCI/DSS Safe Browsing seal was issued.

Just an fyi.


I havent sent Julien PM about this yet but he's pretty talented and Im sure this will be an easy fix for him.