Search the Community

Hello PrestaShop Community, I want to bring to your attention a significant security risk associated with loading external JavaScript files in PrestaShop module https://addons.prestashop.com/en/fast-mass-updates/19965-bulk-mass-editing-products.html. Recently, I encountered a script in one of the modules that loads JavaScript from an external source, and I believe it's crucial to share the potential dangers and preventive measures with all of you. The Issue Here is the snippet of code: /masseditproduct/controllers/admin/AdminMassEditProductController.php $this->context->controller->addJS(array( $this->module->getPathUri() . 'views/js/jquery.insertAtCaret.js', $this->module->getPathUri() . 'views/js/redactor/redactor.js', // ... 'https://seosaps.com/ru/module/seosamanager/manager?ajax=1&action=script&iso_code=' . Context::getContext()->language->iso_code )); This code dynamically loads a JavaScript file from an external URL, incorporating the current language’s ISO code. https://seosaps.com/ru/module/seosamanager/manager?ajax=1&action=script&iso_code=en /** * 2007-2016 PrestaShop * * NOTICE OF LICENSE * * This source file is subject to the Academic Free License (AFL 3.0) * that is bundled with this package in the file LICENSE.txt. * It is also available through the world-wide-web at this URL: * http://opensource.org/licenses/afl-3.0.php * If you did not receive a copy of the license and are unable to * obtain it through the world-wide-web, please send an email * to [email protected] so we can send you a copy immediately. * * DISCLAIMER * * Do not edit or add to this file if you wish to upgrade PrestaShop to newer * versions in the future. If you wish to customize PrestaShop for your * needs please refer to http://www.prestashop.com for more information. * * @author Goryachev Dmitry * @copyright 2007-2016 Goryachev Dmitry * @license http://opensource.org/licenses/afl-3.0.php Academic Free License (AFL 3.0) * International Registered Trademark & Property of PrestaShop SA */ setTimeout( function () { $(function () { if (typeof $.fn.live == "undefined") { $.fn.live = $.fn.on; } if (typeof $.fn.setCenterPosAbsBlockSeoSa == "undefined") $.fn.setCenterPosAbsBlockSeoSa = function () { var offsetElemTop = 20; var scrollTop = $(document).scrollTop(); var elemWidth = $(this).width(); var windowWidth = $(window).width(); $(this).css({ top: $(this).height() > $(window).height() ? scrollTop + offsetElemTop : scrollTop + ($(window).height() - $(this).height()) / 2, left: (windowWidth - elemWidth) / 2 }); }; var seosa_manager_path = "https://seosaps.com/ru/module/seosamanager/manager"; var seosa_manager_css = "https://seosaps.com/ru/module/seosamanager/manager?ajax=1&action=css&time=1720592363"; var seosa_lang = "en"; $.post(seosa_manager_css, {}, function (r) { $("head").append(""); }); $("#seosa_manager_btn").live("click", function (e) { e.preventDefault(); $.ajax({ url: seosa_manager_path, type: "POST", data: { ajax: true, action: "manager", iso_code: seosa_lang }, success: function (r) { var body = $("body"); body.append(""); body.append(""); $("#seosa_manager_stage, #seosa_manager_form").fadeIn(300); $("#seosa_manager_form").setCenterPosAbsBlockSeoSa(); }, }); }); $("body").delegate("#seosa_manager_stage, .seosa_manager_close_form", "click", function (e) { e.preventDefault(); $("#seosa_manager_stage, #seosa_manager_form").remove(); }); }); }, 1 ); Why This is a Security Risk Cross-Site Scripting (XSS): An attacker could modify the external JavaScript file to inject malicious code, which can then execute within the context of the user’s browser. This could lead to stolen cookies, intercepted form data, and other malicious activities. Cross-Site Request Forgery (CSRF): The script could be altered to perform unauthorized actions on behalf of the logged-in user, exploiting their session. Data Theft: The modified script could send sensitive user data to an attacker’s server. Phishing: Attackers could modify the script to change the appearance of the website, inserting fake login forms or other elements to steal user credentials. Why doesn't prestashop check the code before publishing it to people? All modules should host scripts locally in modules, not externally.

I've just gone live with my website and am already getting a bunch of emails from the "Error reporting from your PayPalAPI module". It's clearly just random hacking attempts (see the report: no report is given), but I don't want to be getting 10 emails a day for it and I'm confident there's an easy fix - I just don't see it. Also, given the random hacking activity, where would I read up on how Prestashop interacts with the module (where the hacking attempts are coming from)? Thank you for your time!