c64girl
Posted July 10, 2024 (edited)

Hello PrestaShop Community,

I want to bring to your attention a significant security risk associated with loading external JavaScript files in the PrestaShop module https://addons.prestashop.com/en/fast-mass-updates/19965-bulk-mass-editing-products.html. Recently, I encountered a script in one of the modules that loads JavaScript from an external source, and I believe it's crucial to share the potential dangers and preventive measures with all of you.

The Issue

Here is the snippet of code, from /masseditproduct/controllers/admin/AdminMassEditProductController.php:

```php
$this->context->controller->addJS(array(
    $this->module->getPathUri() . 'views/js/jquery.insertAtCaret.js',
    $this->module->getPathUri() . 'views/js/redactor/redactor.js',
    // ...
    'https://seosaps.com/ru/module/seosamanager/manager?ajax=1&action=script&iso_code=' . Context::getContext()->language->iso_code
));
```

This code dynamically loads a JavaScript file from an external URL, incorporating the current language's ISO code:

https://seosaps.com/ru/module/seosamanager/manager?ajax=1&action=script&iso_code=en

```js
/**
 * 2007-2016 PrestaShop
 *
 * NOTICE OF LICENSE
 *
 * This source file is subject to the Academic Free License (AFL 3.0)
 * that is bundled with this package in the file LICENSE.txt.
 * It is also available through the world-wide-web at this URL:
 * http://opensource.org/licenses/afl-3.0.php
 * If you did not receive a copy of the license and are unable to
 * obtain it through the world-wide-web, please send an email
 * to [email protected] so we can send you a copy immediately.
 *
 * DISCLAIMER
 *
 * Do not edit or add to this file if you wish to upgrade PrestaShop to newer
 * versions in the future. If you wish to customize PrestaShop for your
 * needs please refer to http://www.prestashop.com for more information.
 *
 * @author    Goryachev Dmitry
 * @copyright 2007-2016 Goryachev Dmitry
 * @license   http://opensource.org/licenses/afl-3.0.php Academic Free License (AFL 3.0)
 * International Registered Trademark & Property of PrestaShop SA
 */
setTimeout(function () {
    $(function () {
        if (typeof $.fn.live == "undefined") {
            $.fn.live = $.fn.on;
        }
        if (typeof $.fn.setCenterPosAbsBlockSeoSa == "undefined")
            $.fn.setCenterPosAbsBlockSeoSa = function () {
                var offsetElemTop = 20;
                var scrollTop = $(document).scrollTop();
                var elemWidth = $(this).width();
                var windowWidth = $(window).width();
                $(this).css({
                    top: $(this).height() > $(window).height()
                        ? scrollTop + offsetElemTop
                        : scrollTop + ($(window).height() - $(this).height()) / 2,
                    left: (windowWidth - elemWidth) / 2
                });
            };
        var seosa_manager_path = "https://seosaps.com/ru/module/seosamanager/manager";
        var seosa_manager_css = "https://seosaps.com/ru/module/seosamanager/manager?ajax=1&action=css&time=1720592363";
        var seosa_lang = "en";
        $.post(seosa_manager_css, {}, function (r) {
            $("head").append(""); // the markup argument was stripped when the post was rendered; shown as posted
        });
        $("#seosa_manager_btn").live("click", function (e) {
            e.preventDefault();
            $.ajax({
                url: seosa_manager_path,
                type: "POST",
                data: { ajax: true, action: "manager", iso_code: seosa_lang },
                success: function (r) {
                    var body = $("body");
                    body.append(""); // markup arguments stripped in the forum rendering; shown as posted
                    body.append("");
                    $("#seosa_manager_stage, #seosa_manager_form").fadeIn(300);
                    $("#seosa_manager_form").setCenterPosAbsBlockSeoSa();
                },
            });
        });
        $("body").delegate("#seosa_manager_stage, .seosa_manager_close_form", "click", function (e) {
            e.preventDefault();
            $("#seosa_manager_stage, #seosa_manager_form").remove();
        });
    });
}, 1);
```

Why This is a Security Risk

- Cross-Site Scripting (XSS): An attacker could modify the external JavaScript file to inject malicious code, which can then execute within the context of the user's browser. This could lead to stolen cookies, intercepted form data, and other malicious activities.
- Cross-Site Request Forgery (CSRF): The script could be altered to perform unauthorized actions on behalf of the logged-in user, exploiting their session.
- Data Theft: The modified script could send sensitive user data to an attacker's server.
- Phishing: Attackers could modify the script to change the appearance of the website, inserting fake login forms or other elements to steal user credentials.

Why doesn't PrestaShop check the code before publishing it to people? All modules should host scripts locally in modules, not externally.

Edited July 10, 2024 by c64girl
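As an added example (not code from the post or from the module), a small Python audit script that scans a module's PHP sources for addJS()/addCSS() string arguments pointing at an external origin, so a reviewer can spot such loads before installing; the sample PHP, the protocol-relative CSS line and the trusted-host set are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the addJS() snippet in the post; not the module's real file.
SAMPLE_PHP = """<?php
$this->context->controller->addJS(array(
    $this->module->getPathUri() . 'views/js/jquery.insertAtCaret.js',
    $this->module->getPathUri() . 'views/js/redactor/redactor.js',
    'https://seosaps.com/ru/module/seosamanager/manager?ajax=1&action=script&iso_code=' . Context::getContext()->language->iso_code
));
$this->context->controller->addCSS('//cdn.example.invalid/lib.css');
$this->context->controller->addJS($this->module->getPathUri() . 'views/js/local.js');
"""

CALL_RE = re.compile(r"\b(addJS|addCSS)\s*\(")          # asset-registration calls named in the post
STR_RE = re.compile(r"""(['"])(.*?)\1""", re.S)         # PHP string literals inside the call
EXTERNAL_RE = re.compile(r"^(?:https?:)?//", re.I)      # absolute or protocol-relative URL

def call_arguments(src, start):
    """Return the text between the '(' at src[start] and its balanced ')'."""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
    return src[start + 1:]  # unbalanced call: scan to end of file rather than miss it

def find_external_assets(php_src, trusted_hosts=frozenset()):
    """Return one finding per asset literal served from a host outside trusted_hosts.
    Relative paths (resolved under the module's own URI) are ignored."""
    findings = []
    for m in CALL_RE.finditer(php_src):
        args = call_arguments(php_src, m.end() - 1)
        for s in STR_RE.finditer(args):
            literal = s.group(2)
            if not EXTERNAL_RE.match(literal):
                continue
            absolute = literal if "://" in literal else "https:" + literal
            host = (urlparse(absolute).hostname or "").lower()
            if host in trusted_hosts:
                continue
            line = php_src.count("\n", 0, m.start()) + 1
            findings.append({"line": line, "call": m.group(1), "url": literal, "host": host})
    return findings

if __name__ == "__main__":
    for f in find_external_assets(SAMPLE_PHP):
        print(f"line {f['line']}: {f['call']} loads {f['url']} from {f['host']}")
```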