James R Posted March 13, 2012 Share Posted March 13, 2012 Hi there, I used an online security checking application yesterday to scan my Prestashop 1.3.1 install a thorough check. It came back with two 'High Risk' findings: XSS vector in document body (In-Body) (1) Vulnerable URL's found: https://www.mywebsite.com/authentication.php Scan Message: injected syntax in JS/CSS code Server Request Details: POST /authentication.php HTTP/1.1 Host: www.mywebsiten.com Accept: */* Accept-Language: en,en-US;q=0.5 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; SF/2.02b) Accept-Encoding: gzip, deflate Connection: Keep-Alive Range: bytes=0-199999 Referer: https://www.mywebsite.com/ Cookie: 177007dc5024ff546179f25344426a2c=6lT%2Fj%2B5rG4Y%3DPGUkqjdjsq0%3D8x2vaoF%2FYuU%3DYgQYtpReVHQ%3DTnfrKBbiLe8%3DILw7kfNp37Y%3DPWl092xt6bM%3DvpkxzpcDDnE%3DZBIjgGNNOqI%3DD%2Bn%2FjfANd8E%3DF6BSXGVWf2w%3DJwq6mphN%2B9Y%3DyotUkDOl4Dg%3D44nIZ4XyxRo%3DfGQaRMKMR0Y%3DldtdIVmGGjI%3Dxdjshpz51ak%3DaWMQjinyLpY%3D Content-Type: application/x-www-form-urlencoded Content-Length: 414 id_gender=3&customer_firstname=John&customer_lastname=Smith&[email protected]&passwd=golem&days=1&months=1&years=2010&newsletter=on&company=ACME&firstname=John&lastname=Smith&address1=1&address2=1&city=Mountain%20View&postcode=000&id_country=US&id_state=CA&other=1&phone=6505550100&phone_mobile=6505550100&alias=My%20address&dni=.htaccess.aspx-->">'>'"<sfi000579v486672>&email_create=1&submitAccount=Register Incorrect caching directives (higher risk) (1) Vulnerable URL's found: https://www.mywebsite.com/ Scan Message: implicitly cacheable \x27Set-Cookie\x27 response Server Request Details: GET / HTTP/1.1 Host: www.mywebsite.com Accept: */* Accept-Language: en,en-US;q=0.5 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; SF/2.02b) Accept-Encoding: gzip, deflate Connection: Keep-Alive Range: bytes=0-199999 Referer: http://www.rubycotton.com/ Cookie: 177007dc5024ff546179f25344426a2c=6lT%2Fj%2B5rG4Y%3DPGUkqjdjsq0%3D8x2vaoF%2FYuU%3DYgQYtpReVHQ%3DTnfrKBbiLe8%3DILw7kfNp37Y%3DPWl092xt6bM%3DvpkxzpcDDnE%3DZBIjgGNNOqI%3DD%2Bn%2FjfANd8E%3DF6BSXGVWf2w%3DJwq6mphN%2B9Y%3DyotUkDOl4Dg%3D44nIZ4XyxRo%3DfGQaRMKMR0Y%3DldtdIVmGGjI%3Dxdjshpz51ak%3DaWMQjinyLpY%3D Has anyone else come across these issues before and is there a way to fix them? Planning an upgrade this week so this coule potential solve these problems? Thanks, James</sfi000579v486672> Link to comment Share on other sites More sharing options...
Dh42 Posted March 28, 2012 Share Posted March 28, 2012 You are several versions behind the latest stable release. You should update your shop. Link to comment Share on other sites More sharing options...
James R Posted March 28, 2012 Author Share Posted March 28, 2012 You are several versions behind the latest stable release. You should update your shop. It's been updated now and yet again I face SSL issues: http://www.prestashop.com/forums/topic/155662-critical-ssl-bug-in-ps-147-fix-inside/ Link to comment Share on other sites More sharing options...
Dh42 Posted March 28, 2012 Share Posted March 28, 2012 Once that patch is applied the issue is no longer a problem. Link to comment Share on other sites More sharing options...
James R Posted March 28, 2012 Author Share Posted March 28, 2012 I've tried both fixes and neither have solved the SSL issue. Link to comment Share on other sites More sharing options...
Dh42 Posted March 28, 2012 Share Posted March 28, 2012 link to your site? Link to comment Share on other sites More sharing options...
James R Posted March 28, 2012 Author Share Posted March 28, 2012 I've issued a bug on it: http://forge.prestashop.com/browse/PSCFI-5279 Website: www.rubycotton.com Link to comment Share on other sites More sharing options...
Dh42 Posted March 28, 2012 Share Posted March 28, 2012 In your preferences >> Seo do you have a https:// before your secure url? Also I am guessing you have ssl turned on in the bo. Link to comment Share on other sites More sharing options...
Dh42 Posted March 28, 2012 Share Posted March 28, 2012 also on a side note are you comfortable using phpmyadmin? Link to comment Share on other sites More sharing options...
James R Posted March 28, 2012 Author Share Posted March 28, 2012 In your preferences >> Seo do you have a https:// before your secure url? Also I am guessing you have ssl turned on in the bo. In this section below? I just had the url starting with 'www': ' Shop domain name for SSL: www.rubycotton.com ' I just tested changing it to ' Shop domain name for SSL: https:// www.rubycotton.com ' and my homeslidehow module stopped working but the ssl seems to be kicking it although it's not writing the correct url: 'http://https//www.rubycotton.com/order.php' RE SEO turned on in BO - I there's no radio box for me to select to confirm it's on, it's missing. I just have a link that seems to do nothing when clicked. (see screengrab) also on a side note are you comfortable using phpmyadmin? Yes! Link to comment Share on other sites More sharing options...
Dh42 Posted March 28, 2012 Share Posted March 28, 2012 Does that mean the ssl worked like it was supposed to, but broke the slide show? Ok, in your db go to ps_configuration. SSL Enabled should be set to 1, it should be id_configuration 27 Link to comment Share on other sites More sharing options...
James R Posted March 28, 2012 Author Share Posted March 28, 2012 Does that mean the ssl worked like it was supposed to, but broke the slide show? Ok, in your db go to ps_configuration. SSL Enabled should be set to 1, it should be id_configuration 27 Yeah I think so but the url that it was using for the SSL areas was funny and resulted in a broken link. Ah ha, forgot it could be turned on from phpmyadmin! Ok it was on '0' so I've changed it to '1'. Something's happening, it's directing to the https: https://www.rubycotton.com/order.php BUT throwing an error: This webpage has a redirect loop The webpage at https://www.rubycotton.com/order.php has resulted in too many redirects. Clearing your cookies for this site or allowing third-party cookies may fix the problem. If not, it is possibly a server configuration issue and not a problem with your computer. Here are some suggestions: Reload this webpage later. Learn more about this problem. Error 310 (net::ERR_TOO_MANY_REDIRECTS): There were too many redirects. Could this be from the patches applied already? Link to comment Share on other sites More sharing options...
Dh42 Posted March 28, 2012 Share Posted March 28, 2012 try this http://www.prestashop.com/forums/topic/162041-solved-this-web-page-has-a-redirect-loop/ Link to comment Share on other sites More sharing options...
James R Posted March 28, 2012 Author Share Posted March 28, 2012 I had one page checkout already selected but when I clicked 'Save' at the bottom of the page and reloaded the order page it worked. But again back to http:// and no SSL so I had a look in phpmyadmin - the value was reset to '0'!! So the BO is resetting this value any time I click save?! Link to comment Share on other sites More sharing options...
Dh42 Posted March 28, 2012 Share Posted March 28, 2012 looking at your screen shot, did you click on the text in the bo and then enable ssl? if so try setting it again. changing carts might reset it. Link to comment Share on other sites More sharing options...
James R Posted March 28, 2012 Author Share Posted March 28, 2012 Changed it again in myadmin and getting the same error again: Error 310 (net::ERR_TOO_MANY_REDIRECTS): There were too many redirects. :-/ Also I clicked save again after not changing anything in the BO and it reset the SSl Enabled value to 0! Link to comment Share on other sites More sharing options...
James R Posted March 28, 2012 Author Share Posted March 28, 2012 Just thinking I did recently set up a new redirect in my htaccess file to make sure all urls we're directed to 'www.rubycotton.com' if they typed in 'rubycotton.com'. Could this be causing an issues? I could generate a new htaccess file? Link to comment Share on other sites More sharing options...
Dh42 Posted March 28, 2012 Share Posted March 28, 2012 I do not think it would, but it would not hurt to try it. Link to comment Share on other sites More sharing options...
James R Posted March 28, 2012 Author Share Posted March 28, 2012 Didn't make a difference. Link to comment Share on other sites More sharing options...
Dh42 Posted March 28, 2012 Share Posted March 28, 2012 So every time you enable it in the db or the back office, it un-enables itself? I think there is a current thread about that in this forum. Link to comment Share on other sites More sharing options...
James R Posted March 28, 2012 Author Share Posted March 28, 2012 So every time you enable it in the db or the back office, it un-enables itself? I think there is a current thread about that in this forum. Yes everytime I enable it via phpmyadmin and then go and click save in the BO - it resets. I am unable to enable or disable it directly in the BO as you can see from the image I attached previously. Very frustrating, I'll look for that thread! Link to comment Share on other sites More sharing options...
James R Posted March 28, 2012 Author Share Posted March 28, 2012 I've removed the SSL patches and made the change just added here: http://www.prestashop.com/forums/topic/155662-critical-ssl-bug-in-ps-147-fix-inside/page__st__40 Looks like it was his fix that caused the initial problem. Now if I enable SSL in the db then go into the store to process an order as soon as I get to: https://www.rubycotton.com/modules/paypal/payment/submit.php or the sagepay order page I get the Error 310 (net::ERR_TOO_MANY_REDIRECTS): There were too many redirects. So to summarize: my store's payment modules are both not working with SSL enabled. With it disabled by me or by the bug in the BO the paypal module will not work but Sagepay will. What a mess! Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now