
Prestashop Security Scan Results


James R


Hi there,

 

I used an online security checking application yesterday to give my Prestashop 1.3.1 install a thorough check. It came back with two 'High Risk' findings:

 

 

XSS vector in document body (In-Body) (1)

 

Vulnerable URL's found:

https://www.mywebsite.com/authentication.php

Scan Message: injected syntax in JS/CSS code

 

Server Request Details:

POST /authentication.php HTTP/1.1
Host: www.mywebsiten.com
Accept: */*
Accept-Language: en,en-US;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; SF/2.02b)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Range: bytes=0-199999
Referer: https://www.mywebsite.com/
Cookie: 177007dc5024ff546179f25344426a2c=6lT%2Fj%2B5rG4Y%3DPGUkqjdjsq0%3D8x2vaoF%2FYuU%3DYgQYtpReVHQ%3DTnfrKBbiLe8%3DILw7kfNp37Y%3DPWl092xt6bM%3DvpkxzpcDDnE%3DZBIjgGNNOqI%3DD%2Bn%2FjfANd8E%3DF6BSXGVWf2w%3DJwq6mphN%2B9Y%3DyotUkDOl4Dg%3D44nIZ4XyxRo%3DfGQaRMKMR0Y%3DldtdIVmGGjI%3Dxdjshpz51ak%3DaWMQjinyLpY%3D
Content-Type: application/x-www-form-urlencoded
Content-Length: 414
id_gender=3&customer_firstname=John&customer_lastname=Smith&[email protected]&passwd=golem&days=1&months=1&years=2010&newsletter=on&company=ACME&firstname=John&lastname=Smith&address1=1&address2=1&city=Mountain%20View&postcode=000&id_country=US&id_state=CA&other=1&phone=6505550100&phone_mobile=6505550100&alias=My%20address&dni=.htaccess.aspx-->">'>'"<sfi000579v486672>&email_create=1&submitAccount=Register

 

Incorrect caching directives (higher risk) (1)

 

Vulnerable URL's found:

https://www.mywebsite.com/

Scan Message: implicitly cacheable 'Set-Cookie' response

 

Server Request Details:

GET / HTTP/1.1
Host: www.mywebsite.com
Accept: */*
Accept-Language: en,en-US;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; SF/2.02b)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Range: bytes=0-199999
Referer: http://www.rubycotton.com/
Cookie: 177007dc5024ff546179f25344426a2c=6lT%2Fj%2B5rG4Y%3DPGUkqjdjsq0%3D8x2vaoF%2FYuU%3DYgQYtpReVHQ%3DTnfrKBbiLe8%3DILw7kfNp37Y%3DPWl092xt6bM%3DvpkxzpcDDnE%3DZBIjgGNNOqI%3DD%2Bn%2FjfANd8E%3DF6BSXGVWf2w%3DJwq6mphN%2B9Y%3DyotUkDOl4Dg%3D44nIZ4XyxRo%3DfGQaRMKMR0Y%3DldtdIVmGGjI%3Dxdjshpz51ak%3DaWMQjinyLpY%3D 

 

Has anyone else come across these issues before and is there a way to fix them? Planning an upgrade this week so this could potentially solve these problems?

 

Thanks,

James
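The second finding above (a response that sets a cookie while carrying no caching directives) can be checked from the response headers alone. The sketch below is an added example, not part of the original post and not the scanner's own logic; it is a simplified approximation of HTTP caching rules, and the sample response and the names `classify` and `BARE` are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Directives that keep a shared cache (proxy, CDN) from reusing the response.
BLOCKING = {"no-store", "no-cache", "private"}
# Constructed sample response, not captured from the site in this thread.
BARE = "HTTP/1.1 200 OK\nContent-Type: text/html\nSet-Cookie: sid=constructed; path=/"

def parse_headers(raw):
    """Return (lowercased name, value) pairs; the status line is dropped."""
    return [(n.strip().lower(), v.strip()) for n, _, v in
            (line.partition(":") for line in raw.strip().splitlines()[1:])]

def directives(pairs):
    """Collect Cache-Control directives across repeated headers."""
    found = {}
    for name, value in pairs:
        if name == "cache-control":
            for part in value.split(","):
                key, _, arg = part.strip().partition("=")
                found[key.lower()] = arg.strip('"')
    return found

def expired(value):
    """True if an Expires value is in the past; unparsable values count as expired."""
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return True
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= datetime.now(timezone.utc)

def classify(raw):
    """Classify how a shared cache may treat a response that sets a cookie."""
    pairs = parse_headers(raw)
    headers = dict(pairs)
    if "set-cookie" not in headers:
        return "no-cookie"
    cc = directives(pairs)
    if BLOCKING.intersection(cc):
        return "protected"
    lifetime = cc.get("s-maxage", cc.get("max-age"))  # s-maxage wins for shared caches
    if "public" in cc or lifetime not in (None, "0"):
        return "explicitly-cacheable"
    if (lifetime == "0" or headers.get("pragma", "").lower() == "no-cache"
            or ("expires" in headers and expired(headers["expires"]))):
        return "protected"
    return "implicitly-cacheable"
```

A response classified as `implicitly-cacheable` is the case the scan message describes; adding `Cache-Control: private` or `no-store` to responses that set the session cookie moves it to `protected`.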


  • 2 weeks later...

In your preferences >> Seo do you have a https:// before your secure url? Also I am guessing you have ssl turned on in the bo.

 

In this section below? I just had the url starting with 'www':

 

'Shop domain name for SSL: www.rubycotton.com'

 

 

I just tested changing it to 'Shop domain name for SSL: https://www.rubycotton.com' and my homeslidehow module stopped working but the ssl seems to be kicking in, although it's not writing the correct url: 'http://https//www.rubycotton.com/order.php'

 

RE SEO turned on in BO - there's no radio box for me to select to confirm it's on, it's missing. I just have a link that seems to do nothing when clicked. (see screengrab)

 

 

 

also on a side note are you comfortable using phpmyadmin?

 

Yes!


Does that mean the ssl worked like it was supposed to, but broke the slide show? Ok, in your db go to ps_configuration. SSL Enabled should be set to 1, it should be id_configuration 27

 

Yeah I think so but the url that it was using for the SSL areas was funny and resulted in a broken link.

 

Ah ha, forgot it could be turned on from phpmyadmin! Ok it was on '0' so I've changed it to '1'.

 

Something's happening, it's directing to the https:

 

https://www.rubycotton.com/order.php

 

BUT throwing an error:

 

 

This webpage has a redirect loop

The webpage at https://www.rubycotton.com/order.php has resulted in too many redirects. Clearing your cookies for this site or allowing third-party cookies may fix the problem. If not, it is possibly a server configuration issue and not a problem with your computer.

Here are some suggestions:

Error 310 (net::ERR_TOO_MANY_REDIRECTS): There were too many redirects.

 

Could this be from the patches applied already?


I had one page checkout already selected but when I clicked 'Save' at the bottom of the page and reloaded the order page it worked. But again back to http:// and no SSL so I had a look in phpmyadmin - the value was reset to '0'!!

 

So the BO is resetting this value any time I click save?!


Changed it again in myadmin and getting the same error again: Error 310 (net::ERR_TOO_MANY_REDIRECTS): There were too many redirects. :-/

 

Also I clicked save again after not changing anything in the BO and it reset the SSL Enabled value to 0!


Just thinking I did recently set up a new redirect in my htaccess file to make sure all urls were directed to 'www.rubycotton.com' if they typed in 'rubycotton.com'.

 

Could this be causing an issue? I could generate a new htaccess file?


So every time you enable it in the db or the back office, it un-enables itself? I think there is a current thread about that in this forum.

 

Yes, every time I enable it via phpmyadmin and then go and click save in the BO - it resets. I am unable to enable or disable it directly in the BO as you can see from the image I attached previously.

 

Very frustrating, I'll look for that thread!


I've removed the SSL patches and made the change just added here: http://www.prestashop.com/forums/topic/155662-critical-ssl-bug-in-ps-147-fix-inside/page__st__40

 

Looks like it was his fix that caused the initial problem.

 

Now if I enable SSL in the db then go into the store to process an order as soon as I get to: https://www.rubycotton.com/modules/paypal/payment/submit.php or the sagepay order page I get the Error 310 (net::ERR_TOO_MANY_REDIRECTS): There were too many redirects.

 

 

So to summarize: my store's payment modules are both not working with SSL enabled. With it disabled by me or by the bug in the BO the paypal module will not work but Sagepay will.

 

What a mess!

