Prestashop Security Scan Results

[James R]

Hi there,

 

I used an online security checking application yesterday to scan my Prestashop 1.3.1 install a thorough check. It came back with two 'High Risk' findings:

 

 

XSS vector in document body (In-Body) (1)

 

Vulnerable URL's found:

https://www.mywebsite.com/authentication.php

Scan Message: injected syntax in JS/CSS code

 

Server Request Details:

POST /authentication.php HTTP/1.1
Host: www.mywebsiten.com
Accept: */*
Accept-Language: en,en-US;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; SF/2.02b)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Range: bytes=0-199999
Referer: https://www.mywebsite.com/
Cookie: 177007dc5024ff546179f25344426a2c=6lT%2Fj%2B5rG4Y%3DPGUkqjdjsq0%3D8x2vaoF%2FYuU%3DYgQYtpReVHQ%3DTnfrKBbiLe8%3DILw7kfNp37Y%3DPWl092xt6bM%3DvpkxzpcDDnE%3DZBIjgGNNOqI%3DD%2Bn%2FjfANd8E%3DF6BSXGVWf2w%3DJwq6mphN%2B9Y%3DyotUkDOl4Dg%3D44nIZ4XyxRo%3DfGQaRMKMR0Y%3DldtdIVmGGjI%3Dxdjshpz51ak%3DaWMQjinyLpY%3D
Content-Type: application/x-www-form-urlencoded
Content-Length: 414
id_gender=3&customer_firstname=John&customer_lastname=Smith&[email protected]&passwd=golem&days=1&months=1&years=2010&newsletter=on&company=ACME&firstname=John&lastname=Smith&address1=1&address2=1&city=Mountain%20View&postcode=000&id_country=US&id_state=CA&other=1&phone=6505550100&phone_mobile=6505550100&alias=My%20address&dni=.htaccess.aspx-->">'>'"<sfi000579v486672>&email_create=1&submitAccount=Register

 

Incorrect caching directives (higher risk) (1)

 

Vulnerable URL's found:

https://www.mywebsite.com/

Scan Message: implicitly cacheable \x27Set-Cookie\x27 response

 

Server Request Details:

GET / HTTP/1.1
Host: www.mywebsite.com
Accept: */*
Accept-Language: en,en-US;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; SF/2.02b)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Range: bytes=0-199999
Referer: http://www.rubycotton.com/
Cookie: 177007dc5024ff546179f25344426a2c=6lT%2Fj%2B5rG4Y%3DPGUkqjdjsq0%3D8x2vaoF%2FYuU%3DYgQYtpReVHQ%3DTnfrKBbiLe8%3DILw7kfNp37Y%3DPWl092xt6bM%3DvpkxzpcDDnE%3DZBIjgGNNOqI%3DD%2Bn%2FjfANd8E%3DF6BSXGVWf2w%3DJwq6mphN%2B9Y%3DyotUkDOl4Dg%3D44nIZ4XyxRo%3DfGQaRMKMR0Y%3DldtdIVmGGjI%3Dxdjshpz51ak%3DaWMQjinyLpY%3D 

 

Has anyone else come across these issues before and is there a way to fix them? Planning an upgrade this week so this coule potential solve these problems?

 

Thanks,

James</sfi000579v486672>

[Dh42]

You are several versions behind the latest stable release. You should update your shop.

[James R]

You are several versions behind the latest stable release. You should update your shop.

 

It's been updated now and yet again I face SSL issues:

 

http://www.prestashop.com/forums/topic/155662-critical-ssl-bug-in-ps-147-fix-inside/

 

[Dh42]

Once that patch is applied the issue is no longer a problem.

[James R]

I've tried both fixes and neither have solved the SSL issue.

[Dh42]

link to your site?

[James R]

I've issued a bug on it: http://forge.prestashop.com/browse/PSCFI-5279

 

Website: www.rubycotton.com

 

[Dh42]

In your preferences >> Seo do you have a https:// before your secure url? Also I am guessing you have ssl turned on in the bo.

[Dh42]

also on a side note are you comfortable using phpmyadmin?

[James R]

In your preferences >> Seo do you have a https:// before your secure url? Also I am guessing you have ssl turned on in the bo.

 

In this section below? I just had the url starting with 'www':

 

'

Shop domain name for SSL:

www.rubycotton.com

'

 

 

I just tested changing it to '

Shop domain name for SSL: https://

www.rubycotton.com

'

and my homeslidehow module stopped working but the ssl seems to be kicking it although it's not writing the correct url: 'http://https//www.rubycotton.com/order.php'

 

RE SEO turned on in BO - I there's no radio box for me to select to confirm it's on, it's missing. I just have a link that seems to do nothing when clicked. (see screengrab)

 

 

 

also on a side note are you comfortable using phpmyadmin?

 

Yes!

[Dh42]

Does that mean the ssl worked like it was supposed to, but broke the slide show? Ok, in your db go to ps_configuration. SSL Enabled should be set to 1, it should be id_configuration 27

[James R]

Does that mean the ssl worked like it was supposed to, but broke the slide show? Ok, in your db go to ps_configuration. SSL Enabled should be set to 1, it should be id_configuration 27

 

Yeah I think so but the url that it was using for the SSL areas was funny and resulted in a broken link.

 

Ah ha, forgot it could be turned on from phpmyadmin! Ok it was on '0' so I've changed it to '1'.

 

Something's happening, it's directing to the https:

 

https://www.rubycotton.com/order.php

 

BUT throwing an error:

 

 

This webpage has a redirect loop

The webpage at https://www.rubycotton.com/order.php has resulted in too many redirects. Clearing your cookies for this site or allowing third-party cookies may fix the problem. If not, it is possibly a server configuration issue and not a problem with your computer.

Here are some suggestions:

• Reload this webpage later.
  
• Learn more about this problem.
  

Error 310 (net::ERR_TOO_MANY_REDIRECTS): There were too many redirects.

 

Could this be from the patches applied already?

[Dh42]

try this http://www.prestashop.com/forums/topic/162041-solved-this-web-page-has-a-redirect-loop/

[James R]

I had one page checkout already selected but when I clicked 'Save' at the bottom of the page and reloaded the order page it worked. But again back to http:// and no SSL so I had a look in phpmyadmin - the value was reset to '0'!!

 

So the BO is resetting this value any time I click save?!

[Dh42]

looking at your screen shot, did you click on the text in the bo and then enable ssl? if so try setting it again. changing carts might reset it.

[James R]

Changed it again in myadmin and getting the same error again: Error 310 (net::ERR_TOO_MANY_REDIRECTS): There were too many redirects. :-/

 

Also I clicked save again after not changing anything in the BO and it reset the SSl Enabled value to 0!

[James R]

Just thinking I did recently set up a new redirect in my htaccess file to make sure all urls we're directed to 'www.rubycotton.com' if they typed in 'rubycotton.com'.

 

Could this be causing an issues? I could generate a new htaccess file?

[Dh42]

I do not think it would, but it would not hurt to try it.

[James R]

Didn't make a difference.

[Dh42]

So every time you enable it in the db or the back office, it un-enables itself? I think there is a current thread about that in this forum.

[James R]

So every time you enable it in the db or the back office, it un-enables itself? I think there is a current thread about that in this forum.

 

Yes everytime I enable it via phpmyadmin and then go and click save in the BO - it resets. I am unable to enable or disable it directly in the BO as you can see from the image I attached previously.

 

Very frustrating, I'll look for that thread!

[James R]

I've removed the SSL patches and made the change just added here: http://www.prestashop.com/forums/topic/155662-critical-ssl-bug-in-ps-147-fix-inside/page__st__40

 

Looks like it was his fix that caused the initial problem.

 

Now if I enable SSL in the db then go into the store to process an order as soon as I get to: https://www.rubycotton.com/modules/paypal/payment/submit.php or the sagepay order page I get the Error 310 (net::ERR_TOO_MANY_REDIRECTS): There were too many redirects.

 

 

So to summarize: my store's payment modules are both not working with SSL enabled. With it disabled by me or by the bug in the BO the paypal module will not work but Sagepay will.

 

What a mess!