Prestashop 1.5
PSCFV-5204

PrestaShop Persistent XSS vulnerability

    Details

    • Type: Bug
    • Status: Closed
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels: None
    • Environment:
      Affected browsers: Mozilla Firefox, Google Chrome and Apple Safari latest versions.

      Description

      Hello,
      When installing and analyzing PrestaShop in a secure environment, I discovered that it's possible to bypass the isCleanHtml() function, which is used in many places, especially in the Contact Form.
      A user could use this vulnerability, a Persistent Cross-site Scripting, to execute malicious payloads in the admin's message box.

      Proof of concept:
      In the message field a user could write:
      <object data='data:text/html;base64,PHNjcmlwdD5hbGVydCgid2Vic2VndXJhLm5ldC14c3MiKTwvc2NyaXB0Pg=='></object>

      or

      <embed src='data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIndlYnNlZ3VyYS5uZXQgeHNzIik7PC9zY3JpcHQ+PC9zdmc+' type='image/svg+xml' AllowScriptAccess='always'></embed>

      Both Base64 strings are mainly <script>alert()</script> encoded.

      Those XSS vectors bypass the filter in isCleanHtml() and execute automatically when the admin checks the messages in the admin area. This is critical and could be used a lot, causing bad scenarios.

      Keep in mind that on some webmail variations, the code is also executed. A user can even play with headings such as <h1> and other HTML in the message box.
      I think that in this case in particular, HTML should be stripped out, because in my opinion it has no meaning on the contact form. Of course, another solution is to sanitize user input by improving the isCleanHtml() function.

      Hope this information helps you guys to keep PrestaShop more secure.
      By the way, nice job on PrestaShop. It's an easy and reliable CMS to install and maintain. Keep it up.

      Best regards,
      David Sopas
      @dsopas
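The two mitigations the report proposes, shown as an added PHP example; this is not PrestaShop's isCleanHtml() and not code from the reporter. The forbidden-tag list, the attribute patterns and the sample messages are assumptions constructed for illustration (the base64 bodies from the report are replaced with a placeholder):

```php
<?php
// Added example, not PrestaShop's own isCleanHtml(). It shows the two
// defensive options the report describes for a contact-form message.

// Option 1 (the reporter's recommendation for the contact form): keep no HTML
// at all. strip_tags() removes markup; the result is still escaped at output.
function contactMessageAsPlainText(string $message): string
{
    return strip_tags($message);
}

// Option 2: keep a filter, but reject the active-content vectors the report
// demonstrates (object/embed tags, data: URIs) plus related ones.
// The lists and patterns below are assumptions for illustration, not a
// complete HTML sanitizer.
function isCleanContactHtml(string $html): bool
{
    // Tags that can load or run active content regardless of attributes.
    $forbiddenTags = ['script', 'object', 'embed', 'applet', 'iframe',
                      'svg', 'math', 'base', 'meta', 'link', 'style', 'form'];
    foreach ($forbiddenTags as $tag) {
        if (preg_match('/<\s*\/?\s*' . $tag . '\b/i', $html)) {
            return false;
        }
    }
    // data:, javascript: or vbscript: schemes in URL-bearing attributes,
    // which is exactly how both vectors in the report smuggle their script.
    $urlAttrs = '(?:src|href|data|action|formaction)';
    if (preg_match('/\b' . $urlAttrs . '\s*=\s*["\']?\s*(?:data|javascript|vbscript)\s*:/i', $html)) {
        return false;
    }
    // Any inline event handler (onload=, onerror=, ...).
    if (preg_match('/\bon[a-z]+\s*=/i', $html)) {
        return false;
    }
    return true;
}

// Escaping at render time in the admin message view, so that whatever was
// stored is shown as text rather than interpreted by the browser.
function renderMessage(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed samples modelled on the report's two vectors and one benign message.
$samples = [
    "<object data='data:text/html;base64,PLACEHOLDER'></object>",
    "<embed src='data:image/svg+xml;base64,PLACEHOLDER' type='image/svg+xml'></embed>",
    "<h1>Hello</h1> a plain question about my order",
];
foreach ($samples as $s) {
    printf("%-7s %s\n",
        isCleanContactHtml($s) ? 'ok' : 'REJECT',
        renderMessage(contactMessageAsPlainText($s)));
}
```

The first two samples are rejected twice over (forbidden tag and data: scheme); the third passes the check and, after strip_tags(), reaches the admin as plain text. Regex-based allow-listing like option 2 is fragile against encoding and parser differences, which is why the reporter's option 1 (no HTML on the contact form at all, escaped at output) is the simpler and safer choice for a field that never needs markup.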

    People

    • Assignee: rGaillard Rémi GAILLARD
    • Reporter: dsopas David Sopas