Monday, July 8, 2013

Prestashop persistent XSS and CSRF vulnerability

Continuing my testing of Prestashop security, I found a vulnerability in the latest version (and possibly prior versions).
Logisticians, translators and other low-privilege profiles/accounts can inject a persistent XSS vector through TinyMCE that affects other users and even admins.
This is possible because of a flaw in TinyMCE's HTML filtering: it does not filter most event-handler attributes (it blocks only a couple of them).

Proof of concept of a combined CSRF attack (logged in as a logistician):
On a CMS page, enter the following HTML in TinyMCE (in HTML mode): <img onmouseover="window.location.href = 'http://www.website-example.pt/loja/admin9050/index.php?logout'" src="x" alt="" />
When the admin hovers over the image, he is automatically logged out of the admin panel.
With a little imagination this issue can be used to spread malware or to grab credentials (by popping up a login screen) from visitors, authenticated users or even admins. (CVE-2013-4791)

The logout GET request should also be protected by a token, to prevent CSRF attacks. (CVE-2013-4792)

Keep in mind that the latest version of TinyMCE is patched against this issue.
For the record, I tested this on PrestaShop 1.5.4.1.

The Prestashop development team replied:
We have fixed this problem in our 1.4.11 release, and we will also put this patch in our next 1.5 release before the end of July.
Timeline:
05 Jun 2013: Reported to Prestashop
11 Jun 2013: Replied that their team were working on it
02 Jul 2013: Prestashop released a fix to this issue
08 Jul 2013: Full disclosure

4 comments:

  1. Hi David,
    Thanks for sharing. I'm just wondering, according to your experience, which shopping cart is most secure? I'm not saying unbreakable, but which one is less hackable?
    Thanks,
    John

    1. Hi John,

      Well it all depends on your needs. I like Prestashop. They really care about security. They've a good team and fast support.

      Shopify for example, they just discarded a few security issues I found. In my opinion that shows me that they don't care about clients' security.

      Keep in mind that you must also secure your host and apply good security practices.

      Regards,
      David

  2. Hi David,
    Thank you for your kindness. I am looking for a cart. There are some that I would like to try. But at this point, I am just looking at Prestashop and CS-Cart. Have you ever seen a CS-Cart security hole? Sorry to ask you one more time.

    1. I don't think I tested CS-Cart. Maybe in the future!
      Usually I test only what my clients use.
