Wednesday, November 7, 2012

PrestaShop <= 1.5.1 Persistent XSS

When installing and analyzing PrestaShop on a secure environment I discovered that it's possible to bypass isCleanHtml() function, used in many places, in this case in particular the Contact Form. 
A user could use this vulnerability, a Persistent Cross-site Scripting, to execute malicious payloads on admins message box.

Proof of concept:
In the message field a user could write:
<embed src='data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIndlYnNlZ3VyYS5uZXQgeHNzIik7PC9zY3JpcHQ+PC9zdmc+' type='image/svg+xml' AllowScriptAccess='always'></embed>
Both Base64 strings are mainly alert() encoded. Those XSS vectors bypass the filter on isCleanHtml() and execute automatically when the admin check the messages on the admin area. This is critical and could be used to implement very bad scenarios. Keep in mind that on some webmail variations, the code is also executed. A user can even play with heading h1 and other HTML on message box.
<a href="#" target="_blank"><img src="" width="800px" height="600px" border="0" /></a>
<a href="#" target="_blank" style="font-size: 30px">Click here</a>
Again, encoding with Base64 could also obfuscate a little bit. I think that in this case in particular, HTML should be stripped out because it has no meaning in my opinion on the contact form. Solution: Vendor reported that upgrading PrestaShop to version 1.5.2 will fix admins message box bug. HTML on email accounts still a possibility in the latest version. According to the vendor, it will be fixed on the next version.