Thursday, April 19, 2012

PrestaShop 1.3.3 Cross-Site Scripting (XSS) Vulnerability

Description
PrestaShop is an e-commerce solution which is free and open source. It supports payment gateways such as Google Checkout, Authorize.net, Skrill, PayPal and Payments Pro via API. Further payment modules are offered commercially.

Sow Ching Shiong, an independent vulnerability researcher, has identified a Cross-Site Scripting vulnerability in PrestaShop. This issue was discovered in a default installation of PrestaShop 1.3.3. Other earlier versions may also be affected.


Proof of concept
http://[target]/[path]/search.php?'"--></style></script><script>alert(1)</script>
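The proof of concept works because the search term is reflected into the page without output encoding. The PHP below is an added illustration, not PrestaShop's own code: a hypothetical search page in its vulnerable form beside the hardened form, fed the advisory's PoC string.

```php
<?php
// Added example, not PrestaShop code. It assumes a search page that echoes the
// user's query back into an input attribute and into the result heading.

// Vulnerable pattern: the raw query is concatenated into HTML, so the PoC
// string closes the attribute and any open style/script block, then injects
// its own <script> element.
function renderSearchVulnerable(string $query): string
{
    return '<input type="text" name="search_query" value="' . $query . '">'
         . '<p>Results for ' . $query . '</p>';
}

// Hardened pattern: encode for the HTML context at the point of output.
// ENT_QUOTES converts both ' and " to entities, so the value cannot leave a
// quoted attribute; < and > become &lt; and &gt;, so no tag is created.
// This encoder is only correct for HTML body and attribute contexts; a value
// written inside a <script> or <style> block needs that context's encoder.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function renderSearchSafe(string $query): string
{
    return '<input type="text" name="search_query" value="' . e($query) . '">'
         . '<p>Results for ' . e($query) . '</p>';
}

// Returns true when the rendered page still carries a live <script> tag.
function containsScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed input mirroring the advisory's proof-of-concept string.
$poc = '\'"--></style></script><script>alert(1)</script>';

echo renderSearchVulnerable($poc), PHP_EOL;
echo renderSearchSafe($poc), PHP_EOL;

// Vulnerable output carries the tag; hardened output does not.
var_dump(containsScriptTag(renderSearchVulnerable($poc)));
var_dump(containsScriptTag(renderSearchSafe($poc)));
```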



Solution
Update to version 1.3.4 or later.

References

Vendor URL: http://www.prestashop.com/en/developers-versions/changelog/1.3.4.0
Secunia: http://secunia.com/advisories/42503/

Disclosure Timeline
2010-12-06 - Vulnerability discovered.
2010-12-06 - Vulnerability reported to Secunia.
2010-12-10 - Secunia confirmed the vulnerability and contacted the vendor.
2010-12-22 - Patch released.
2010-12-22 - Advisory published by Secunia.
