While carrying out research I found out, that the Prestashop framework was not, by default preventing malicious UI-redressing or, Clickjacking attacks.
CSPs with desirable values can also be added as security headers for further protection just in case you need it.
-----------------------
A UI-Redressing/Clickjacking bug was discovered in all versions of Prestashop that affects both User and Admin interfaces.
This maybe leveraged to perform unintended state changing operations by hijacking only few clicks of an authenticated user/admin.
Discoverer - Arif Khan
CVE ID - CVE-2018-7491
Product -Prestashop (all versions)
How common/prevalent is this vulnerability?
Almost all Prestashop instances don't prevent Clickjacking attacks. So attack surface is huge undoubtedly. This isn't a remote attack vector though, and hence, needs some user interaction. However, exploiting it is easy and the victim user hardly realises that (s)he had been subjected to an attack.
UI-redressing Attack Against Prestashop
Clickjacking PoC for demonstration purpose -
<script language=JavaScript> function ScrollDown() { window.scrollBy(0,10); //set your scroll value scrolldelay = setTimeout('pageScroll()',100); //time value } window.onload=ScrollDown; </script> <iframe src="TARGET_PRESTASHOP_INSTANCE> //set property
This is just a demonstration for various attack scenarios. But ever thought about how malicious this can turn into? Maybe, we aren't aware of it being exploited in the wild as of yet, users are often led into traps through various malicious advertisement campaigns, that take advantage of this type of vulnerabilites to make profit.
Impact
What does an attacker gain from it?
I would restrain myself from delving deeper into this part since countless Prestashop instances till date are vulnerable to this attack vector.
Example Scenarios -
- Vertical Privilege escalation - Can we trap an administrator, or, staff of the Prestashop instance into clicking, and performing an unintended action that brings about a business loss, or, a profit to us, either ways it's a win-win for the attacker. The admin can be tricked into making unintended price cuts, add other users, change values and perform various harmful actions.
- Lateral Privilege Escalation - From the user point of view, let's suppose a scenario in which a certain user is forced to change his account details from the account section, or, even worse, made to execute a self-XSS. Various attack vectors exist, not all are worth mentioning, but combining all these factors, we can achieve a malicious exploit chain to improve our post-exploit discovery attack methods.
- Phishing - This can be done efficiently and extends into a wide array of attack vectors. User can find the Prestashop instance embedded in Iframe responsive and functioning as the original application would have to him. Thus, attacker can keylog victim's keystrokes, observe his browsing habits from a competitive e-commerce edge and so on...
Further, I can think of countless ways to exploit this. Should we go deeper? Yes! Because, for e-commerce applications security is of prime importance.
Suggested Fix
This pull request - https://github.com/PrestaShop/PrestaShop/pull/8807 appears to fix this security issue by implementing a header function adding in the XFO secruity header, I suggest editable CSPs, but okay, this should work nevertheless -
header('X-Frame-Options: SAMEORIGIN');
A call made to the header function makes the server return the XFO headers set with SAMEORIGIN value that prevents frame embedding of the rpestashop instance outside the origin domain.
I also suggest adding a frame-busting script to act as a better second line of defence for this who might need it -
Implementation of window.confirm -
<script type="text/javascript">
var action_confirm = window.confirm("Are you sure you want to delete your youtube account?")
if (action_confirm) {
//... perform action
} else {
//... The user does not want to perform the requested action.
}
</script>
CSPs with desirable values can also be added as security headers for further protection just in case you need it.
-----------------------
Advisory
This maybe leveraged to perform unintended state changing operations by hijacking only few clicks of an authenticated user/admin.
Discoverer - Arif Khan
CVE ID - CVE-2018-7491
Product -Prestashop (all versions)
![[Advisory] Unpatched URL Address Bar Spoofing Vulnerability in UC Browser 12.11.2.1184 and UC Browser Mini 12.10.1.1192: With the same old one-liner payload...](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_txvZajNype_lvXNvF9GkmRJjM2da6YoV26Kwl5ow47y0xAY8V4bliMsIgtgDp1R93e8t37ZohCgTo8kpQsK124zFYLOePJKBiht14)
![[Unpatched Vulnerability] CVE-2019-11015: Lock Screen Auth Bypass leading to Sensitive Information Disclosure and an Improper Access Control issue in Xiaomi MIUI OS (latest stable releases affected)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTWuUwOC0fUHoytTGa-kGKCdYidVNZ7YMLN9cmoHUzF1Bo8wENaJOgkw5bLHPVGGfedNUJ41_-wbjI1Y8SavrUxZ-dWo6c9AzkNUzQLqsRupjfAdCon9llQCr4AAID_1h5q-iO4150P9XL/s72-c/IMG_20190410_131425.jpg)
An independent security researcher.
No comments:
Post a Comment
Let me know what you felt after reading the article!