DEFTCODE

GPG - 2048R/6D378CAF

Prestashop 1.6.0.6 - DOM based Cross-site Scripting

Version 1.6.0.6 of Prestashop is vulnerable to DOM-based XSS. The page at /index.php?controller=stores shows the locations of the stores; this feature can be enabled from the admin panel under Preferences / Store Contacts.

The vulnerable function is in the cached core JavaScript (see stores.js).

snippet:

function searchLocations()
{
  $('#stores_loader').show();
  // Source: user-controlled text read straight from the store search box
  var address = document.getElementById('addressInput').value;
  var geocoder = new google.maps.Geocoder();
  geocoder.geocode({address: address}, function(results, status) {
    if (status === google.maps.GeocoderStatus.OK)
      searchLocationsNear(results[0].geometry.location);
    else
    {
      if (!!$.prototype.fancybox)
        $.fancybox.open([
        {
          type: 'inline',
          autoScale: true,
          minHeight: 30,
          // Sink: the raw address is concatenated into HTML that fancybox renders,
          // so any markup typed into the search box is parsed by the browser
          content: '<p class="fancybox-error">' + address + ' ' + translation_6 + '</p>'
        }
        ], {
          padding: 0
        });
      else
        // Fallback: alert() shows plain text, so this branch does not render HTML
        alert(address + ' ' + translation_6);
    }
    $('#stores_loader').hide();
  });
}

The address variable is not sanitized before being concatenated into the HTML of the error message, so a Cross-site Scripting payload can be executed with a vector as simple as:

<input value=alert(1) autofocus>
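The following is an added example (not Prestashop's own code) that rebuilds the error message from searchLocations() in two forms: the original concatenation, and a hardened variant that HTML-escapes the address first. translation_6 is assumed here to be the localised "not found" text.

```javascript
// Assumed stand-in for Prestashop's translated "not found" string.
const translation_6 = 'not found';

// Minimal HTML entity escaping for text that will be concatenated into markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Mirrors the pattern in stores.js: the raw address goes straight into the
// HTML handed to fancybox, so tags typed into the search box become markup.
function buildErrorHtmlVulnerable(address) {
  return '<p class="fancybox-error">' + address + ' ' + translation_6 + '</p>';
}

// Hardened variant: the address is escaped before concatenation and renders as
// text regardless of its content. In a browser, building the <p> element and
// assigning address to its textContent is an equally valid fix.
function buildErrorHtmlSafe(address) {
  return '<p class="fancybox-error">' + escapeHtml(address) + ' ' + translation_6 + '</p>';
}

// Lists the tag names a browser would parse out of the markup, lowercased.
// Used to check that only the intended <p> wrapper survives.
function tagNames(html) {
  const names = [];
  const re = /<\/?([a-z][a-z0-9]*)/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

// Constructed sample input: the vector from the advisory above.
const sampleVector = '<input value=alert(1) autofocus>';
console.log(tagNames(buildErrorHtmlVulnerable(sampleVector))); // ["p","input","p"]
console.log(tagNames(buildErrorHtmlSafe(sampleVector)));       // ["p","p"]
```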

Example demonstration screenshot from the Prestashop online demo:

[Image: Prestashop Demo XSS]

Disclosure: