v1.7x-v8x-v9x One Page Checkout & Social Login – PayPal, Stripe, COD v.2.9.4
- Thread starter vivozivo
- Start date
Thank you very much for sharing this module - but old
Guys, this module is downloaded from Prestashop addons, (documentation is also attached) so Presta (ETS developer) is tracking.
Seriously, did you think that you can use module for free without nulling?
__________________________________
Test it and if you are satisfied, purchase from developer.
It is a matter of shop security.
Seriously, did you think that you can use module for free without nulling?
File was not touched, this is mean that v.9 Prestashop is collecting info about installation. (info file become present in modules compatibles with Prestashop 9. and placed into the ZIP file when the file is downloaded (download date is date when this .info file is created))
__________________________________
Test it and if you are satisfied, purchase from developer.
It is a matter of shop security.
Seriously, did you think that you can use module for free without nulling?
__________________________________
Test it and if you are satisfied, purchase from developer.
It is a matter of shop security.
Post automatically merged:
Guys, this module is downloaded from Prestashop addons, (documentation is also attached) so Presta is tracking (ETS developer).
Seriously, did you think that you can use module for free without nulling?
File was not touched, this is mean that v.9 Prestashop is collecting info about installation. (info file become present in modules compatibles with Prestashop 9. and placed into the ZIP file when the file is downloaded (download date is date when this .info file is created))
__________________________________
Test it and if you are satisfied, purchase from developer.
It is a matter of shop security.
Post automatically merged:
read previous message
Last edited:
Tested. Works very well as I intended to. Thanks
Thanks for your reply.
But the wierd thing is the content of the file "ets_onepagecheckout/views/templates/hook/frontJs.tpl"
You can see it below.
Its not Prestashop standard, and it's strange if the module was approved by the PS Marketplace with such code.
JavaScript:
<script type="text/javascript">
(function() {
var redirectUrl = '{$ets_opc_link_back nofilter}' || '/moje-konto';
if (window.opener) {
// Desktop popup → gửi message về parent
window.opener.postMessage(
{ type: 'OAUTH_COMPLETE', redirect: redirectUrl },
'https://zdrowylab.pl'
);
try { window.close(); } catch(e) {}
} else {
// Mobile → không có opener, redirect trực tiếp
window.location.href = redirectUrl;
}
})();
</script>
Redirection to the domain https://zdrowylab.pl is NOT normal, expected or correct functionality.
This is a SERIOUS problem in the module → most likely a hard-coded developer test domain
Here's why:
1. The Social Login module uses a popup flow to perform OAuth authentication (Google, Facebook, etc.).
At the end of the process, the popup sends the result to the parent window.
2. In normal modules, the target domain is dynamically set according to your shop. It should NEVER be a hard-coded foreign domain.
3. This script has a LOCKED domain:
window.opener.postMessage(
{ type: 'OAUTH_COMPLETE', redirect: redirectUrl },
'https://zdrowylab.pl'
);
This means that:
- the module sends OAuth results to that domain only
- if your shop is not szrodylab.pl, the popup will not work
- even worse: OAuth data is potentially sent to someone else's domain, which is a serious security flaw
1. Worst case scenario (security issue):
If the module passes authentication data (token, email, user ID), then the third-party domain could intercept it.
2. Most likely scenario (technical error):
During the testing, the developer used his domain szrodylab.pl, so they mistakenly left it hard-coded in the package.
This happens with poorly made Addons modules.
The correct code would be:
window.opener.postMessage(
{ type: 'OAUTH_COMPLETE', redirect: redirectUrl },
window.opener.location.origin
);
or:
window.opener.postMessage(
{ type: 'OAUTH_COMPLETE', redirect: redirectUrl },
'*'
);
or have the server generate your domain dynamically.
Not a foreign and specific URL.
thank you for share this module . . . . . . ..
Thank you very much for sharing this great module!!
Also, it's not allowed to use inline JS like this. Especially since that code have a XSS vulnerability.
And of course its not allowed to use hard coded url's.
Nor is it allowed to use hard coded languages in polish;
var redirectUrl = window.etsOpcOauthData.redirectUrl || '/moje-konto';
"moje-konto" translated to English is "my-account".
Since it breaks so many rules and contain a security breach with XSS vulnerability, I find it hard that this upload comes directly from the PS Marketplace.
Version 2.9.5 on this forum contain the same XSS vulnerability.
So I don't think you can blame the developer for making a mistake.
Here's why:
1. Version 2.9.4 wouldn't be approved by the PS marketplace.
2. If it was approved the developer would most likely been notified and fix the XSS vulnerability in v.2.9.5.
I get the sense that an AI have provided you with the explanation of why your upload contain malicious code.
If I were you, I wouldn't believe that a module with such code was downloaded from Prestashop addons. Since this is not the first time that a module in a .zip file contained an .info file, and as you can see there are other suspicious contents, I still wouldn't believe that I personally didn't download it from an addon.
As a friend of mine tells me, many modules on addons were removed precisely because of such irregularities, (it means the shit is happens) and they are no longer present there. (the list is huge).
It is also best to report such irregularities to the "Friends of Presta" and they will check the code and publish if there is a security risk.
Find more here https://security.friendsofpresta.org/
Last edited:
Did you personally downloaded this module from the PS Marketplace?
It doesn't matter if he downloaded it personally or not from the official presta. What matters is that the module can be tested and all its functionalities do their job. For production, it is dangerous, don't even think about using it because it intercepts payment data, personal data, card data etc So, test and if you like buy. For sure, those lines was not added by developer, my opinion.