Argon2 Posted June 26, 2016

I have a hacker who is sending out spam using the "send to a friend" module. Somehow he is also inserting a spam message in the "send to a friend" mails. So there must be a security hole in that module...

Example IIS log:

2016-06-26 10:26:21 W3SVC26 <MY.WEBSERVER.IP.HERE> POST /modules/sendtoafriend/sendtoafriend_ajax.php rand=1466666329816 80 - 112.198.79.231 Mozilla/4.0+(compatible;+MSIE+9.0;+Windows+NT+6.1) http://www.websiteurl.com/modules/sendtoafriend/sendtoafriend_ajax.php?rand=1466666329816 200 0 0 513 1179 1812

What do I do? I already blocked his IP address on the firewall, but that doesn't solve the security issue in the send to a friend module...

Thanks. Kris.

Update: Renaming the php files (to .bak) of the "send to a friend" module has effectively stopped the spam being sent. Disabling and uninstalling that module using the prestashop backend was not sufficient!!! The module files remain on the webserver even after uninstalling the module in the backend. So I can now confirm with certainty that the "send to a friend" module has some kind of security issue that enables the sending of spam.

Edited June 26, 2016 by Argon2
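The log check described in the post above, as an added example that is not part of the original post or of PrestaShop: it reads IIS W3C log lines using the `#Fields:` header, counts POSTs to `sendtoafriend_ajax.php` per client IP, and separates requests the server still executed (2xx) from those it rejected. The sample lines, the IP addresses and the threshold are constructed assumptions.

```python
from collections import Counter

MODULE_PATH = "/modules/sendtoafriend/sendtoafriend_ajax.php"

# Constructed sample (documentation IP ranges, not real traffic). IIS lets the
# admin choose which columns are logged, so the #Fields line defines the layout.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2016-06-26 10:26:21 POST /modules/sendtoafriend/sendtoafriend_ajax.php rand=1 203.0.113.7 200
2016-06-26 10:26:22 POST /modules/sendtoafriend/sendtoafriend_ajax.php rand=2 203.0.113.7 200
2016-06-26 10:26:23 POST /modules/sendtoafriend/sendtoafriend_ajax.php rand=3 203.0.113.7 200
2016-06-26 10:26:24 GET /index.php - 198.51.100.23 200
2016-06-26 10:27:02 POST /modules/sendtoafriend/sendtoafriend_ajax.php rand=4 198.51.100.23 200
2016-06-26 11:40:10 POST /modules/sendtoafriend/sendtoafriend_ajax.php rand=5 203.0.113.7 404
2016-06-26 11:40:11 POST /modules/sendtoafriend/sendtoafriend_ajax.php rand=6 203.0.113.7 404
"""

def parse_w3c(lines):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def module_posts_by_client(lines, path=MODULE_PATH):
    """Per-IP POST counts: served (2xx, script ran) and rejected (e.g. 404 after removal)."""
    served, rejected = Counter(), Counter()
    for row in parse_w3c(lines):
        if row.get("cs-method") != "POST" or row.get("cs-uri-stem", "").lower() != path:
            continue
        bucket = served if row.get("sc-status", "").startswith("2") else rejected
        bucket[row.get("c-ip", "-")] += 1
    return served, rejected

def flag_senders(lines, threshold=3):
    """Client IPs with at least `threshold` executed POSTs (threshold is an assumption)."""
    served, _ = module_posts_by_client(lines)
    return sorted(ip for ip, n in served.items() if n >= threshold)

if __name__ == "__main__":
    served, rejected = module_posts_by_client(SAMPLE_LOG.splitlines())
    print("executed:", dict(served), "rejected:", dict(rejected))
    print("flagged:", flag_senders(SAMPLE_LOG.splitlines()))
```

Hits that keep arriving with a non-2xx status after the module files are renamed or deleted show that the sender is still probing but the script no longer runs.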
Argon2 Posted June 28, 2016

Do you know of an alternative "send to a friend" module for prestashop? I did a search in the modules section on the prestashop website, but couldn't find an alternative. My client would like to keep offering this feature on his webshop, but of course he doesn't want to be sending out spam.

Thank you. Kind regards. Kris
BadMath Posted June 28, 2016

As another victim of this exploit, I can say the lack of a CAPTCHA is an inexcusable omission, but is not even the primary issue here. The fact that a faulty module that ships with PrestaShop can be disabled and even uninstalled, yet the code is still directly executable from the modules directory is a major security concern and should be treated as such. In the meantime, all Prestashop users should remove or rename the "modules/sendtoafriend" directory if the module has ever been active.
bellini13 Posted June 30, 2016

Uninstalling the module does not remove the module's files from the server. This is an easy solution: delete the module.
Argon2 Posted June 30, 2016

Great tip, I hadn't thought of that yet :-p
ibser Posted July 13, 2016

Hi. Of course there will be security holes found in a large system like Prestashop, BUT is there nowhere a security bulletin / mailing list with warnings about security flaws? I can't sit and read all new forum posts just to keep my customers' Prestashop clean from security holes.
selectshop.at Posted July 13, 2016

As mdekker already said: if you see updates in the modules list in your back office, you should consider updating them! Prestashop only announces patches for severe security flaws on the forum, but not minor ones without priority, for modules in use for example.
ibser Posted July 13, 2016

Yes, I just checked a 1.6 installation and you are right: on the module list update there was an update for the module (installed v1.8), updated to v1.9. No change log or note on the update for what the update is doing. Is 1.9 free of the hole?

But as you surely know, not all users of Prestashop are looking for module updates; they are not very technical and do not get the modules updated. Many of them hire a developer to do things like install modules.

I am one of those developers/freelancers. Now it would be very nice if I could monitor a list with severe and minor security flaws, not just as a service for the customer but also in the light of this: if we get holes closed on as many Prestashop installations as possible in a very short time, the more hackers will look elsewhere for their dirty work.

I know Prestashop is open source and I will happily contribute to the creation of a list like that.

If there is no interest in such a list on prestashop.com, I would like to hear from others who want a list with only news about severe and minor security flaws, out of the Prestashop community. I will donate a server for the purpose and also a spare-time developer.

Edited July 13, 2016 by ibser
selectshop.at Posted July 13, 2016

Sorry, but there are official sites (like secunia.com) which handle this. I don't think there is a need to shock/startle/overtax others with such a "list". Besides, as you also said: "I can't sit and read all new forum posts just to keep my customers' Prestashop clean from security holes". Don't think that if it is not on the official site of Prestashop nobody will care or take a look into that on non-official sites.... BUT on your own site, you can make public what you want for YOUR CUSTOMERS.... There are several developers (like me) using their own sites for tips and tricks and informing about Prestashop development. You can for ex. start one for your customers, if you feel that they are more confident in your services...
ibser Posted July 13, 2016

I think we misunderstand each other. I was asking for this: <Sorry, but there are official sites which handle this>

BTW your attitude is not very friendly. Maybe it's just me reading you wrong, but I settle my case here on this forum.
selectshop.at Posted July 13, 2016

@ibser - We should make it short: there must be a reason why Prestashop does not put a priority on this. I tried to explain the reasons to you, from my point of view. Nevertheless, if you feel that there is a lack of information on this for the customers YOU are supporting, you are free to publish what you want on your own page. This is what I'm doing and other developers too.... It was only advice on how YOU can manage this point better, not criticism and also not meant to be "unfriendly"... Forums are there to discuss several points of view, or not? To learn from others? As you know, it is the task of everyone using software (paid or OS) to keep it up to date to avoid possible security flaws... Neither Microsoft nor other big software will inform you about security problems. They simply send you info that there is an upgrade available. This is also what Prestashop is doing....
dpb-andorra Posted August 4, 2016

Hi. I had the same problem with the module sendtoafriend. First I was advised that there was a module being used to spam. I located the module sendtoafriend and eliminated it. Yet the administration took too long to load and I did not understand why. In the logs calls are still appearing:

POST /modules/sendtoafriend/sendtoafriend_ajax.php?rand=1468311826965

I reviewed the directories and there were still remains of sendtoafriend, which I eliminated. Even so, calls are still appearing in the log to:

POST /modules/sendtoafriend/sendtoafriend_ajax.php?rand=1468311826965

Does anyone know how to stop this nightmare? Thank you.
ibser Posted August 4, 2016

Hi dpb-andorra. When you uninstall the module from the admin backend it is still located on the disk. My solution was to uninstall from the admin backend and then, via FTP or whatever you use, delete the module totally from the system (dir and files).
surferboy Posted August 4, 2016

> Secure the module with a captcha: https://github.com/firstred/mpsendtoafriend/releases
> No captcha response = no processing, so that saves your server some processing power.
> You can also protect the product reviews module if you like: https://github.com/firstred/mpproductcomments/releases

Hi - I am kind of a bull in a china shop when it comes to tech administration. I downloaded the first zip file you had in this link, under 1.1.2: https://github.com/firstred/mpsendtoafriend/releases

Then I tried to add the module to my prestashop installation acp. Got an error. I tried again, after reenabling the send a link module. This time it added the module. Then I installed the module. Now there are two modules - see the attached printscreen. Do I need to uninstall the old one?

Thanks, Brian
surferboy Posted August 4, 2016

Update - there is no reCAPTCHA field appearing on the form for the send a link to a friend. Any ideas?
creasolstore Posted September 8, 2016

Although a captcha is really needed, I've posted a solution that uses fail2ban to put IP addresses that try to send many messages on a blacklist (iptables firewall). Click on https://www.prestashop.com/forums/topic/540520-send-to-friend-module-gets-spam/?do=findComment&comment=2399413
El Patron Posted May 13, 2017

We have issues with newsletter module....this we could tell from returned emails...still have not had time to sort it out...but stopped after disabling newsletter.
Bolonia Posted May 14, 2017

> I have a hacker who is sending out spam using the "send to a friend" module. Somehow he is also inserting a spam message in the "send to a friend" mails. So there must be a security hole in that module...
> Example IIS log:
> 2016-06-26 10:26:21 W3SVC26 <MY.WEBSERVER.IP.HERE> POST /modules/sendtoafriend/sendtoafriend_ajax.php rand=1466666329816 80 - 112.198.79.231 Mozilla/4.0+(compatible;+MSIE+9.0;+Windows+NT+6.1) http://www.websiteurl.com/modules/sendtoafriend/sendtoafriend_ajax.php?rand=1466666329816 200 0 0 513 1179 1812
> What do I do? I already blocked his IP address on the firewall, but that doesn't solve the security issue in the send to a friend module...
> Thanks. Kris.
> Update: Renaming the php files (to .bak) of the "send to a friend" module has effectively stopped the spam being sent. Disabling and uninstalling that module using the prestashop backend was not sufficient!!! The module files remain on the webserver even after uninstalling the module in the backend. So I can now confirm with certainty that the "send to a friend" module has some kind of security issue that enables the sending of spam.

Hi, where can I see these logs? Thx a lot! Jon
selectshop.at Posted May 14, 2017

> Hi, where can I see these logs? Thx a lot! Jon

As written before: IIS logs - so server logs. In this case it is a Windows server (IIS), but on Linux servers you can also read logs, if you have access to them. Ask your hosting provider where and if you can access the logs.
genweb Posted May 15, 2017

Does anyone know if this is fixed in 1.7? I cannot see the module there.
doekia Posted May 15, 2017

> Does anyone know if this is fixed in 1.7? I cannot see the module there.

Hence it is fixed. The backdoor is not related to the core but to the module itself: no module, no backdoor.
genweb Posted May 15, 2017

> Hence it is fixed. The backdoor is not related to the core but to the module itself: no module, no backdoor.

Good to hear, thanks!
doekia Posted May 19, 2017

Purge your mail server queue entirely, analyse your logs, find the true channel they use to spam, identify the backdoors, identify the breach used to implement the new set of backdoors, close both and perform a full code review for yet undiscovered backdoors. Change your superadmin access (most of your access credentials could have been leaked btw).

Time consuming, boring, but no other choice. Worse, if you don't do that you will probably migrate, on update, the code they use to sneak inside your system.

PS: The module is sendtoafriend, not newsletter !!

Edited May 19, 2017 by doekia
doekia Posted May 20, 2017

Assuming they use the regular contact form, u need to implement some captcha or the like. If the captcha is override based you should be immediately set. If it is a submit button hijack, you need to implement the correct RewriteRule to prevent sending to the "legacy" controller.
doekia Posted May 20, 2017

You can probably use this: http://area51.enter-solutions.com/snippets/74
endriu107 Posted May 21, 2017

If you have a problem with spam check this topic: https://www.prestashop.com/forums/topic/610111-spam-via-my-ecommerce-shop/