Antoine F Posted July 22, 2016

Hello everyone,

The last few weeks have seen security issues arise in the PrestaShop ecosystem, due to serious flaws in some popular modules and themes. The latest versions of PrestaShop do not have known security issues. We’ve created this thread to centralize the currently available information. Feel free to share your tips, and most importantly: UPGRADE YOUR INSTALLATION! Make sure your modules and your theme are up-to-date! And if you can, upgrade PrestaShop to the latest and safest version: PrestaShop 1.6.1.6.

The Warehouse theme

Warehouse is a very popular theme, sold through the ThemeForest marketplace (not available on PrestaShop Addons). But while the latest version (3.8.1, released July 19th) is safe, older versions have modules which contain a serious security flaw. The initial security fix was released on June 18th, with version 3.7.7.

The initial issue was with the theme’s own Image Banners module. Other modules included with the Warehouse theme appear to be problematic. In all, the community has given feedback about the following Warehouse-included modules:
- Simpleslideshow
- Columnadverts
- Homepageadvertise
- Productpageadverts

The author has quickly released issues, and also posted a thorough article on how to check your store and clean it, and contacted the people who bought this theme. Community member Lesley Paone, from Dh42, has published his own article, which includes a hotfix script to help you clean your installation.

Problematic modules

The community also gave us feedback about the following modules:
- Advancedslider
- Attributewizardpro
- Columnadverts
- Homepageadvertise
- Homepageadvertise2
- Productpageadverts
- Videostab
- vtermslidesshow

While we can’t confirm that all of them are related to these issues, you should double-check your store and see if you use the latest version of each of these modules.

Attribute Wizard Pro module

The community-created Attribute Wizard Pro module was found to be flawed. It has been fixed by the author on July 9th, and we strongly advise you to update yours to its latest version, v1.7.14.

VTEM Slideshow module

The community-created VTEM Slideshow module also suffers from a serious security flaw. We currently have no way of knowing whether it has been fixed or not.

Abandoned Cart Reminder Pro module

An Addons-created module was found to be vulnerable, and was fixed last week. It was put offline by the Addons team as soon as we learned about the issue, and is back online now that it is fixed. In addition to that, Addons customers who bought the module received an e-mail notification about the security optimization.

Send to a Friend module

While not being a security issue per se, the native Send to a Friend module, which is included in every version of PrestaShop, was recently found to have an issue which allowed malicious people to spam e-mail addresses using the store’s web server. The issue was fixed thanks to a community member, and a safe version has been available since June 2016. The community member in question wrote about it this week.

How PrestaShop Addons reacted

The Addons team takes security very seriously: we even have a team member solely dedicated to security. All modules (even module updates) submitted to Addons must pass the PrestaShop Validator automated tests, and Addons developers also check new modules to make sure they work safely. Even so, sometimes bad code passes our automatic and human filters: that’s what happened with the Abandoned Cart Reminder Pro module above. Luckily, our community has our back and warned us.

We have a process for when we learn of a security issue in a module or a theme:
1. Put it offline from Addons.
2. Contact its developer about it.
3. Wait for the developer to fix the issue and release a new version on Addons.
4. Put the addon back online with the issue fixed.
5. Contact all the Addons customers who bought the addon, warning them to update their store’s module.

This is exactly the process we followed. A batch e-mail was sent this week, advising customers to update their installation of the Abandoned Cart module. To prevent further issues, we have put offline some modules that seem to prevent the same issue, and we have strengthened our security process.

What you can do

Even if there are no recent security updates concerning your theme or modules, we advise you to check whether you are infected or not. In short: if you have the Warehouse theme or any of the modules listed above, DO UPGRADE THEM. Contact their respective author if you need to: we listed their website or product sheet above.

The tricky part is that every site is different, and even though the security flaws are mostly the same, each hacker has his own set of files to upload. Hence, cleaning up an infected store can be automatically done: the most secure way is to rely on a recent backup of your files. Moreover, listing the flawed files would be giving too much information to potential hackers…

We did hear of a hack which replaced the /controllers/admin/adminLoginController file with its own, so even though no new file has been uploaded, your site will be more secure if you use a backup (or if you upgrade to the latest version of PrestaShop). Check the last modification date of your files using an FTP client, such as FileZilla!

On top of cleaning up your files (or replacing them with a recent backup), what you should do in case of a confirmed infection is:
- Change your back office password, and that of other admin accounts.
- Check the Employee page to make sure no new employee has been created.
- Change your SQL password.
- Change your FTP password.

We hope your site is safe and sound.
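The two file checks the post above recommends (look at last-modification dates, and fall back to a recent backup) can be scripted instead of done by eye in an FTP client. The Python below is an added example, not code from the post or from PrestaShop: it lists files modified after a cutoff date and diffs a live install against a backup tree by SHA-256. The directory layout, file names and timestamps in build_demo are constructed for the demonstration; on a real store you would point files_modified_since and diff_against_backup at the web root and the restored backup.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large media files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    out = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            out[p.relative_to(root).as_posix()] = sha256_of(p)
    return out


def files_modified_since(root: Path, cutoff_epoch: float) -> list:
    """The 'check the last modification date' step, done recursively over the whole tree."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if p.stat().st_mtime > cutoff_epoch:
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def diff_against_backup(live: Path, backup: Path) -> dict:
    """Compare the live install with a known-good backup: files added, changed or missing."""
    live_h, back_h = tree_hashes(live), tree_hashes(backup)
    return {
        "added": sorted(set(live_h) - set(back_h)),
        "changed": sorted(k for k in live_h.keys() & back_h.keys() if live_h[k] != back_h[k]),
        "missing": sorted(set(back_h) - set(live_h)),
    }


OLD_EPOCH = 1_460_000_000.0     # constructed: "original" files dated April 2016
CUTOFF_EPOCH = 1_467_000_000.0  # constructed: cutoff date, late June 2016


def build_demo() -> tuple:
    """Constructed sample trees (not a real PrestaShop install): a backup and a live copy that drifted."""
    base = Path(tempfile.mkdtemp(prefix="psdemo_"))
    backup, live = base / "backup", base / "live"
    originals = {
        "controllers/admin/AdminLoginController.php": "<?php // original controller\n",
        "modules/example/example.php": "<?php // module code\n",
    }
    for root in (backup, live):
        for rel, body in originals.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
            os.utime(p, (OLD_EPOCH, OLD_EPOCH))  # date the originals before the cutoff
    # Drift in the live tree: one core file replaced, one .php dropped into an image folder
    (live / "controllers/admin/AdminLoginController.php").write_text("<?php // replaced content\n")
    extra = live / "modules/example/img/small.php"
    extra.parent.mkdir(parents=True, exist_ok=True)
    extra.write_text("<?php // file that the backup never had\n")
    return live, backup


if __name__ == "__main__":
    live, backup = build_demo()
    print("modified since cutoff:", files_modified_since(live, CUTOFF_EPOCH))
    print("diff vs backup:", diff_against_backup(live, backup))
```

The mtime check is only a first pass: an attacker who controls the file can also set its timestamp, which is why the hash comparison against a backup taken before the incident is the result to trust, and why the post recommends restoring from that backup rather than hand-cleaning.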
marlowera Posted July 27, 2018

Finally, a specific update.
Enrique Gómez Posted December 14, 2018 (edited)

I add the vtem skitter module to the list: https://blog.quttera.com/post/prestashop-vtem-skitter-modules-file-upload-vulnerability/. I suppose it is the same problem as the vtem slideshow.

Edited December 14, 2018 by Enrique Gómez
TiaNex Shopping Posted September 23, 2019

There are problems with the supershop theme; my store was hacked.
Enrique Gómez Posted September 26, 2019

One new module possibly affected (jmslider).
klimpond Posted March 3, 2020

We've seen attacks nowadays on the following modules:
- bamegamenu using the ajax_phpcode.php script
- smartprestashoptheadmin module using ajax_smartprestashoptheadmin.php
- groupcategory module using the GroupCategoryUploadImage.php script
- verticalmegamenus module using VerticalMegaMenusUploadImage.php
juliyvchirkov Posted January 3, 2021

The jmsslider module also has a critical security issue at ajax_jmsslider.php: one can upload any file type with any extension through a POST request to /modules/jmsslider/ajax_jmsslider.php?action=addLayer&id_slide=attari&data_type=image. The uploaded file is moved to the /modules/jmsslider/views/img/layers/ folder. Sample log follows:

- - 02/Jan/2021:15:04:50 +0200 `POST /modules/jmsslider/ajax_jmsslider.php?action=addLayer&id_slide=attari&data_type=image` 200 /home/zalupa/htdocs/modules/jmsslider/ajax_jmsslider.php 140.453 4096 42.72%
- - 02/Jan/2021:15:04:51 +0200 `GET /modules/jmsslider/views/img/layers/small.php` 200 /home/zalupa/htdocs/modules/jmsslider/views/img/layers/small.php 0.806 2048 0.00%
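The two posts above (klimpond's list of abused module scripts and juliyvchirkov's log excerpt) share one detection pattern: a POST to a module's upload handler, followed shortly by the web server executing a .php file from that module's image directory. The Python below is an added example, not code from either poster or from PrestaShop, that runs that check over access-log lines in the format shown in the post. The sample lines are constructed and modelled on the excerpt (with a placeholder home directory); the list of handler names is taken from this thread and the set of "upload directory" segments is an assumption you would tune to your modules.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Matches the log shape in the post: "- - <date> <tz> `<METHOD> <target>` <status> <script path> ..."
LOG_RE = re.compile(
    r"^\S+ \S+ (?P<ts>\S+ [+-]\d{4}) `(?P<method>[A-Z]+) (?P<target>\S+)` "
    r"(?P<status>\d{3}) (?P<script>\S+)"
)

# Module scripts named in this thread as abused upload handlers
KNOWN_UPLOAD_HANDLERS = {
    "ajax_jmsslider.php",
    "ajax_phpcode.php",
    "ajax_smartprestashoptheadmin.php",
    "GroupCategoryUploadImage.php",
    "VerticalMegaMenusUploadImage.php",
}
# Assumption: directories under which a .php file should never be served
UPLOAD_DIR_SEGMENTS = {"img", "images", "upload", "uploads", "layers"}
CORRELATION_WINDOW_S = 300  # POST followed by .php execution within 5 minutes


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = urlsplit(rec["target"]).path  # strip the query string
    rec["status"] = int(rec["status"])
    return rec


def module_of(path: str):
    """Return the module name for /modules/<name>/... paths, else None."""
    parts = path.strip("/").split("/")
    return parts[1] if len(parts) > 1 and parts[0] == "modules" else None


def analyze(lines):
    """Return (finding, path) tuples in log order."""
    findings = []
    last_post_to_module = {}  # module name -> timestamp of the most recent POST
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        path = rec["path"]
        parts = path.strip("/").split("/")
        basename, mod = parts[-1], module_of(path)
        if rec["method"] == "POST" and basename in KNOWN_UPLOAD_HANDLERS:
            findings.append(("known_upload_handler", path))
        if rec["method"] == "POST" and mod:
            last_post_to_module[mod] = rec["ts"]
        # A .php file executed from an image/upload directory is itself a finding...
        if basename.lower().endswith(".php") and UPLOAD_DIR_SEGMENTS & set(parts[:-1]):
            findings.append(("php_in_upload_dir", path))
            # ...and a stronger one when the same module received a POST just before
            last = last_post_to_module.get(mod)
            if last is not None and (rec["ts"] - last).total_seconds() <= CORRELATION_WINDOW_S:
                findings.append(("upload_then_execute", path))
    return findings


# Constructed sample, modelled on the excerpt in the post (home directory is a placeholder)
SAMPLE_LOG = """\
- - 02/Jan/2021:15:04:50 +0200 `POST /modules/jmsslider/ajax_jmsslider.php?action=addLayer&id_slide=attari&data_type=image` 200 /home/example/htdocs/modules/jmsslider/ajax_jmsslider.php 140.453 4096 42.72%
- - 02/Jan/2021:15:04:51 +0200 `GET /modules/jmsslider/views/img/layers/small.php` 200 /home/example/htdocs/modules/jmsslider/views/img/layers/small.php 0.806 2048 0.00%
- - 02/Jan/2021:15:05:10 +0200 `GET /modules/jmsslider/views/img/layers/banner.jpg` 200 /home/example/htdocs/modules/jmsslider/views/img/layers/banner.jpg 0.100 51200 0.00%
- - 02/Jan/2021:15:06:00 +0200 `POST /modules/groupcategory/GroupCategoryUploadImage.php` 200 /home/example/htdocs/modules/groupcategory/GroupCategoryUploadImage.php 12.000 1024 1.00%
"""

if __name__ == "__main__":
    for kind, path in analyze(SAMPLE_LOG.splitlines()):
        print(f"{kind:22} {path}")
```

The "php_in_upload_dir" rule is the one worth keeping even after the modules are patched: the web server should not execute scripts from directories that exist to hold uploaded images, so a server rule that denies .php under those paths removes the second half of the sequence regardless of which module has the next upload flaw.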
El Patron Posted January 6, 2021

Closing and unpinning as dated 2016. Please make a new post/topic on any security issues you think there might be.