
[solved] Security: 1.6.1.6 hacked - vouchers


adamus007p


We have updated PrestaShop to 1.6.1.6 and all modules.

Today we had a hacker who somehow got hold of vouchers worth 200GBP and used them to order digital products via PayPal.

He chose products for 202GBP and used a voucher for 200GBP, so he paid only 2GBP.

There is some gap in PrestaShop where a hacker can see and use all your vouchers.

I have called PayPal to report these orders and to block/investigate this hacker's account.

PayPal haven't done anything, and after 2 hours the hacker made another unauthorized transaction.

Please disable all unnecessary vouchers.

edit:

No extra problematic modules installed.

edit2:

I was trying to open a bug report but I had a problem doing it. It works now:
    It seems that you have tried to perform an operation which you are not permitted to perform.
    If you think this message is wrong, please contact your JIRA administrators.

But have you got any of these modules in your PrestaShop?

Updated list of modules to check for:

'columnadverts',
'soopamobile',
'soopabanners',
'vtermslidesshow',
'simpleslideshow',
'productpageadverts',
'homepageadvertise',
'homepageadvertise2',
'jro_homepageadvertise',
'attributewizardpro',
'advancedslider',
'cartabandonmentpro',
'videostab',
'wg24themeadministration',
'fieldvmegamenu',
'tenbucks',
'sendtoafriend',
'smartblog'

Smartblog is probably the most downloaded/used of those modules across many themes; most of these probably have updates now.


A week ago I had sendtoafriend, but I deleted it when I heard about the security problem.

I deleted it as a precaution; we had no problems.

Today we met with a security issue and fraudulent orders.

Any other advice?

For the moment I have disabled all vouchers in PrestaShop.

In /modules/ I can't see any folder for sendtoafriend, but in BO/modules I see sendtoafriend listed as available to install.

Does it show the modules that are available in Addons, because there is no module on FTP?

    Does it show the modules that are available in Addons, because there is no module on FTP?

No worries, the module is available remotely only (if you removed it from the /modules/ directory).

What about the other addons? Do you still have some of them in your /modules/ directory (from the list that David Eschmeyer pasted)?


OK, I see what the problem is.

After the update to 1.6.1.6, when a customer goes to https://www.store/discount while logged in on the FO, he is able to see all vouchers.

They should be hidden, so a nice bug or feature in 1.6.1.6 :)

    $sql .= ' UNION (SELECT '.$sql_part1.' WHERE cr.`group_restriction` = 1 '.$sql_part2.')';
    if ($includeGeneric && (int)$id_customer != 0) {
        $sql .= ' UNION (SELECT '.$sql_part1.' WHERE cr.`id_customer` = 0 '.$sql_part2.')';
    }

I deleted includeGeneric and it seems to be OK.

What is includeGeneric for?

solution:

This was not a hacker, just a customer who found vouchers and used them.

You may close this topic.

I agree, this would appear to be a design flaw. Most likely it was designed to work this way, but PrestaShop developers routinely fail to realize how something like this could be used maliciously.

Visiting the discount page as a logged-in customer (aka the My Vouchers page in My Account) will show you any cart rules that are Active, Not Expired and have Quantity > 0.

Most likely the code should take into account the "Highlight" option as defined by the Cart Rule. If enabled, the voucher is shown to the customer during checkout. If disabled, it is hidden, but still usable if they know the code.


For my shop running 1.6.1.6 the simplest fix was to change the default of the highlight_only setting in classes/CartRule.php, line 263.

Change from:

    public static function getCustomerCartRules($id_lang, $id_customer, $active = false, $includeGeneric = false, $inStock = false, Cart $cart = null, $free_shipping_only = false, $highlight_only = false)

to:

    public static function getCustomerCartRules($id_lang, $id_customer, $active = false, $includeGeneric = false, $inStock = false, Cart $cart = null, $free_shipping_only = false, $highlight_only = true)

Works as it should :)
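The voucher visibility logic discussed in the two posts above, as an added example that is not part of this thread nor PrestaShop's own code: a Python/SQLite model of the getCustomerCartRules() query run over a constructed cart_rule table, showing what a logged-in customer gets on /discount with highlight_only=False (the 1.6.1.6 default) versus highlight_only=True (the fix posted above). The column names, the sample rows, the include_generic default and the way highlight_only is folded into the WHERE clause are assumptions made for the demo.

```python
import sqlite3

# Constructed sample rows modelled on PrestaShop 1.6's ps_cart_rule table
# (assumed columns: id_cart_rule, code, id_customer, active, quantity, date_to, highlight).
SAMPLE_RULES = [
    (1, "WELCOME10", 0, 1, 100, "2099-01-01", 1),  # generic, deliberately highlighted
    (2, "SECRET200", 0, 1, 1,   "2099-01-01", 0),  # generic, meant to stay private
    (3, "VIP-ONLY",  5, 1, 1,   "2099-01-01", 0),  # assigned to customer 5 only
    (4, "OLDPROMO",  0, 1, 10,  "2000-01-01", 0),  # expired
    (5, "USEDUP",    0, 1, 0,   "2099-01-01", 0),  # quantity exhausted
    (6, "DISABLED",  0, 0, 10,  "2099-01-01", 0),  # inactive
]


def build_db():
    """Create an in-memory SQLite table holding the constructed sample rules."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cart_rule ("
        " id_cart_rule INTEGER PRIMARY KEY, code TEXT, id_customer INTEGER,"
        " active INTEGER, quantity INTEGER, date_to TEXT, highlight INTEGER)"
    )
    conn.executemany("INSERT INTO cart_rule VALUES (?,?,?,?,?,?,?)", SAMPLE_RULES)
    return conn


def get_customer_cart_rules(conn, id_customer, include_generic=True,
                            highlight_only=False, today="2024-01-01"):
    """Model of CartRule::getCustomerCartRules(): the customer's own rules,
    UNIONed with the generic (id_customer = 0) ones when include_generic is set,
    keeping only rules that are active, not expired and still have quantity.
    highlight_only adds the 'highlight = 1' filter (placement assumed for the demo)."""
    common = "active = 1 AND quantity > 0 AND date_to >= ?"
    if highlight_only:
        common += " AND highlight = 1"
    sql = "SELECT code FROM cart_rule WHERE id_customer = ? AND " + common
    params = [id_customer, today]
    if include_generic and id_customer != 0:
        # This is the UNION branch quoted from the thread: every generic voucher
        # that passes the date/quantity/active checks is returned to any customer.
        sql += " UNION SELECT code FROM cart_rule WHERE id_customer = 0 AND " + common
        params.append(today)
    return sorted(row[0] for row in conn.execute(sql, params))


def discount_page_1616(conn, id_customer):
    """What /discount lists for a logged-in customer with the 1.6.1.6 default."""
    return get_customer_cart_rules(conn, id_customer, highlight_only=False)


def discount_page_fixed(conn, id_customer):
    """Same page after defaulting highlight_only to True, as in the fix above."""
    return get_customer_cart_rules(conn, id_customer, highlight_only=True)


if __name__ == "__main__":
    db = build_db()
    for cid in (5, 7):
        print("customer", cid, "1.6.1.6:", discount_page_1616(db, cid))
        print("customer", cid, "fixed:  ", discount_page_fixed(db, cid))
```

With the default, customer 7 (who owns no vouchers) still sees SECRET200, which is exactly what happened in this thread. Note that highlight_only=True also hides the customer's own non-highlighted voucher (VIP-ONLY) from the page; as the earlier reply says, a hidden rule remains usable when its code is typed at checkout, so only rules you deliberately flag as Highlight get listed.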
