adamus007p, posted August 3, 2016 (edited):

We have updated PrestaShop to 1.6.1.6 and all modules. Today we had a hacker who somehow got hold of vouchers worth 200GBP and used them to order digital products via PayPal. He chose products for 202GBP and used a voucher for 200GBP, so he paid only 2GBP. There is some gap in PrestaShop that a hacker can use to see all your vouchers. I have called PayPal to report these orders and to block/investigate this hacker's account. PayPal haven't done anything, and after 2 hours the hacker made another unauthorized transaction. Please disable all vouchers that are not necessary.

edit: https://www.prestashop.com/forums/topic/544579-major-security-issues-with-few-modules-and-themes/ - none of the problematic extra modules are installed.

edit2: I was trying to open a bug report but had a problem doing it. Now it works: http://forge.prestashop.com/browse/PSCSX-8270 (the error was "It seems that you have tried to perform an operation which you are not permitted to perform. If you think this message is wrong, please contact your JIRA administrators.")
vekia, posted August 3, 2016:

Quoting: "edit: https://www.prestash...les-and-themes/ none of the problematic extra modules are installed"

But do you have these modules in your PrestaShop?
David Eschmeyer, posted August 3, 2016:

Quoting: "but do you have these modules in your PrestaShop?"

Updated list of modules to check for: 'columnadverts', 'soopamobile', 'soopabanners', 'vtermslidesshow', 'simpleslideshow', 'productpageadverts', 'homepageadvertise', 'homepageadvertise2', 'jro_homepageadvertise', 'attributewizardpro', 'advancedslider', 'cartabandonmentpro', 'videostab', 'wg24themeadministration', 'fieldvmegamenu', 'tenbucks', 'sendtoafriend', 'smartblog'.

Smartblog is probably the most downloaded/used of those modules across many themes; most of these probably have updates now.
adamus007p (author), posted August 3, 2016 (edited):

A week ago I had sendtoafriend, but I deleted it when I heard about the security problem. I deleted it as a precaution; we had no problems. Today we ran into a security issue and fraudulent orders. Any other advice? For the moment I have disabled all vouchers in PrestaShop.

In /modules/ I can't see any folder for sendtoafriend, but in BO > Modules I see sendtoafriend offered for install. Is it showing the modules that are available on Addons, given that there is no module on FTP?
vekia, posted August 3, 2016:

Quoting: "Is it showing the modules that are available on Addons, given that there is no module on FTP?"

No worries, the module is only available remotely (if you removed it from the /modules/ directory). What about the other addons? Do you still have some of them in your /modules/ directory (from the list that David Eschmeyer pasted)?
adamus007p (author), posted August 4, 2016:

No other modules.
vekia, posted August 4, 2016:

Do you use some other CMS on the same hosting account where you have your shop?
adamus007p (author), posted August 4, 2016 (edited):

OK, I see what the problem is. After the update to 1.6.1.6, when a customer goes to https://www.store/discount while logged in on the FO, he is able to see all vouchers. They should be hidden, so a nice bug or feature in 1.6.1.6:

    // Excerpt from CartRule::getCustomerCartRules() as posted; $sql_part1 / $sql_part2
    // are the shared SELECT list and filter clauses built earlier in the method.
    $sql .= ' UNION (SELECT '.$sql_part1.' WHERE cr.`group_restriction` = 1 '.$sql_part2.')';
    if ($includeGeneric && (int)$id_customer != 0) {
        // Generic cart rules (id_customer = 0) are added for every logged-in customer.
        $sql .= ' UNION (SELECT '.$sql_part1.' WHERE cr.`id_customer` = 0 '.$sql_part2.')';
    }

I deleted includeGeneric and it seems to be OK. What is includeGeneric for?

solution: https://github.com/PrestaShop/PrestaShop/blob/develop/controllers/front/DiscountController.php

This was not a hacker, just a customer who found the vouchers and used them. You may close this topic.
bellini13, posted August 7, 2016:

I agree, this would appear to be a design flaw. Most likely it was designed to work this way, but PrestaShop developers routinely fail to realize how something like this could be used maliciously.

Visiting the discount page as a logged-in customer (aka the My Vouchers page in My Account) will show you any cart rules that are Active, Not Expired and Quantity > 0.

Most likely the code should take into account the "Highlight" option as defined by the Cart Rule. If enabled, the voucher is shown to the customer during checkout. If disabled, it is hidden, but still usable if they know the code.
Krystian Podemski, posted September 26, 2016:

Important, if someone is still looking for an answer, this is the proper fix for this issue: https://github.com/PrestaShop/PrestaShop/pull/5978/files
Pianetafarma.it, posted October 2, 2016:

Really, thanks, I solved it. Thanks to all!
mkr.krajewski@gmail., posted July 15, 2017:

For my shop running 1.6.1.6 the simplest fix was to change the default of the highlight_only setting in classes/CartRule.php, line 263. Change from:

    public static function getCustomerCartRules($id_lang, $id_customer, $active = false, $includeGeneric = false, $inStock = false, Cart $cart = null, $free_shipping_only = false, $highlight_only = false)

to:

    public static function getCustomerCartRules($id_lang, $id_customer, $active = false, $includeGeneric = false, $inStock = false, Cart $cart = null, $free_shipping_only = false, $highlight_only = true)

Works as it should.
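To make the difference between the two listings concrete, the following is an added example, written for this page and not code from PrestaShop or from any poster above. It models the query shape quoted from CartRule::getCustomerCartRules() (a per-customer SELECT UNIONed with a generic id_customer = 0 SELECT when includeGeneric is set, and a highlight filter appended to the shared clause when highlight_only is set) against a constructed, reduced cart_rule table in SQLite. The column names follow ps_cart_rule where used, but the rows, the fixed "now" timestamp and the function names are assumptions; the real table has many more columns and the real method also has a group_restriction branch, which is left out. SQLite does not accept the parentheses MySQL allows around UNION members, so they are dropped here.

```python
import sqlite3

# Fixed "current time" so the expiry comparisons are deterministic (assumption).
NOW = "2016-08-03 12:00:00"

# Constructed rows modelling a reduced ps_cart_rule table. id_customer = 0 means
# a generic rule. GIFT200 stands in for the 200GBP voucher from the first post:
# generic, active, in stock, but not meant to be advertised (highlight = 0).
CART_RULES = [
    # (id_cart_rule, id_customer, code, description, quantity, active, highlight, date_from, date_to)
    (1, 7, "WELCOME7", "10% voucher for customer 7",  1, 1, 1, "2016-01-01 00:00:00", "2017-01-01 00:00:00"),
    (2, 0, "SUMMER16", "Public summer promotion",   100, 1, 1, "2016-06-01 00:00:00", "2016-09-01 00:00:00"),
    (3, 0, "GIFT200",  "200 GBP gift voucher",        1, 1, 0, "2016-01-01 00:00:00", "2017-01-01 00:00:00"),
    (4, 0, "OLDPROMO", "Expired generic promotion",  50, 1, 1, "2015-01-01 00:00:00", "2016-01-01 00:00:00"),
    (5, 0, "USEDUP",   "Generic, quantity exhausted", 0, 1, 0, "2016-01-01 00:00:00", "2017-01-01 00:00:00"),
    (6, 0, "DISABLED", "Generic but inactive",        5, 0, 0, "2016-01-01 00:00:00", "2017-01-01 00:00:00"),
    (7, 9, "OTHER9",   "Voucher for customer 9",      1, 1, 1, "2016-01-01 00:00:00", "2017-01-01 00:00:00"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed cart rules."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cart_rule ("
        " id_cart_rule INTEGER PRIMARY KEY, id_customer INTEGER, code TEXT,"
        " description TEXT, quantity INTEGER, active INTEGER, highlight INTEGER,"
        " date_from TEXT, date_to TEXT)"
    )
    conn.executemany("INSERT INTO cart_rule VALUES (?,?,?,?,?,?,?,?,?)", CART_RULES)
    return conn


def customer_cart_rules(id_customer, include_generic=False, highlight_only=False, conn=None):
    """Model of the query built by getCustomerCartRules() for the branches quoted above.

    sql_part2 is the filter clause shared by every UNION member; when highlight_only
    is set, 'highlight = 1' is appended to it, so it applies to all branches.
    """
    conn = conn or build_db()
    sql_part1 = "SELECT cr.code FROM cart_rule cr"
    sql_part2 = (" AND cr.active = 1 AND cr.quantity > 0"
                 " AND cr.date_from <= ? AND cr.date_to >= ?")
    if highlight_only:
        sql_part2 += " AND cr.highlight = 1"
    branch_params = [NOW, NOW]

    sql = f"{sql_part1} WHERE cr.id_customer = ?{sql_part2}"
    params = [id_customer] + branch_params
    if include_generic and id_customer != 0:
        # The branch that exposes every generic voucher to any logged-in customer.
        sql += f" UNION {sql_part1} WHERE cr.id_customer = 0{sql_part2}"
        params += branch_params
    return sorted(row[0] for row in conn.execute(sql, params))


def my_vouchers_1616(id_customer, conn=None):
    """What the /discount page lists in the 1.6.1.6 behaviour described in the thread:
    generic rules included, the Highlight flag ignored."""
    return customer_cart_rules(id_customer, include_generic=True, highlight_only=False, conn=conn)


def my_vouchers_fixed(id_customer, conn=None):
    """Same listing with highlight_only enabled, as in the last post's change of default."""
    return customer_cart_rules(id_customer, include_generic=True, highlight_only=True, conn=conn)


def leaked_codes(id_customer, conn=None):
    """Codes the 1.6.1.6 listing shows that the highlight-aware listing hides."""
    return sorted(set(my_vouchers_1616(id_customer, conn)) - set(my_vouchers_fixed(id_customer, conn)))


if __name__ == "__main__":
    db = build_db()
    for cid in (7, 9):
        print(f"customer {cid}: 1.6.1.6 shows {my_vouchers_1616(cid, db)},"
              f" highlight-aware shows {my_vouchers_fixed(cid, db)},"
              f" leaked: {leaked_codes(cid, db)}")
```

Running it shows the expired, exhausted and inactive generic rules are already filtered out in both variants, so the thread's observation is precise: only active, in-stock, unexpired generic codes were exposed, which is exactly the set a customer can redeem immediately. Respecting the Highlight flag hides GIFT200 while leaving the public SUMMER16 promotion and the customer's own highlighted voucher visible.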