
[WARNING] Module sendtoafriend creates a SPAM backdoor!


modulix


First, my modules are up to date, but somebody uses my Prestashop server to send SPAM via the sendtoafriend module.

It seems that he only has to submit data containing the mail to send to this URL:

"POST /modules/sendtoafriend/sendtoafriend_ajax.php?rand=1468569353599 HTTP/1.1"

and my server emits his mail...

For now, the only way to avoid this is to remove the sendtoafriend directory.

@devs: Please, create a patch to avoid this!

 


For more detailed information about this exploit, I took a capture of one of the received requests,

( tcpdump -A -i eth0 port 80 and src 203.160.131.88 )

 

22:03:23.420029 IP 203.160.131.88.53228 > *********.fr.http: Flags [P.], seq 0:401, ack 1, win 16698, length 401
[email protected]`.3.$!-P.A:....POST /modules/sendtoafriend/sendtoafriend_ajax.php?rand=1468569353599 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
Accept: */*
Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Content-Length: 1030
Host: *******.fr

22:03:23.420568 IP 203.160.131.88.53228 > *******.fr.http: Flags [P.], seq 401:1431, ack 1, win 16698, length 1030
[email protected].?....X..P....Px`...$!-P.A:.5..action=sendToMyFriend&secure_key=01665d8519622a4f810fca6231f78399&name=%E5%A8%81%E5%B0%BC%E6%96%AF%E4%BA%BA%E5%A8%B1%E4%B9%90%E5%9F%8Ewww.51868.cc%E5%AD%9825%E9%80%8150%E5%85%83%EF%BC%8C%E7%8E%A9%E5%AE%B6%E9%A6%96%E9%80%89%EF%BC%8C%E6%8B%A5%E6%9C%89%E5%90%88%E6%B3%95%E7%BD%91%E6%8A%95%E7%89%8C%E7%85%A7%EF%BC%8C%E5%A4%A7%E9%A2%9D%E7%8E%A9%E5%AE%B6%E9%A6%96%E9%80%89%EF%BC%81%E5%85%A8%E7%BD%91%E7%94%B5%E5%AD%90%EF%BC%8C%E7%99%BE%E5%AE%B6%E4%B9%90%E6%9C%80%E4%BD%B3%E6%8A%95%E6%B3%A8%E5%B9%B3%E5%8F%B0%EF%BC%81%0D%0A%E9%93%B6%E6%B2%B3%E5%A8%B1%E4%B9%90%E5%9C%BAwww.136.org%E5%AD%988%E5%85%83%E9%80%8138%E5%85%83%EF%BC%8CBBIN%E5%94%AF%E4%B8%80%E5%AE%98%E6%96%B9%E7%9B%B4%E8%90%A5%E7%BD%91%EF%BC%81%E7%94%B5%E5%AD%90%E6%B8%B8%E8%89%BA%E6%BF%80%E6%83%85%E5%8D%81%E6%83%A0%E9%82%80%E6%82%A8%E6%8C%91%E6%88%98%EF%BC%81%E5%BE%AE%E4%BF%A1%E7%BE%A4%E5%8F%91%E5%88%86%E4%BA%AB%E9%80%81198%E5%85%83%EF%BC%8C%E6%9C%88%E6%9C%88%E4%B8%89%E5%A4%A7%E7%8E%B0%E9%87%91%E5%9B%9E%E9%A6%88%EF%BC%81%EF%BC%81%0D%0A&[email protected]&id_product=23
22:03:24.225056 IP 203.160.131.88.53228 > *******.fr.http: Flags [.], ack 1, win 16698, options [nop,nop,sack 1 {7261:8713}], length 0

 

 

It's a very serious issue; I guess that a lot of sites are vulnerable...

(I have deleted this directory, so my website returns 404)


So, the posted string is:

 

action=sendToMyFriend&secure_key=01665d8519622a4f810fca6231f78399&name=\xe5\xa8\x81\xe5\xb0\xbc\xe6\x96\xaf\xe4\xba\xba\xe5\xa8\xb1\xe4\xb9\x90\xe5\x9f\x8ewww.51868.cc\xe5\xad\x9825\xe9\x80\x8150\xe5\x85\x83\xef\xbc\x8c\xe7\x8e\xa9\xe5\xae\xb6\xe9\xa6\x96\xe9\x80\x89\xef\xbc\x8c\xe6\x8b\xa5\xe6\x9c\x89\xe5\x90\x88\xe6\xb3\x95\xe7\xbd\x91\xe6\x8a\x95\xe7\x89\x8c\xe7\x85\xa7\xef\xbc\x8c\xe5\xa4\xa7\xe9\xa2\x9d\xe7\x8e\xa9\xe5\xae\xb6\xe9\xa6\x96\xe9\x80\x89\xef\xbc\x81\xe5\x85\xa8\xe7\xbd\x91\xe7\x94\xb5\xe5\xad\x90\xef\xbc\x8c\xe7\x99\xbe\xe5\xae\xb6\xe4\xb9\x90\xe6\x9c\x80\xe4\xbd\xb3\xe6\x8a\x95\xe6\xb3\xa8\xe5\xb9\xb3\xe5\x8f\xb0\xef\xbc\x81\r\n\xe9\x93\xb6\xe6\xb2\xb3\xe5\xa8\xb1\xe4\xb9\x90\xe5\x9c\xbawww.136.org\xe5\xad\x988\xe5\x85\x83\xe9\x80\x8138\xe5\x85\x83\xef\xbc\x8cBBIN\xe5\x94\xaf\xe4\xb8\x80\xe5\xae\x98\xe6\x96\xb9\xe7\x9b\xb4\xe8\x90\xa5\xe7\xbd\x91\xef\xbc\x81\xe7\x94\xb5\xe5\xad\x90\xe6\xb8\xb8\xe8\x89\xba\xe6\xbf\x80\xe6\x83\x85\xe5\x8d\x81\xe6\x83\xa0\xe9\x82\x80\xe6\x82\xa8\xe6\x8c\x91\xe6\x88\x98\xef\xbc\x81\xe5\xbe\xae\xe4\xbf\xa1\xe7\xbe\xa4\xe5\x8f\x91\xe5\x88\x86\xe4\xba\xab\xe9\x80\x81198\xe5\x85\x83\xef\xbc\x8c\xe6\x9c\x88\xe6\x9c\x88\xe4\xb8\x89\xe5\xa4\xa7\xe7\x8e\xb0\xe9\x87\x91\xe5\x9b\x9e\xe9\xa6\x88\xef\xbc\x81\xef\xbc\x81\r\n&[email protected]&id_product=23

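The capture above shows what an abused request looks like on the wire; on the server, the same requests are only visible in the web server's access log. As an added example (not code from the thread or from PrestaShop), the following Python script parses Apache combined-format log lines and flags source addresses whose POST rate to sendtoafriend_ajax.php exceeds what a shopper sharing a product would produce. The log lines are constructed for the example (the 198.51.100.7 and 203.0.113.9 addresses, the dates and the rand values are made up; 203.160.131.88 is the address from the capture), and the threshold and function names are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Path of the module's AJAX handler, as it appears in the captured request.
ENDPOINT = "/modules/sendtoafriend/sendtoafriend_ajax.php"

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one address hammering the endpoint, one shopper using the
# real form from the product page, one scripted source that stays under the threshold.
SAMPLE_LOG = """\
203.160.131.88 - - [15/Jul/2016:22:03:23 +0200] "POST /modules/sendtoafriend/sendtoafriend_ajax.php?rand=1468569353599 HTTP/1.1" 200 1 "-" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.160.131.88 - - [15/Jul/2016:22:03:41 +0200] "POST /modules/sendtoafriend/sendtoafriend_ajax.php?rand=1468569371102 HTTP/1.1" 200 1 "-" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.160.131.88 - - [15/Jul/2016:22:03:58 +0200] "POST /modules/sendtoafriend/sendtoafriend_ajax.php?rand=1468569388540 HTTP/1.1" 200 1 "-" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
198.51.100.7 - - [15/Jul/2016:22:04:02 +0200] "GET /index.php?id_product=23&controller=product HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jul/2016:22:04:30 +0200] "POST /modules/sendtoafriend/sendtoafriend_ajax.php?rand=1468569420811 HTTP/1.1" 200 1 "https://shop.example/index.php?id_product=23&controller=product" "Mozilla/5.0"
203.0.113.9 - - [15/Jul/2016:22:05:10 +0200] "POST /modules/sendtoafriend/sendtoafriend_ajax.php?rand=1468569460000 HTTP/1.1" 200 1 "-" "curl/7.47.0"
203.0.113.9 - - [15/Jul/2016:22:05:55 +0200] "POST /modules/sendtoafriend/sendtoafriend_ajax.php?rand=1468569505000 HTTP/1.1" 200 1 "-" "curl/7.47.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the cache-busting ?rand=...
    return rec


def sendtoafriend_posts(lines):
    """Yield parsed records for POST requests that hit the module's AJAX handler."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == ENDPOINT:
            yield rec


def flag_abusers(lines, max_per_minute=2):
    """Return {ip: stats} for sources whose peak POST rate to the endpoint exceeds max_per_minute.

    The stats also count requests without a Referer: a browser submitting the real form
    sends the product page as Referer, a script usually does not. Referer is client
    controlled, so it is reported as corroboration only and never used as the trigger.
    """
    per_minute = defaultdict(Counter)  # ip -> {"YYYY-mm-dd HH:MM": count}
    total, no_referer = Counter(), Counter()
    for rec in sendtoafriend_posts(lines):
        ip = rec["ip"]
        per_minute[ip][rec["ts"].strftime("%Y-%m-%d %H:%M")] += 1
        total[ip] += 1
        if rec["referer"] in ("", "-"):
            no_referer[ip] += 1
    flagged = {}
    for ip, buckets in per_minute.items():
        peak = max(buckets.values())
        if peak > max_per_minute:
            flagged[ip] = {"total": total[ip], "peak_per_minute": peak, "no_referer": no_referer[ip]}
    return flagged


if __name__ == "__main__":
    for ip, stats in flag_abusers(SAMPLE_LOG.splitlines()).items():
        print(ip, stats)
```

Run it against a real access.log with `flag_abusers(open("/var/log/apache2/access.log"))`; the one-minute bucket and the threshold of two are starting points, and a shop with an active "send to a friend" feature may need a larger window before a single source stands out.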

Lol...

Add this in sendtoafriend_ajax.php:

$module = new SendToAFriend();

// Handle the request only when the action and the module's secure_key match
// AND the visitor's cookie carries a logged-in customer
if ((Tools::getValue('action') == 'sendToMyFriend')
	&& (Tools::getValue('secure_key') == $module->secure_key)
	&& !empty($module->context->cookie->customer_firstname))
{
	// ... the existing body of the ajax handler stays unchanged here ...

So, only registered customers can send email.

You can also add a verification on name:

// $name is the posted "name" field; isName() rejects digits and most punctuation
if (!Validate::isName($name))
    die(0);

 

Lol...

 

Sorry, but this issue is not funny.

In my case this backdoor was used by more than ten different IPs (from China), each sending around 3 mails per minute... so this server was blacklisted by ISPs and so on. A really bad week.

I believe that your proposal is not efficient:

Yes, it is probable that the spammer already has an account, but as there is no trace of that activity (except in apache/access.log), you cannot know who is doing that.

Perhaps he only has to discover a valid username (that also seems quite easy).

The secure_key is easy to capture by using this feature in a browser while running tcpdump in another one.

No, I guess that the better way is to NOT use an ajax request to send mails.

Otherwise, you need to implement a really secure way to be really sure that this ajax script is not called directly from the web.

 

 

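As an added example (not code from the thread or from PrestaShop, and written in Python rather than the module's PHP), here is a framework-neutral model of the checks a send-to-a-friend endpoint needs before it relays mail: a logged-in customer in the server-side session, a per-session token in the form instead of the module's fixed secure_key (the legitimate page hands that key to every visitor, so presenting it proves nothing), an isName-style check on the name, and a per-customer rate limit. The class, method and field names, the rate limit, the name regex and the sample name are assumptions made for this example.

```python
import hmac
import re
import secrets
import time
from collections import defaultdict, deque

# Roughly what an isName-style check rejects: digits and most punctuation.
# It is a sanity check, not a spam filter (a URL with no digits still passes),
# so the session and rate-limit checks below carry the real weight.
NAME_RE = re.compile(r'^[^0-9!<>,;?=+()@#"°{}_$%:/\\|]+$')


class SendToFriendGuard:
    """Decides whether one POST may become an outgoing e-mail (hypothetical helper)."""

    def __init__(self, max_per_hour=5, clock=time.monotonic):
        self.max_per_hour = max_per_hour
        self.clock = clock                 # injectable so tests can control time
        self._sent = defaultdict(deque)    # customer_id -> timestamps of accepted sends

    @staticmethod
    def issue_token(session):
        """Call when rendering the product page: a fresh unguessable token bound to this session."""
        token = secrets.token_hex(16)
        session["send_token"] = token
        return token

    def authorize(self, form, session):
        """Return (allowed, reason). `form` is the POST body, `session` the server-side session."""
        customer_id = session.get("customer_id")
        if customer_id is None:
            return False, "not logged in"          # anonymous scripts stop here
        expected = session.get("send_token", "")
        supplied = form.get("token", "")
        if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
            return False, "bad or missing token"   # a replayed capture has no valid token
        name = form.get("name", "")
        if not NAME_RE.match(name) or len(name) > 64:
            return False, "invalid name"           # the captured "name" was a URL-laden advert
        now = self.clock()
        window = self._sent[customer_id]
        while window and now - window[0] > 3600:   # sliding one-hour window
            window.popleft()
        if len(window) >= self.max_per_hour:
            return False, "rate limit"             # 3 mails a minute from one account is not a shopper
        window.append(now)
        return True, "ok"


def demo():
    """Walk through the cases discussed in the thread; returns the list of decisions."""
    guard = SendToFriendGuard(max_per_hour=2, clock=lambda: 1000.0)
    results = []
    # 1. Replay of a captured body: right action and secure_key, but no session at all.
    #    The name is constructed to resemble the capture (digits and a URL inside the name).
    replay = {"action": "sendToMyFriend", "secure_key": "01665d8519622a4f810fca6231f78399",
              "name": "威尼斯人娱乐城www.example.invalid存25送50元", "id_product": "23"}
    results.append(guard.authorize(replay, {}))
    # 2. A logged-in customer whose product page issued a token.
    session = {"customer_id": 42}
    token = SendToFriendGuard.issue_token(session)
    results.append(guard.authorize({"token": "not-the-token", "name": "Alice"}, session))
    results.append(guard.authorize({"token": token, "name": replay["name"]}, session))
    results.append(guard.authorize({"token": token, "name": "Alice"}, session))
    results.append(guard.authorize({"token": token, "name": "Alice"}, session))
    results.append(guard.authorize({"token": token, "name": "Alice"}, session))  # third in the hour
    return results


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

The order of the checks matters: authentication and the per-session token are evaluated before any field is inspected, so a request that is not a form submission from a logged-in session costs nothing and sends nothing, and the rate limit is keyed on the customer rather than the source address, which is what makes the "more than ten different IPs" pattern from the thread ineffective against it.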


Place a captcha in front of it. The module in this repo is basically the same, except it has a captcha for added security: https://github.com/firstred/mpsendtoafriend

I tried this module on PS 1.6.1.1, but when I install it, I get a fatal error about

require_once(): Failed opening required '[.............]/modules/mpsendtoafriend/vendor/autoload.php'

 

Any suggestions?

