Prestashop: Critical security flaw in modules

By Julien GAUTHIER
Published: 7 January 2020

Attackers are using a vulnerability in a popular dependency shipped by modules to take control of PrestaShop sites. For more details, please read the full article.

State of play: PrestaShop PHPUnit security flaw

The PrestaShop team has informed us that attackers are currently exploiting a vulnerability in PHPUnit, a PHP testing library that several modules ship as a dependency, to run arbitrary code on servers hosting PrestaShop shops. The problem is fixed in PHPUnit 7.5.19 and 8.5.1; all earlier versions are vulnerable. This means that a single outdated module still shipping the library can compromise your whole shop and its data (data theft).

How do you know if you're affected by the Prestashop PHPUnit vulnerability?

Connect to your shop via FTP or shell access and look at the "vendor" directory in the main PrestaShop folder and inside each of your modules:

  • <prestashop_directory>/vendor
  • <prestashop_directory>/modules/<module_name>/vendor

If there is a directory called "phpunit" within the above directories, your shop may be vulnerable.

Under Linux, list every matching directory first (replace /path/to/your/shop with your web root):

find /path/to/your/shop -type d -name phpunit

Once you have reviewed the list, the same search can remove all of them in one go with the following command (-prune keeps find from descending into a directory it is about to delete):

find /path/to/your/shop -type d -name phpunit -prune -exec rm -rf {} +

This command requires the appropriate user rights.

You can also manually delete "phpunit" folders via FTP.
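As an added example (not part of the original article or of PrestaShop's own tooling), the following POSIX shell script performs the checks above in one go. It assumes the shop root is passed as its first argument; it lists every phpunit directory under the core vendor/ and under each module's vendor/, looks for the malicious file names quoted later on this page, and, instead of deleting the directories outright, moves them out of the web root into a quarantine directory so that the evidence survives for incident analysis. The function names and the quarantine layout are my own choices.

```shell
#!/bin/sh
# Added example for this article, not PrestaShop's own tooling.
# Usage: sh audit_phpunit.sh /path/to/shop [/path/to/quarantine]
# Assumptions: POSIX sh with find and mv; the shop root is the first
# argument; the quarantine directory lies OUTSIDE the web root (otherwise
# the moved files stay reachable over HTTP).

# Malicious file names listed by the advisory (non-exhaustive).
# "f.php" is a generic name: treat a hit as a lead to inspect, not as proof.
IOC_NAMES="XsamXadoo_Bot.php XsamXadoo_deface.php 0x666.php f.php"

# List every "phpunit" directory below the shop root, one per line.
# Searching recursively from the root covers both <shop>/vendor and
# <shop>/modules/<module>/vendor. -prune stops find from descending into a
# hit, so vendor/phpunit is reported once instead of once per sub-package
# (phpunit/phpunit, phpunit/php-code-coverage, ...).
find_phpunit_dirs() {
    find "$1" -type d -name phpunit -prune -print 2>/dev/null | sort
}

# List every file below the shop root whose name is one of the known IOCs.
find_ioc_files() {
    shop="$1"
    for name in $IOC_NAMES; do
        find "$shop" -type f -name "$name" -print 2>/dev/null
    done | sort
}

# Exit status 0 when anything suspicious was found, 1 when the tree is clean.
shop_looks_affected() {
    dirs=$(find_phpunit_dirs "$1" | wc -l | tr -d ' ')
    files=$(find_ioc_files "$1" | wc -l | tr -d ' ')
    [ "$dirs" -gt 0 ] || [ "$files" -gt 0 ]
}

# Move every phpunit directory out of the web root, keeping its relative
# path under the quarantine directory (so you can still tell which module it
# came from). This removes the attack surface just like "rm -rf" would, but
# keeps the files: timestamps and any dropped payloads are evidence.
quarantine_phpunit_dirs() {
    shop="$1"; quarantine="$2"
    ( cd "$shop" && find . -type d -name phpunit -prune -print 2>/dev/null ) |
    while IFS= read -r rel; do
        mkdir -p "$quarantine/$(dirname "$rel")"
        mv "$shop/$rel" "$quarantine/$rel"
    done
}

# Stand-alone use: report, and quarantine if a second argument is given.
if [ -n "${1:-}" ]; then
    echo "== phpunit directories under $1"; find_phpunit_dirs "$1"
    echo "== known malicious file names under $1"; find_ioc_files "$1"
    if [ -n "${2:-}" ] && shop_looks_affected "$1"; then
        quarantine_phpunit_dirs "$1" "$2"
        echo "== moved phpunit directories to $2"
    fi
fi
```

Run it once without a quarantine argument to see what it would touch, then with one. PHPUnit normally belongs to a project's development-only dependencies, so a production shop has no legitimate need for it: the fixed modules listed later on this page drop it entirely, and if you build modules yourself, `composer install --no-dev` keeps it out of the shipped vendor directory.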

Be aware that even if you do this cleaning, your shop may already have been compromised.

According to our analysis, most attackers place new files in the file system or modify existing files, such as AdminLoginController.php.

Here is a non-exhaustive list of known malicious files that may indicate a compromised store:

  • XsamXadoo_Bot.php
  • XsamXadoo_deface.php
  • 0x666.php
  • f.php

You can check whether core PrestaShop files have been changed by looking at the "List of changed files" section at the bottom of the Information page (under Advanced Parameters) in your Back Office. This check alone is not sufficient: it covers only core files, so a file the attacker added, or a modified module or theme file, will not appear there, and your site may have been compromised in other ways.
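As an added example (not code from the article or from PrestaShop), here is a POSIX shell integrity check that keeps your own baseline of every file in the shop tree and reports modified, missing and added files, which is exactly where the Back Office list falls short: it compares core files against reference checksums, so a file dropped under modules/ or img/ never shows up there. It assumes sha256sum and awk as found in GNU coreutils or busybox; the file layout and function names are mine.

```shell
#!/bin/sh
# Added example for this article, not PrestaShop's own tooling.
# Usage: sh integrity.sh baseline /path/to/shop /safe/place/baseline.sha256
#        sh integrity.sh check    /path/to/shop /safe/place/baseline.sha256
# Assumptions: sha256sum and awk as in GNU coreutils or busybox; the
# baseline file is written to and later read from OUTSIDE the web root,
# since an attacker who can write to the shop could otherwise rewrite it.

# Record "<sha256>  <relative path>" for every regular file under the shop
# root. Take it right after a clean install or upgrade, before going live.
make_baseline() {
    shop="$1"; baseline="$2"
    ( cd "$shop" && find . -type f -exec sha256sum {} + ) > "$baseline"
}

# Rehash the tree and compare it with the baseline. Prints one sorted line
# per difference:
#   MODIFIED ./path   hash differs (e.g. a backdoored AdminLoginController.php)
#   ADDED ./path      not in the baseline (e.g. a dropped 0x666.php)
#   MISSING ./path    in the baseline but gone from disk
# Exit status is 0 in every case; the caller counts the lines.
check_baseline() {
    shop="$1"; baseline="$2"
    ( cd "$shop" && find . -type f -exec sha256sum {} + ) |
    awk -v base="$baseline" '
        # sha256sum lines are "<64 hex chars><two spaces><path>"
        BEGIN {
            while ((getline line < base) > 0)
                want[substr(line, 67)] = substr(line, 1, 64)
            close(base)
        }
        {
            path = substr($0, 67); hash = substr($0, 1, 64); seen[path] = 1
            if (!(path in want))          print "ADDED " path
            else if (want[path] != hash)  print "MODIFIED " path
        }
        END { for (p in want) if (!(p in seen)) print "MISSING " p }
    ' | LC_ALL=C sort
}

# Stand-alone use.
case "${1:-}" in
    baseline) make_baseline "$2" "$3" ;;
    check)    check_baseline "$2" "$3" ;;
esac
```

Refresh the baseline after every legitimate update (core, module or theme) so that the next check reports only what you did not do yourself; an "ADDED" PHP file under a path that should never receive uploads, such as img/ or a module directory, deserves immediate inspection.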

If your shop has been compromised or you think it has been compromised:

  • Carefully check that the attacker has left no files on your server, for example hidden among your shop's own files, or contact an expert to do it for you.
  • Consider asking all users of your store(s) to change their password, back-office users as well as customer accounts. Make sure there are no compromised files left in your store before doing so, otherwise the new passwords can be captured in turn.

If you think your site has been hacked, contact us!

The list of impacted modules (not exhaustive, updated live)

The following modules are impacted:

  • 1-Click Upgrade (autoupgrade): versions 4.0 beta and later
  • Cart Abandonment Pro (pscartabandonmentpro): versions 2.0.1-2.0.2
  • Faceted Search (ps_facetedsearch): versions 2.2.1-3.0.0
  • Merchant Expertise (gamification): versions 2.1.0 and later
  • PrestaShop Checkout (ps_checkout): versions 1.0.8-1.0.9

PrestaShop has released updated versions of these modules that completely remove the library from their dependencies:

  • 1-Click upgrade: v4.10.1
  • Cart Abandonment Pro: v2.0.10
  • Faceted Search: v3.4.1
  • Merchant Expertise: v2.3.2
  • PrestaShop Checkout: v1.2.9

Be aware that if you have installed an impacted version of these modules in the past, PHPUnit files may still be present on your server. Only these newly released versions ensure that PHPUnit is no longer present in their own vendor directory.

Modules and themes from other providers may also be vulnerable. Expect updates to follow soon.

