Critical security vulnerability detected (CVE-2018-19126)

22/01/2019

The vulnerability is registered under the number CVE-2018-19126. It is the critical vulnerability and allows to execute command line commands (i.e., in fact, an attacker can control a computer). Together with it two more vulnerabilities were found: CVE-2018-19125, CVE-2018-19124.

Conditions for remote command execution on a computer with a vulnerable PrestaShop:

1. The PHP phar extension has «read only» mode turned off, i.e.: phar.readonly = Off
2. The attacker knows the URL to the back office and the login / password for any account (for example, an account for demonstration access or even without permissions).

The corrected versions of PrestaShop (without vulnerability): 1.7.4.4 and newer, 1.6.1.23 and newer.
How to secure your PrestaShop if you are not planning to update or cannot yet?:

1. For PHP phar extension, enable the «read only» mode, i.e.: phar.readonly = On
2. Disable unused and untrusted accounts; change the passwords of the used accounts.

Known vulnerabilities, including this one, can be identified by the free «Tool for maintenance & debug» module or free «Security vulnerability checker» script.

Where can you go to fix the problem? You can use the service «One working hour of PrestaShop programmer» or «Upgrade PrestaShop to the newest version».

To stay up to date with PrestaShop security issues, subscribe to our newsletter.

All News