We invite developers to publish modules and templates on this site!
Your shopping cart is empty

Categories

Payment
Shipping and Pickup
Product page
Frontend features
Express order checkout
Third-party data integration
Import and Export data
Administrative features
Promotions and Marketing
SEO
Customization
Tools (scripts)
Services
Programming
Free modules
Free themes (templates)

Information

About us
Terms and conditions of use
Payment and delivery
Documentation for PrestaShop
For developers

News

Show all news

Newsletter

Please, Log-in to subscribe to newsletter.

Create your online shop on PrestaShop

Critical PrestaShop vulnerability CVE-2017-9841: identifying and fixing

31/10/2021

The vulnerability, registered under number CVE-2017-9841, is critical and allows arbitrary PHP code to be executed on a server via an HTTP POST request to the eval-stdin.php file, where a data in a request begins with the <?php substring. The eval-stdin.php file was shipped in earlier versions of PHPUnit and may be present on older sites (with old PrestaShop and/or old modules), so the vulnerability remains relevant for them. An example of the location of such a file: /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php.

Conditions for remote execution of commands on a computer with vulnerable PrestaShop or modules:

  1. The presence of the eval-stdin.php file and access to it.
  2. Suitable conditions for a successful attack, which depend on PHPUnit version (version of the eval-stdin.php file) and a server configuration.

Fixed versions of modules known to had this vulnerability:

  1. 1-Click upgrade: v4.10.1 (Developer: PrestaShop)
  2. Abandonment Cart Pro: v2.0.10 (Developer: PrestaShop)
  3. Faceted Search: v3.4.1 (Developer: PrestaShop)
  4. Merchant Expertise: v2.3.2 (Developer: PrestaShop)
  5. PrestaShop Checkout: v1.2.9 (Developer: PrestaShop)

How to fix the vulnerability:

  1. If your site has not yet been successfully attacked, then you need to remove all the eval-stdin.php files from your site subdirectories and ensure that this file is not loaded again when some module is updated.
  2. Removing the eval-stdin.php file is not enough if an attacker has already uploaded some scripts to a site or made corrections to the source files of your site. In this case, you need to check all the site files - compare them with the files of the PrestaShop distribution of the same version (check the same with all modules), and also check the files that exist on your site, but are not present in the distributions.

Known vulnerabilities, including this one, can be identified by the free «Tool for maintenance & debug» module. In today's update, it is using the «Security vulnerability checker» library code.

Where can you go to fix the problem? You can use the service «One working hour of PrestaShop programmer» or «Upgrade PrestaShop to the newest version».

To stay up to date with PrestaShop security issues, subscribe to our newsletter.

All News

 
 
© 2010–2024 ModuleZ LLC
Price drop New products Best sellers