
Critical security vulnerability detected (CVE-2018-19126)

22/01/2019

The vulnerability is registered as CVE-2018-19126. It is rated critical and allows execution of operating-system commands on the server (in practice, an attacker takes control of the machine). Two further vulnerabilities were found alongside it: CVE-2018-19125 and CVE-2018-19124.

Conditions for remote command execution on a computer running a vulnerable PrestaShop:

  1. The PHP phar extension has its «read only» mode turned off, i.e. phar.readonly = Off in php.ini.
  2. The attacker knows the URL of the back office and the login / password of any account (for example, a demonstration account, or even an account with no permissions).

Fixed PrestaShop versions (no longer vulnerable): 1.7.4.4 and newer, 1.6.1.23 and newer.
How to secure your PrestaShop if you cannot or do not plan to update yet:

  1. For the PHP phar extension, turn on «read only» mode, i.e. set phar.readonly = On in php.ini.
  2. Disable unused and untrusted back-office accounts and change the passwords of the accounts that remain in use.
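The two items above (the phar.readonly condition and its fix) as an added example; this script is not part of the original page and is not PrestaShop code. It is a POSIX shell script that reports the effective phar.readonly state of a php.ini file and rewrites the file so the directive reads On. The function names, the file path argument and the sample php.ini contents are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the advisory or from PrestaShop): audit and harden
# the phar.readonly directive in a php.ini file passed as the first argument.

# Print the effective phar.readonly state ("On" or "Off") for a php.ini file.
# PHP's built-in default is On, so an absent or commented-out directive means On.
# PHP reads 1/on/true/yes as On and 0/off/false/no/empty as Off (case-insensitive);
# the last live assignment in the file wins.
phar_readonly_state() {
    awk '
        BEGIN { state = "On" }                      # PHP default when absent
        {
            line = $0
            sub(/[[:space:]]*;.*$/, "", line)       # drop ; comments (whole-line or trailing)
            if (tolower(line) ~ /^[[:space:]]*phar\.readonly[[:space:]]*=/) {
                val = line
                sub(/^[^=]*=[[:space:]]*/, "", val) # keep only the value
                sub(/[[:space:]]+$/, "", val)
                sub(/^"/, "", val)
                sub(/"$/, "", val)
                val = tolower(val)
                state = (val == "1" || val == "on" || val == "true" || val == "yes") ? "On" : "Off"
            }
        }
        END { print state }
    ' "$1"
}

# Rewrite every live phar.readonly assignment to "phar.readonly = On";
# append the directive if the file has none. Uses a temp file rather than
# sed -i so it works with both GNU and BSD userlands.
harden_phar_readonly() {
    ini="$1"
    tmp="$ini.tmp.$$"
    awk '
        BEGIN { done = 0 }
        {
            line = $0
            sub(/[[:space:]]*;.*$/, "", line)
            if (tolower(line) ~ /^[[:space:]]*phar\.readonly[[:space:]]*=/) {
                print "phar.readonly = On"
                done = 1
                next
            }
            print
        }
        END {
            if (!done) {
                print ""
                print "; CVE-2018-19126 mitigation: do not let PHP write phar archives"
                print "phar.readonly = On"
            }
        }
    ' "$ini" > "$tmp" && mv "$tmp" "$ini"
}

# Stand-alone demonstration on a constructed php.ini (not a real server file).
demo_ini=$(mktemp)
printf '[PHP]\n; phar.readonly = On\nphar.readonly = Off ; weak setting\n' > "$demo_ini"
echo "before: phar.readonly is $(phar_readonly_state "$demo_ini")"   # Off
harden_phar_readonly "$demo_ini"
echo "after:  phar.readonly is $(phar_readonly_state "$demo_ini")"   # On
rm -f "$demo_ini"
```

Run it against the php.ini that the web SAPI actually loads, not only the CLI one: `php --ini` shows the CLI's loaded file, while PHP-FPM or mod_php may read a different php.ini (the «Loaded Configuration File» row of phpinfo() on the shop itself is authoritative). After editing, restart PHP-FPM or the web server and confirm with `php -i | grep phar.readonly` or a phpinfo() page that the value is On.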

The free security vulnerability checker will help you identify known vulnerabilities in your installation.

Where to go to fix the problem: use the «Programming Hour» service or the «Upgrade PrestaShop to the newest version» service.

To be aware of PrestaShop new security issues, subscribe to the newsletter.
