Critical PrestaShop vulnerability CVE-2017-9841: identifying and fixing
31/10/2021
The vulnerability registered as CVE-2017-9841 is critical: it allows arbitrary PHP code to be executed on a server via an HTTP POST request to the eval-stdin.php file whose request body begins with the <?php substring. The eval-stdin.php file was shipped in earlier versions of PHPUnit and may still be present on older sites (old PrestaShop and/or old modules), so the vulnerability remains relevant for them. An example of where such a file is located: /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php.
Conditions for remote command execution on a server running vulnerable PrestaShop or modules:
- The presence of the eval-stdin.php file and access to it.
- Suitable conditions for a successful attack, which depend on the PHPUnit version (the version of the eval-stdin.php file) and the server configuration.
Fixed versions of modules known to have had this vulnerability:
- 1-Click upgrade: v4.10.1 (Developer: PrestaShop)
- Abandonment Cart Pro: v2.0.10 (Developer: PrestaShop)
- Faceted Search: v3.4.1 (Developer: PrestaShop)
- Merchant Expertise: v2.3.2 (Developer: PrestaShop)
- PrestaShop Checkout: v1.2.9 (Developer: PrestaShop)
How to fix the vulnerability:
- If your site has not yet been successfully attacked, remove all eval-stdin.php files from your site's subdirectories and make sure the file is not brought back when a module is updated.
- Removing the eval-stdin.php file is not enough if an attacker has already uploaded scripts to the site or modified its source files. In that case you need to check all site files: compare them with the files of the PrestaShop distribution of the same version (and do the same for every module), and also review the files that exist on your site but are not present in the distributions.
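The two checks above, as an added example that is not part of the original post or of any PrestaShop module: the first function locates every eval-stdin.php under a site root, the second compares a site tree against a clean distribution tree of the same version and reports modified and extra files. Paths and sample files are assumptions for illustration.

```python
import hashlib
import os
import sys
from pathlib import Path

TARGET = "eval-stdin.php"  # PHPUnit helper the advisory tells you to remove


def find_eval_stdin(site_root):
    """Return every eval-stdin.php found anywhere under site_root.
    Its presence is the first condition for exploitation named above."""
    hits = []
    for dirpath, _dirs, files in os.walk(site_root):
        if TARGET in files:
            hits.append(os.path.join(dirpath, TARGET))
    return sorted(hits)


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_with_distribution(site_root, dist_root):
    """Compare a site tree with a clean distribution tree of the same version.
    Returns (modified, extra): files whose content differs from the distribution
    copy, and files present on the site but absent from the distribution. A
    web shell or a patched core file would show up in one of these lists."""
    site_root, dist_root = Path(site_root), Path(dist_root)
    modified, extra = [], []
    for dirpath, _dirs, files in os.walk(site_root):
        for name in files:
            site_file = Path(dirpath) / name
            rel = site_file.relative_to(site_root).as_posix()
            dist_file = dist_root / rel
            if not dist_file.is_file():
                extra.append(rel)
            elif _sha256(site_file) != _sha256(dist_file):
                modified.append(rel)
    return sorted(modified), sorted(extra)


if __name__ == "__main__":  # usage: script.py <site_root> <distribution_root>
    print("eval-stdin.php files:", find_eval_stdin(sys.argv[1]))
    mod, ext = compare_with_distribution(sys.argv[1], sys.argv[2])
    print("modified:", mod)
    print("not in distribution:", ext)
```

Review every reported file by hand before deleting it: a legitimately customised template will appear as "modified" just like a tampered one.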
Known vulnerabilities, including this one, can be identified with the free «Tool for maintenance & debug» module. As of today's update, it uses the «Security vulnerability checker» library code.
Where can you get help fixing the problem? You can use the service «One working hour of PrestaShop programmer» or «Upgrade PrestaShop to the newest version».
To stay up to date with PrestaShop security issues, subscribe to our newsletter.