
Critical PrestaShop vulnerability

23/07/2022

The vulnerability (or set of vulnerabilities) allows arbitrary code to be executed on the server hosting the website. Presumably affected PrestaShop versions: 1.6.0.10 through 1.7.8.1 inclusive.

One of the vulnerable modules: blockwishlist (in the back-office it is displayed as "Wishlist" or "My wishlist"). Vulnerable versions: 2.0.0 and 2.1.0.

Apparently there are further vulnerabilities that have not yet been analysed. The PrestaShop team cannot provide more information yet, but is preparing a PrestaShop release with fixes. Until then there is no complete information on how attackers are compromising sites, so for the moment you can only rely on your own resources.

According to the PrestaShop team, one of the attackers' goals is to replace the form on the checkout page in order to steal your customers' bank card details (such cases have been found). But with a vulnerability of this kind an attacker can do anything with any PrestaShop file and with the site database, and possibly more, depending on the privileges of the operating-system user under which the web server runs.

How do you know if your site has already been attacked?

  1. You notice unusual behavior on your site (changes in checkout pages, etc.).
  2. PrestaShop files have been changed.

To find out which PrestaShop files have been modified, go in the back-office to "Tools (or Advanced parameters) / Configuration Information", scroll to the very bottom of the page and examine the "List of changed files" section. Your own programmers may have changed PrestaShop files themselves, in which case you should know from your task history which files were changed on purpose. If neither you nor your programmers have changed PrestaShop files, it is likely that one of the vulnerabilities has already been exploited on your site. Please note that malicious code can alter the information shown in this section of the back-office, so it should not be trusted completely. For a more reliable check you can use the "Store code change scanner" module to find changed and new files and see the specific code changes, but such a module must be installed in advance.

You can be certain that your site has been hacked if the modified PrestaShop files contain BASE64-encoded text together with the PHP function eval. Please also note that this applies to the files of the PrestaShop system itself: some modules from third-party developers may legitimately contain calls to the PHP functions base64_decode and eval (typically when the module developer uses code obfuscation to protect the module against unlicensed copying). If you suspect something is wrong with such a module, contact its developers.

Some users reported that they found unauthorized changes to files:

  • /classes/controller/Controller.php
  • /classes/Db/Db.php
  • /classes/module/Module.php
  • /controllers/admin/AdminLoginController.php
  • /controllers/front/IndexController.php

As well as the appearance of new files (your file names may be different):

  • /app/Mage.php
  • /blm.php
  • /js/IzfhY.js

If you find such new suspicious files, save them together with their locations on your server, then hand that information to a programmer who can help analyse them. Only then remove the files from your server.
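The check described above (core files containing eval, base64_decode, or long base64 blobs, with the modules directory excluded because licensed modules may use those calls legitimately) can be automated. The following scanner is an added example written for this article, not code from PrestaShop or from the marketplace; the directory layout, the 80-character blob threshold and the sample files it builds are assumptions, and the "payload" it plants is a harmless constructed placeholder.

```python
import base64
import os
import re
import tempfile
from pathlib import Path

# Indicators the article names for injected code in PrestaShop core files.
EVAL_RE = re.compile(r"\beval\s*\(")
B64_CALL_RE = re.compile(r"\bbase64_decode\s*\(")
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")  # long base64 run = encoded blob
SKIP_DIRS = {"modules"}  # licensed third-party modules may legitimately use these calls
SCAN_EXT = (".php", ".js")

def scan_file(path):
    """Return the indicator names found in one file (empty list means nothing suspicious)."""
    try:
        text = Path(path).read_text(errors="replace")
    except OSError:
        return []
    checks = (("eval", EVAL_RE), ("base64_decode", B64_CALL_RE), ("base64-blob", B64_BLOB_RE))
    return [name for name, rx in checks if rx.search(text)]

def scan_shop(root):
    """Walk a PrestaShop root; map relative path -> indicators for every flagged file."""
    root = Path(root)
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if Path(dirpath) == root:  # prune skipped top-level directories
            dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            if name.endswith(SCAN_EXT):
                p = Path(dirpath) / name
                hits = scan_file(p)
                if hits:
                    findings[p.relative_to(root).as_posix()] = hits
    return findings

def build_sample_shop():
    """Create a constructed mini shop tree (not a real PrestaShop) and return its path."""
    root = Path(tempfile.mkdtemp(prefix="ps_scan_"))
    blob = base64.b64encode(b"echo 'constructed harmless placeholder string, not a real payload';").decode()
    files = {
        # injected core file: eval + base64 blob, the pattern the article describes
        "classes/Db/Db.php": "<?php\nclass Db {}\neval(base64_decode('" + blob + "'));\n",
        "controllers/front/IndexController.php": "<?php\nclass IndexController {}\n",
        # third-party module calling base64_decode legitimately: must not be flagged
        "modules/licensedmod/licensedmod.php": "<?php\n$c = base64_decode('QUJD');\n",
    }
    for rel, content in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(content)
    return str(root)
```

Run scan_shop() against the real shop root and treat every flagged file as a candidate for the manual comparison with a clean PrestaShop copy described above; minified JavaScript libraries can trigger the blob check, so the list is a triage list, not proof.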

Recommendations from the PrestaShop team:

  1. Update PrestaShop and all modules to the latest version.
  2. Open the "config/smarty.config.inc.php" file and remove the following lines (this disables the MySQL Smarty cache):
if (Configuration::get('PS_SMARTY_CACHING_TYPE') == 'mysql') {
    include _PS_CLASS_DIR_.'Smarty/SmartyCacheResourceMysql.php';
    $smarty->caching_type = 'mysql';
}

If you find that your site has been attacked and you need help, contact a programmer on our marketplace who also deals with fixing vulnerabilities.

Optional: vulnerability information from the PrestaShop team.

Peace for everyone.
