In light of a security issue we have been made aware of, today we are releasing several options to secure a store for our users and partners:
- New versions of PrestaShop 1.4.x and 1.5.x. Version 220.127.116.11 is safe.
- Patch files for the latest versions of each branch -- 18.104.22.168, 22.214.171.124, and 126.96.36.199.
- The Security Patch module, which applies the above patch files in a much more user-friendly way.
- Zip files of the changed files for the 1.4, 1.5, and 1.6 branches.
We strongly advise you to either upgrade your store to the latest version of your current branch which were just released (188.8.131.52 and 184.108.40.206), or to apply the fixes that we are providing (see the links below). Version 220.127.116.11 also fixes 17 other issues: see the changelog here. Version 18.104.22.168 also fixes 7 other issues: see the changelog here. Please read this whole article carefully. Thank you.
Which versions are affected?
The security issue that has been discovered affects all versions of PrestaShop, except version 22.214.171.124 and PrestaShop Cloud. Therefore, it affects branches 1.4.x, 1.5.x, and 1.6.x up to 126.96.36.199. In short, if you have not yet upgraded to PrestaShop 188.8.131.52, chances are that your store is vulnerable to this issue. Themes and modules are not affected, and should work as-is once you have installed the fix.
How can I fix my store / my clients’ stores?
For those who have not yet upgraded to PrestaShop 184.108.40.206, we are providing several ways to fix the issue:
- For non-technical people, we have created the Security Patch module, which will apply the fix for the latest versions of the 1.4, 1.5 and 1.6 branches. This means that it is guaranteed to work for PrestaShop 220.127.116.11, 18.104.22.168, and 22.214.171.124. The module works for all three branches: just install it and activate it, and it will apply the patch!
- For technical people, or those for whom the module cannot apply the patch, you can get a patch for the latest versions of each branch (1.4, 1.5, 1.6) right on GitHub (click here for the links). Just like the module, these patches only work with the latest version of each branch, namely 126.96.36.199, 188.8.131.52, and 184.108.40.206, and no other -- not without changes on your part, anyway. If your store is not up to date on the latest branch (1.6), we strongly suggest to update to the latest version of your branch before applying the patch If you cannot upgrade, it is up to you to adapt the patch file to your specific situation.
- Also, you can download the updated file archives for branches 1.4, 1.5 and 1.6. They contain only the files that have been changed since the latest version of each branch. Click here for the links. If you haven’t made changes to these files yourself, you can just replace your old files with the new ones.
Finally, the 1.5.x and 1.4.x branches have been updated. As of today, you can download PrestaShop 220.127.116.11 and 18.104.22.168 from the download page for previous versions. Since version 22.214.171.124 contains the fix for the 1.6 branch, we are not releasing a 126.96.36.199 version. Please upgrade! In effect, the module applies the patches for each branch, which were design to work on the latest versions: 188.8.131.52, 184.108.40.206, 220.127.116.11. Therefore, it might not work for older versions. If you are in this situation, we have written a quick guide on how to apply the patch manually. In any case, we do suggest that you always keep your store updated with the latest and most secure version of PrestaShop: at best, 18.104.22.168; at worst, the last version of 1.5 or 1.4 branch. For those of you who have heavily customized the Core files, please take all precautions before installing the module, before merging the patches, or before uploading the changed files! You might have to adapt the patch to your specific installation. Please note that the module will not work in all Windows server configurations, and some limited Linux configurations. In those cases, it is up to you to adapt the patch to your specific configuration. Please see the instructions on this text file.
I use an old version of PrestaShop, what can I do?
The module works for recent versions of the 1.4, 1.5 and 1.6.0 branches. Earlier versions of these branches should work too, although the oldest might have issues. The module will not work for PrestaShop 1.0, 1.1, 1.2 nor 1.3. If you have an older version of PrestaShop, our best and most frequent advice is to update you store. You should at least be at version 1.4 of PrestaShop, since older versions will not see any more updates -- the 1.3 branch, for instance, has not received any update since March 2011, more than four years ago. We understand some of you might be blocked in such an old version. For that purpose, we have recently published an article listing 4 easy ways anyone could secure their store. In summary, the 4 ways to secure your store are:
- Keeping your store up to date with the latest version, as well as all your modules.
- Protecting your back office folder with an .htaccess password.
- Using a non-regular name for your back office folder (ie., something more unique than /admin1234).
- Using more complex passwords, or even passphrases that are unique to your store.
Please go read the entire article right now! More easy-to-apply advice is available in our “Making your PrestaShop installation more secure” documentation page. If you really want to apply the fix to your store yourself, you may try by following our quick guide on how to apply the patch manually.
What is the issue about?
The issue that was found deals with the randomness of the password generation algorithm. This could possibly lead to a malicious hacker getting access to the store’s back office. The potential attack is non-trivial, but we’d rather be safe about this.
How was the issue discovered and resolved?
The issue was discovered by security consultant Vincent Herbulot (@us3r777), who contacted us directly on email@example.com under the “responsible disclosure” model. Thank you Vincent! The issue was fixed by our own security team, with help from Vincent. The module was created by our Core developers.
What is responsible disclosure?
Responsible (and private) disclosure is a standard practice when someone encounters a security problem: before making it public, the discoverer informs the Core team about it, so that a fix can be prepared, and thus minimize the potential damage. The PrestaShop team tries to be very proactive when preventing security problems. Even so, critical issues might surface without notice. This is why we have set up the firstname.lastname@example.org email address: anyone can privately contact us with all the details about issues that affect the security of PrestaShop merchants or customers. Our security team will answer you, and discuss of a timeframe for your publication of the details. Understanding a security issue means knowing how the attacker got in and hacked the site. If you have those details, then please do contact us privately about it (and please do not publish those details). If you do not know how the attacker got it, please ask for help on the support forums.
What is PrestaShop’s process for dealing with security issues?
Thanks to our recent adoption of a SemVer-like versioning scheme and the continuing improvement of the 1-Click Module, we feel confident that the forthcoming patch versions of PrestaShop will be very easy upgrades for all users. Patch versions are for backwards-compatible bug fixes and security issues, and security fixes are to be released as soon as they are fixed. Together with a stronger internal protocol for security releases, we are confident that, should any further security issue arise in PrestaShop, our team will be able to release fixes much faster, and in a way that makes upgrading much safer for all up-to-date stores. At PrestaShop, we remain attached to keeping your stores and customers safe, and we take security very seriously. Thank you for your understanding of the issue that affects us today -- and thank you for the swift update of all the stores you are responsible for!