Rolige Posted September 14, 2020

Visual Composer: Page Builder for Prestashop is one of the most used modules for creating dynamic content in Prestashop stores. In fact, in addition to being able to be purchased individually, it is also included in countless themes for the platform. Beyond the proven usefulness and good opinions that this module has, it is not sold directly in Prestashop Addons. Why is such a famous module not on the official module platform for Prestashop? Well, we have found an important SECURITY BUG, and perhaps elements like this could be one of the causes.

First let's clarify, so that there is no confusion with its title, that it is the module whose folder is called "jscomposer".

This module has its own library for managing images (uploading, renaming, deleting, creating folders, etc.). This library is similar to the one used by Prestashop to perform the same function, with one fundamental difference: the jscomposer library DOES NOT HAVE ANY SECURITY VALIDATION. In other words, anyone from anywhere on the internet, without even being authenticated in the front or back office of the store, can access the content of the images and manipulate them.

Still don't believe it? How can you know if this security hole is affecting your store? It is easy to check. If, when entering this path of your store, you can see the image manager, then your store may be in trouble:

https://myshopurl.com/modules/jscomposer/views/dialog.php

And worst of all, the module doesn't even have to be active in the store. The fact that the file exists is enough.

Why all the fuss over a few image files? Well, beyond the fact that any hacker can delete your images uploaded to the module, there is a much worse problem. There are bots that are scanning the web for known vulnerabilities in websites. And in the case of Prestashop we have already known of cases where some “intelligent” hacker has a bot that uploads a PHP script to the store by removing the .php extension first. For the image manager this is like uploading a new folder, then renaming the file and giving it the .php extension correctly. And basically, if you manage to upload an external PHP file to a store you can do whatever you want with the store, from deleting all the files and DBs to hijacking them by encrypting them and then asking for a ransom to restore them.

But beyond the scare... How do I solve this big problem? You can find the answer step by step on our blog:

https://www.rolige.com/en/blog/tips-prestashop/security-breach-in-visual-composer-module-solution

Keep safe, fellows. Regards
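A defender-side check added here (not code from the post or from the module): it scans web-server access log lines for hits on the jscomposer image manager and for the upload-then-rename-to-.php sequence the post describes. The log lines are constructed, and the query-string names `action=upload`, `action=rename` and `new_name` are assumptions for the sample, not the module's real parameters.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format. Captures client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
MANAGER_PREFIX = "/modules/jscomposer/views/"   # directory holding dialog.php (from the post)

# Constructed sample: one client loads the manager, uploads, then renames to .php;
# a second client is refused with 403 (a patched or blocked store).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Sep/2020:20:47:01 +0200] "GET /modules/jscomposer/views/dialog.php HTTP/1.1" 200 5123
203.0.113.7 - - [14/Sep/2020:20:47:09 +0200] "POST /modules/jscomposer/views/dialog.php?action=upload HTTP/1.1" 200 48
203.0.113.7 - - [14/Sep/2020:20:47:15 +0200] "GET /modules/jscomposer/views/dialog.php?action=rename&file=img.jpg&new_name=img.php HTTP/1.1" 200 48
198.51.100.2 - - [14/Sep/2020:21:02:30 +0200] "GET /index.php?controller=product&id_product=12 HTTP/1.1" 200 23011
198.51.100.2 - - [14/Sep/2020:21:03:00 +0200] "GET /modules/jscomposer/views/dialog.php HTTP/1.1" 403 199
"""

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan(lines):
    """Return (signal, client_ip, timestamp) findings for a batch of log lines.

    'exposed'    - a GET for dialog.php answered 200: the manager loaded without a
                   back-office login, so every such hit deserves review.
    'php_rename' - the same client first POSTs to the manager (an upload) and later
                   renames something so that its name ends in '.php' (assumed parameter names).
    """
    findings = []
    posted = defaultdict(bool)   # client IP -> has already POSTed to the manager
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["path"].startswith(MANAGER_PREFIX):
            continue
        path = rec["path"]
        if rec["method"] == "GET" and path.split("?")[0].endswith("dialog.php") and rec["status"] == "200":
            findings.append(("exposed", rec["ip"], rec["ts"]))
        if rec["method"] == "POST":
            posted[rec["ip"]] = True
        if "action=rename" in path and re.search(r"new_name=[^&]*\.php(?:&|$)", path, re.I):
            if posted[rec["ip"]]:
                findings.append(("php_rename", rec["ip"], rec["ts"]))
    return findings

if __name__ == "__main__":
    for signal, ip, ts in scan(SAMPLE_LOG.splitlines()):
        print(f"{signal:10s} {ip:15s} {ts}")
```

Point it at a real access log with `scan(open(path))`; a 403 or redirect on dialog.php means the file is blocked, a 200 means the post's "easy check" would show the manager.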
SmartDataSoft Posted November 25, 2020

On 9/14/2020 at 8:47 PM, Rolige said:
[quotes Rolige's post above]

Thank you for your post. This issue is fixed in our latest release, 4.4.18, so users are not able to access the file without admin login. Thank you for your help.