
[FREE MODULE] Fix Major Security Vulnerability on PrestaShop Websites


Major Security Vulnerability on PrestaShop Websites

A newly found exploit could allow remote attackers to take control of your shop

Read more about it here: https://build.prestashop.com/news/major-security-vulnerability-on-prestashop-websites/.

This module can scan your website for the vulnerability and help you get a safe environment.

The module is also designed to remove malware from infected websites!

Step 1: Download the latest version of the module: https://github.com/MathiasReker/blmvuln/releases/latest

(Or direct: blmvuln.zip)

Step 2: Install the module on your PrestaShop website.

Step 3: Open the module and click on "Run the cleaning process".

That's it!

The module requires PrestaShop 1.6.1+ and PHP 7.0.


26 minutes ago, travisdk said:

Dear Mathias,

Any chance you could do a 1.6.x compatible version? - or give me some hints to do this myself?
Many thanks anyway for your effort!!

Regards

Henrik

Hello Henrik

I have added the feature request to the backlog.

Best regards
Mathias


  • MathiasReker changed the title to [FREE MODULE] Fix Major Security Vulnerability on PrestaShop Websites
1 hour ago, MathiasReker said:

The module is now compatible with PrestaShop 1.6.1+ 🙂

Thanks a lot Mathias, 
Does this effectively close the security hole or is this still pending further investigation??
Regards Henrik


Any idea what's going on? I get this on module install. PS 1.6.1.3

I tried turning off cache and dropping in the zip to the modules dir and extracting it from my hosting but still same issue.

I mod'd this in smarty.config.inc.php:

/* Fixes: CVE-2022-31101

if (Configuration::get('PS_SMARTY_CACHING_TYPE') == 'mysql') {
    include(_PS_CLASS_DIR_.'/SmartyCacheResourceMysql.php');
    $smarty->caching_type = 'mysql';
}
*/

 

Will that fix it?


2 hours ago, bnadauld said:

Any idea what's going on? I get this on module install. PS 1.6.1.3

I tried turning off cache and dropping in the zip to the modules dir and extracting it from my hosting but still same issue.

I mod'd this in smarty.config.inc.php:

/* Fixes: CVE-2022-31101

if (Configuration::get('PS_SMARTY_CACHING_TYPE') == 'mysql') {
    include(_PS_CLASS_DIR_.'/SmartyCacheResourceMysql.php');
    $smarty->caching_type = 'mysql';
}
*/

 

Will that fix it?

Hello. I guess you are running PHP 5.6. The minimum PHP version for this module is PHP 7.0


1 hour ago, MathiasReker said:

Hello. I guess you are running PHP 5.6. The minimum PHP version for this module is PHP 7.0

I am running 5.6. Damn it.

 

If I remove:

if (Configuration::get('PS_SMARTY_CACHING_TYPE') == 'mysql') {
    include(_PS_CLASS_DIR_.'/SmartyCacheResourceMysql.php');
    $smarty->caching_type = 'mysql';
}

 

Will that stop the hack if I haven't already been hit?


23 minutes ago, bnadauld said:

I am running 5.6. Damn it.

I used PrestaShop 1.6.1.4 and the shop worked smoothly with php 7.0 (without any modification). I don't think that there is a huge difference between 1.6.1.3 and 1.6.1.4 so give php 7.0 a try and you will also benefit from better performance.


7 hours ago, NSN said:

I used PrestaShop 1.6.1.4 and the shop worked smoothly with php 7.0 (without any modification). I don't think that there is a huge difference between 1.6.1.3 and 1.6.1.4 so give php 7.0 a try and you will also benefit from better performance.

Thank you for the info


8 hours ago, bnadauld said:

I am running 5.6. Damn it.

 

If I remove:

if (Configuration::get('PS_SMARTY_CACHING_TYPE') == 'mysql') {
    include(_PS_CLASS_DIR_.'/SmartyCacheResourceMysql.php');
    $smarty->caching_type = 'mysql';
}

 

Will that stop the hack if I haven't already been hit?

You can do this as a hotfix. It is not a patch. I recommend upgrading to PHP 7.0 anyway.
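
A check for the hotfix discussed above (added example, not part of the original posts and not the module's own code): it reports whether the block quoted from smarty.config.inc.php is still live code, and treats a copy wrapped in /* ... */ as disabled, which a plain text search would not. The function names and the three sample snippets are constructed for illustration.

```python
import re
import sys

# Simplified PHP lexer: string literals are kept, comments are blanked out.
# Heredocs and "?>" inside a line comment are not handled.
_TOKEN = re.compile(
    r"""
      (?P<string>'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")
    | (?P<block>/\*.*?(?:\*/|\Z))
    | (?P<line>(?://|\#)[^\n]*)
    """,
    re.S | re.X,
)
_ASSIGN = re.compile(r"caching_type\s*=\s*['\"]mysql['\"]")

# Constructed samples based on the block quoted in the thread.
ACTIVE = """<?php
$smarty->force_compile = false;
if (Configuration::get('PS_SMARTY_CACHING_TYPE') == 'mysql') {
    include(_PS_CLASS_DIR_.'/SmartyCacheResourceMysql.php');
    $smarty->caching_type = 'mysql';
}
"""
COMMENTED = """<?php
$smarty->force_compile = false;
/* Fixes: CVE-2022-31101

if (Configuration::get('PS_SMARTY_CACHING_TYPE') == 'mysql') {
    include(_PS_CLASS_DIR_.'/SmartyCacheResourceMysql.php');
    $smarty->caching_type = 'mysql';
}
*/
"""
# A "/*" inside a string must not hide the include that follows it.
TRICKY = """<?php
$a = '/*';
include(_PS_CLASS_DIR_.'/SmartyCacheResourceMysql.php'); // */
"""


def strip_php_comments(source):
    """Blank out comments but keep newlines so line numbers still match."""
    def repl(match):
        if match.group("string") is not None:
            return match.group("string")
        return "\n" * match.group(0).count("\n")
    return _TOKEN.sub(repl, source)


def find_active_mysql_cache(source):
    """Return 1-based line numbers where the MySQL Smarty cache is live code."""
    hits = []
    for number, line in enumerate(strip_php_comments(source).split("\n"), 1):
        if "SmartyCacheResourceMysql" in line or _ASSIGN.search(line):
            hits.append(number)
    return hits


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python check_smarty.py /path/to/config/smarty.config.inc.php
    with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
        lines = find_active_mysql_cache(handle.read())
    if lines:
        print("MySQL Smarty cache still active on line(s):", lines)
        sys.exit(1)
    print("No active MySQL Smarty cache code found.")
```
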


On 7/25/2022 at 11:29 AM, MathiasReker said:

Dear Mathias,

I get below error when installing v. 2.0.0 (on Presta v 1.6.1.24)

Previous version worked bar some false positive on infected files (clean non-public system).
Regards

Henrik

2 hours ago, travisdk said:

Dear Mathias,
You seem to be using a class (PhpEncryption) which isn't present in a Prestashop 1.6 installation AFAIK!?
Could it be fixed?
Regards

Henrik
 

You are right. I overlooked this 😕

What exact version of PrestaShop are you using?


Thanks for the module, slightly different approach than the patch suggested by PrestaShop team. I've fixed permissions yesterday and a new warning came up today:

The following file/folder permissions is insecure. They will be fixed by running the cleaning process:

/home/xxx/public_html/var/cache/prod/smarty/compile/36
/home/xxx/public_html/var/cache/prod/smarty/compile/36/38
/home/xxx/public_html/var/cache/prod/smarty/compile/36/38/e5
/home/xxx/public_html/var/cache/prod/smarty/compile/f3
/home/xxx/public_html/var/cache/prod/smarty/compile/f3/87
/home/xxx/public_html/var/cache/prod/smarty/compile/f3/87/c0
/home/xxx/public_html/var/cache/prod/smarty/compile/6b
/home/xxx/public_html/var/cache/prod/smarty/compile/6b/07
etc.
etc....
Not sure if that is fixable and if not, perhaps you can skip the check on the /var folder?

 


31 minutes ago, mr_absinthe said:

Thanks for the module, slightly different approach than the patch suggested by PrestaShop team. I've fixed permissions yesterday and a new warning came up today:

The following file/folder permissions is insecure. They will be fixed by running the cleaning process:

/home/xxx/public_html/var/cache/prod/smarty/compile/36
/home/xxx/public_html/var/cache/prod/smarty/compile/36/38
/home/xxx/public_html/var/cache/prod/smarty/compile/36/38/e5
/home/xxx/public_html/var/cache/prod/smarty/compile/f3
/home/xxx/public_html/var/cache/prod/smarty/compile/f3/87
/home/xxx/public_html/var/cache/prod/smarty/compile/f3/87/c0
/home/xxx/public_html/var/cache/prod/smarty/compile/6b
/home/xxx/public_html/var/cache/prod/smarty/compile/6b/07
etc.
etc....
Not sure if that is fixable and if not, perhaps you can skip the check on the /var folder?

 

Hello

This is already fixed in the latest version 🙂


17 minutes ago, travisdk said:

Hi Mathias, 
Is it fair to say your solution has gone from patching the SmartyCacheResourceMysql.php file to disabling the usage of the Smarty/MySQL caching feature altogether?
Regards

Henrik

Hello

Yes, patching the file is not a good solution as there are too many differences between the versions.

Also, caching on filesystem is faster than caching on mysql for the Smarty cache.


5 minutes ago, MathiasReker said:

Hello

Yes, patching the file is not a good solution as there are too many differences between the versions.

Also, caching on filesystem is faster than caching on mysql for the Smarty cache.

Sorry, I'm a bit confused. Does the new version of this plugin 'just' disable the SQL Smarty cache now? I don't use that feature and it's always been turned off. Can I still be exploited?

Thanks for your help!


Just now, bnadauld said:

Sorry, I'm a bit confused. Does the new version of this plugin 'just' disable the SQL Smarty cache now? I don't use that feature and it's always been turned off. Can I still be exploited?

Thanks for your help!

There is more to this than just disabling the feature. You must remove some lines of code from the Smarty configuration file. The module does this automatically.

The module scans the website for infected files and secure file permissions.


5 hours ago, Rayna Butler said:

Thanks for your work Mathias, much appreciated. Do you know there will be any patch fix for the blockwishlist module (v1.3.2) in PS 1.6.1.24 or is disabling the only option?

cheers

Dirk

The SQLi vulnerability is only present in the v.2.0.0-2.1.0 of the module. 🙂


Need response please:

 

Hi, I've got the module but today I've received a mail from malware alert:

Unfortunately, following a recent backup we detected malware on your site www.pianetasvapo.com on Thursday, July 28, 2022.

If you're running a CMS like Wordpress, Joomla or Drupal, you should restore your data prior to the latest backup date when malware was identified so you can have your website running up again. After restoring your data, please update it to the latest version and update everything related to it like themes, plugins, modules, libraries and such. If there are any websites running on the same hosting account, please update them as well.

Also, we strongly recommend you change all your passwords for FTP/SFTP and shell access.

If you're running a custom system or you would like additional information, please take a look at our Support Center.

Below is the malware report we generated:


{HEX}php.malware.magento.582 : home/...../public_html/modules/blmvuln/bin/1.7.3.3/
{HEX}php.malware.magento.585 : home/...../public_html/modules/blmvuln/src/resources/config/Config.php


3 hours ago, Pianetasvapo said:

Need response please:

 

Hi, I've got the module but today I've received a mail from malware alert:

Unfortunately, following a recent backup we detected malware on your site www.pianetasvapo.com on Thursday, July 28, 2022.

If you're running a CMS like Wordpress, Joomla or Drupal, you should restore your data prior to the latest backup date when malware was identified so you can have your website running up again. After restoring your data, please update it to the latest version and update everything related to it like themes, plugins, modules, libraries and such. If there are any websites running on the same hosting account, please update them as well.

Also, we strongly recommend you change all your passwords for FTP/SFTP and shell access.

If you're running a custom system or you would like additional information, please take a look at our Support Center.

Below is the malware report we generated:


{HEX}php.malware.magento.582 : home/...../public_html/modules/blmvuln/bin/1.7.3.3/
{HEX}php.malware.magento.585 : home/...../public_html/modules/blmvuln/src/resources/config/Config.php

Hello @pianetasvapo

The reports from codeguard are false positives.

`{HEX}php.malware.magento.582 : home/....../public_html/modules/blmvuln/bin/1.7.3.3/classes/module/Module.php`
This is an original file from PrestaShop 1.7.3.3. If I remove this file from the software package the module will no longer be compatible with PrestaShop 1.7.3.3.

`{HEX}php.malware.magento.585 : home/------/public_html/modules/blmvuln/src/resources/config/Config.php`
This file includes payloads to find the malware: https://github.com/MathiasReker/blmvuln/blob/develop/src/resources/config/Config.php#L170
If these are removed, the module will no longer be able to find it.

You can uninstall the module after running it once, but these warnings cannot be fixed.


I was sure of it but I wanted confirmation from you. What do you advise me to do? Can codeguard be reported as a false positive?

Or trivially can I ignore the report of codeguard? 

 

If I uninstall the module, could my site be under attack again?

Thank you


2 minutes ago, Pianetasvapo said:

I was sure of it but I wanted confirmation from you. What do you advise me to do? Can codeguard be reported as a false positive?

Or trivially can I ignore the report of codeguard? 

 

If I uninstall the module, could my site be under attack again?

Thank you

Hello

Codeguard can report false-positives.

The module does not work in real-time. It works when you run the scanner. In general, the module only needs to be run once. 🙂

You can uninstall the module and install it again if you would ever need it again

 


Can you confirm please what this module does? I see that it finds and removes infected files, but does it make changes so that the site cannot be attacked again? i.e. if my site has not been affected, will running this module prevent an attack in the future and resolve the security issue?


2 hours ago, babyewok said:

Can you confirm please what this module does? I see that it finds and removes infected files, but does it make changes so that the site cannot be attacked again? i.e. if my site has not been affected, will running this module prevent an attack in the future and resolve the security issue?

Don't worry. This module works well and everything is fine...

The module finds and replaces infected files. Then it removes the problematic little part of code in PrestaShop.

 

 


Hi,

Thanks for the module.

I see the message config/smarty.config.inc.php file needs correction, I feel it is part of the website code. I run the cleaning process and it works fine. I was worried the cleaning process would not create a problem because if any file gets deleted then it might create an error like 500 (internal server) on the website.

I think once in a month or weeks, I need to run the cleaning process again or the module will block future attacks on the website, please advise.

Attached is a screenshot for reference.

 

 


11 hours ago, babyewok said:

Can you confirm please what this module does? I see that it finds and removes infected files, but does it make changes so that the site cannot be attacked again? i.e. if my site has not been affected, will running this module prevent an attack in the future and resolve the security issue?

1) The files fixes the vulnerability, so you cannot get attacked from this attack.

2) If any infected files are found it will be solved.

3) If any permissions are insecure it will be solved.


59 minutes ago, Zohaib-fk said:

Hi,

Thanks for the module.

I see the message config/smarty.config.inc.php file needs correction, I feel it is part of the website code. I run the cleaning process and it works fine. I was worried the cleaning process would not create a problem because if any file gets deleted then it might create an error like 500 (internal server) on the website.

I think once in a month or weeks, I need to run the cleaning process again or the module will block future attacks on the website, please advise.

Attached is a screenshot for reference.

 

 


You just have to run the module once and then you can uninstall it 🙂


Thanks for answers

I think files and folder permissions on the hosting web account are set by module. I will keep it and run it once a month so that any file not part of PrestaShop or related found will be detected and removed.

I know one Wordpress plugin that sends an email to the owner or webmaster if any file, is not part of the website or suspicious found or any file or folder has wrong permissions like 777. This email notification makes the process automatic and helpful. If we could have a similar module then it would be good.


2 hours ago, Zohaib-fk said:

Thanks for answers

I think files and folder permissions on the hosting web account are set by module. I will keep it and run it once a month so that any file not part of PrestaShop or related found will be detected and removed.

I know one Wordpress plugin that sends an email to the owner or webmaster if any file, is not part of the website or suspicious found or any file or folder has wrong permissions like 777. This email notification makes the process automatic and helpful. If we could have a similar module then it would be good.

Hello

Cool feature, I will note this.

But it is out of scope for this module. 🙂

 


24 minutes ago, larentia said:

Hello Mathias,

I ran your module yesterday, it managed to correct some files but it doesn't do the job for these ones... I ran the module 3 times but it is always the same message. Could you please help me ?

thanks

Larentia


Try this module to correct file and folder permissions:

https://github.com/MathiasReker/filepermissions/releases/tag/1.0.2

Otherwise you would have to correct the permissions manually.
Directories with 755
Files with 644

Greetings.
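
For the manual route mentioned above, an audit script (added example, not part of the original post or of either module): it walks a directory tree, lists every directory that is not 755 and every file that is not 644, and corrects them only when asked. The function names are hypothetical; symlinks are skipped rather than followed.

```python
import os
import stat
import sys

DIR_MODE = 0o755   # directories, as given in the post above
FILE_MODE = 0o644  # files, as given in the post above


def audit_permissions(root, fix=False):
    """Return sorted (path, current_mode, wanted_mode) tuples for every
    directory under root that is not 755 and every regular file that is
    not 644. With fix=True each finding is also corrected with chmod.
    Symlinks and special files are skipped."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        entries = [(dirpath, DIR_MODE)]
        entries += [(os.path.join(dirpath, n), FILE_MODE) for n in filenames]
        for path, wanted in entries:
            try:
                info = os.lstat(path)
            except OSError:
                continue  # e.g. a cache file removed while we were walking
            if not (stat.S_ISDIR(info.st_mode) or stat.S_ISREG(info.st_mode)):
                continue
            current = stat.S_IMODE(info.st_mode)
            if current != wanted:
                findings.append((path, current, wanted))
                if fix:
                    os.chmod(path, wanted)
    return sorted(findings)


def writable_by_others(findings):
    """Subset of findings where group or world can write (777, 666, ...)."""
    return [item for item in findings if item[1] & 0o022]


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python audit_perms.py /path/to/shop [--fix]
    apply_fix = "--fix" in sys.argv[2:]
    results = audit_permissions(sys.argv[1], fix=apply_fix)
    for path, current, wanted in results:
        action = "fixed" if apply_fix else "found"
        print("%s %s: %o -> %o" % (action, path, current, wanted))
    print("%d entries differ, %d writable by group/world"
          % (len(results), len(writable_by_others(results))))
```
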


35 minutes ago, larentia said:

Hello Mathias,

I ran your module yesterday, it managed to correct some files but it doesn't do the job for these ones... I ran the module 3 times but it is always the same message. Could you please help me ?

thanks

Larentia


Somehow the module does not have permission to change the files.

You can ignore this problem as these are just tpl files.

You are all good 🙂


1 hour ago, MathiasReker said:

Somehow the module does not have permission to change the files.

You can ignore this problem as these are just tpl files.

You are all good 🙂

Thank you very much for your answer... in addition I checked in FTP.... I don't find these files ...strange...


5 hours ago, NSN said:

@MathiasReker After deinstallation and deleting the module, the link on the menu does remain. Not a big issue, but (imho) when the module gets deinstalled the link should be removed too.

Hello @NSN

This is a known issue. There is a workaround. Please read this: https://github.com/MathiasReker/blmvuln/issues/4

This is only a problem in PrestaShop 1.6. In PrestaShop 1.7 it works. I don't prioritize debugging this as there is a workaround, but I have left an open issue for anyone else to solve this. 🙂


  • 1 month later...
  • 3 weeks later...

I am trying to install the module ( 1.6.1.18 PHP 7.1 ) , but I am getting this error: 

 

[PrestaShop] Fatal error in module file :/home/******/public_html/******/shop/modules/blmvuln/blmvuln.php:
require_once(): Failed opening required '/home/****/public_html/****/shop/modules/blmvuln/vendor/autoload.php' (include_path='/home/****/public_html/********/shop/tools/htmlpurifier/standalone:.:/opt/cpanel/ea-php71/root/usr/share/pear')


On 10/7/2022 at 4:15 PM, juanmlg said:

I am trying to install the module ( 1.6.1.18 PHP 7.1 ) , but I am getting this error: 

 

[PrestaShop] Fatal error in module file :/home/******/public_html/******/shop/modules/blmvuln/blmvuln.php:
require_once(): Failed opening required '/home/****/public_html/****/shop/modules/blmvuln/vendor/autoload.php' (include_path='/home/****/public_html/********/shop/tools/htmlpurifier/standalone:.:/opt/cpanel/ea-php71/root/usr/share/pear')

Can you try to manually upload the module by FTP/SFTP overriding the old files? I guess a file is missing or corrupted.


  • 3 months later...
1 hour ago, Viitali said:

Hi Mathias.

A few files have been fixed for me. Big thanks.
Frontend also looks good.
But I can't get into the backend anymore. 
HTTP ERROR 500

Any ideas?

PS 1.6.1.15


Ok, I think I have it.

AdminLoginController.php

public function viewAccess($disable = false) 
was replaced by 
public function viewAccess()

but how can I get else access? IP control?

 


Hey @MathiasReker, thanks for the module. I've installed it and got two issues:

1. It shows me the vulnerability of the files which I cannot find on FTP. For example - themes/default/img/process-icon-save-and-stay.png while I don't have a default theme in the themes folder.

2. When I hit the 'run the cleaning process' button - nothing happens. 

 

Thanks!


20 hours ago, MathiasReker said:

I don't understand the question

ok, sorry. I will try again. 

After clearing process, I can not reach the Admin Login page. Only get the message "HTTP ERROR 500".

Something else. Today the hack was back. The whole "classes" folder was overwritten. I found changes in ModuleFrontController.php file. But I have not yet compared all files. Have replaced the whole folder from the backup. Is the file not monitored by you?


When I upload it I get this

mod_fcgid: stderr: PHP Fatal error:  require_once(): Failed opening required '/var/www/vhosts/coveri.com.gr/httpdocs/modules/blmvuln/vendor/autoload.php' (include_path='/var/www/vhosts/coveri.com.gr/httpdocs/vendor/pear/pear_exception:/var/www/vhosts/coveri.com.gr/httpdocs/vendor/pear/console_getopt:/var/www/vhosts/coveri.com.gr/httpdocs/vendor/pear/pear-core-minimal/src:/var/www/vhosts/coveri.com.gr/httpdocs/vendor/pear/archive_tar:.:/opt/plesk/php/7.2/share/pear') in /var/www/vhosts/coveri.com.gr/httpdocs/modules/blmvuln/blmvuln.php on line 50, referer: https://coveri.com.gr/******


On 2/13/2023 at 1:05 PM, FOCUS ON GROUP said:

When I upload it I get this

mod_fcgid: stderr: PHP Fatal error:  require_once(): Failed opening required '/var/www/vhosts/coveri.com.gr/httpdocs/modules/blmvuln/vendor/autoload.php' (include_path='/var/www/vhosts/coveri.com.gr/httpdocs/vendor/pear/pear_exception:/var/www/vhosts/coveri.com.gr/httpdocs/vendor/pear/console_getopt:/var/www/vhosts/coveri.com.gr/httpdocs/vendor/pear/pear-core-minimal/src:/var/www/vhosts/coveri.com.gr/httpdocs/vendor/pear/archive_tar:.:/opt/plesk/php/7.2/share/pear') in /var/www/vhosts/coveri.com.gr/httpdocs/modules/blmvuln/blmvuln.php on line 50, referer: https://coveri.com.gr/******

I cannot reproduce the error.


  • 3 weeks later...

Looks awesome, impossible to have it run with PS 1.6.24 and php 5.6? I know, I know, I should be using 1.7 but we have so many custom modules that it would take tons of money to have the developers upgrade them too. Same question also to file permission module. Thanks in advance!


My hosting company wouldn't even allow me to run PHP 5.6 so you should maybe think about changing your host. I wonder how much would it cost to recover and rebuild your shop after it's been hacked...🤔
PHP 5.6 support ended in December 2018, no security patches for years, I wouldn't sleep if I had my store running on such historic PHP version.
I'm sure that you'll not be able to run this module but I might be wrong (sure I'm not 😁).


We run 18 stores on it and so far so good, we just keep healthy copies of each site in case they get hacked we can be restored in 10 seconds, not the best practice and could be time consuming but it works until we can sit down to upgrade them all. We will be upgrading sometime this year to a dedicated server so there we may upgrade.

Funny enough we just have random issues with sites being hosted through its domain www.store.com, the ones that get forwarded to directories inside a domain store.com/shopname, get ignored by hacking bots, no clue why.


  • 2 weeks later...