Jump to content

Friends-Of-Presta Security Advisories for PrestaShop


okom3pom

Recommended Posts

Hello to all, 

I introduce myself as a member of the Friend of Presta association and I think many people on this forum already know me.
Since a few months the FoP association has created a security cell that analyses the PrestaShop ecosystem.
We have identified hundreds of modules with security holes.

You can already find the list of modules for which we have already created CVEs by respecting a timeline for the authors of these modules.

You can subscribe to the rss feed here this list is updated every Tuesday and Thursday.

I will try to add on this post all the new vulnerabilities we publish.

  • Like 7
Link to comment
Share on other sites

  • razaro pinned this topic

Hi okom3pom, 

What about the free modules here on PrestaShop are these also being vetted?  

I've suggested many times to PrestaShop the free modules/themes should be removed from the official PrestaShop forum.  Just thought maybe I mentioned to PS providing free modules/theme without any vetting could create legal issue for them.

We have on our own written our own security solutions to protect our own private shops but also our client shops and appreciate others improving the PS ecoc.

Have a great week

 

 

 

Link to comment
Share on other sites

Free modules are also tested, we have detected more than 500 modules with flaws.

We only publish two modules per week, we will increase the number in time.

At the moment we focus on actively exploited modules that drop webskimers.

Link to comment
Share on other sites

23 hours ago, okom3pom said:

Free modules are also tested, we have detected more than 500 modules with flaws.

We only publish two modules per week, we will increase the number in time.

At the moment we focus on actively exploited modules that drop webskimers.

have any of the 500  been pulled down from forum?  my last stint as moderator I took down all but three pages of modules in english...there is no way to manage them.....Prestashop should remove from forum...and stop shooting themselves in the foot...and hurting beginners trying ps for  first time..

 

does prestashop have access or even use the results of your work....

 

 

 

Link to comment
Share on other sites

Hi

why ban all free modules?

You have, in the past, deliberately deleted entire pages of this forum concerning free modules, or not, while some modules are maintained and distributed to the community with a clean code and a complete monitoring.

The choice taken by PrestaShop Addons to remove the possibility to distribute free modules on their platform does not allow to have a review of each module before distribution, but considering the number of paid modules identified as having major flaws, we can rightly ask ourselves if it changes anything.

It is also up to the community to regulate itself and you can, if you identify flaws on free modules, inform the developer, directly or through the topic concerning his module, so that he makes the corrections, while indicating that the current links to the module file be removed, if these corrections are not shared, you can report the topic so that it is deleted and thus reassure the community members.

The outright ban, as you advocate and as you have implemented, will not help the development of PrestaShop or its community.

  • Like 4
Link to comment
Share on other sites

1 hour ago, Mediacom87 said:

Hi

why ban all free modules?

You have, in the past, deliberately deleted entire pages of this forum concerning free modules, or not, while some modules are maintained and distributed to the community with a clean code and a complete monitoring.

The choice taken by PrestaShop Addons to remove the possibility to distribute free modules on their platform does not allow to have a review of each module before distribution, but considering the number of paid modules identified as having major flaws, we can rightly ask ourselves if it changes anything.

It is also up to the community to regulate itself and you can, if you identify flaws on free modules, inform the developer, directly or through the topic concerning his module, so that he makes the corrections, while indicating that the current links to the module file be removed, if these corrections are not shared, you can report the topic so that it is deleted and thus reassure the community members.

The outright ban, as you advocate and as you have implemented, will not help the development of PrestaShop or its community.

I've stated my reasons why I recommend removing free modules from forum.  So stop headline reacting and read  the details.  You want to debate me on those I'm happy to  oblige.   

Honestly PrestaShop should close the forum...they don't even keep it up, oh I'm sure the French forum is well policed...and sometime those police come over to English side to troll, i.e. ask question that has already been stated.

  • Like 1
Link to comment
Share on other sites

il y a une heure, PrestaHeroes USA a dit :

I've stated my reasons why I recommend removing free modules from forum.  So stop headline reacting and read  the details.  You want to debate me on those I'm happy to  oblige.   

Honestly PrestaShop should close the forum...they don't even keep it up, oh I'm sure the French forum is well policed...and sometime those police come over to English side to troll, i.e. ask question that has already been stated.

You don't debate, you simply suppress what you consider to be a problem.
That a free module is not perfect bothers me much less than the thousands of copies of modules doing the same thing, or that paid modules are so poorly developed and insecure, or that themes are filled with modules without receiving the same control constraints, and so on.
You criticize the French, but surprisingly, it is still this community that offers real community solutions to security problems in its universe, and of course for free.
So I still think that by accompanying the good will to make free modules available can be a benefit for the whole community.

  • Like 3
Link to comment
Share on other sites

  • 4 months later...

Great job! There is a lot of work to do. Almost every module i´ve seen since 10 years ago, free and paid, contains huge vulnerabilities and suppose a huge risk. I hope new prestashop versions include static analysis tools at least for module validators or included within module instalation tools.

Link to comment
Share on other sites

  • 3 months later...
  • 2 weeks later...
  • 4 months later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...