Jump to content

Prestashop 1.7.5.1 vulnerabilities still present - where do those come from?

heyciao

By heyciao
in Core developers

 Share

Recommended Posts

heyciao Newbie

heyciao

Posted
Posted

Hi everyone,

prestashop 1.7.5.1, php 7.3

I am in the process to migrate to prestashop 8.2 php 8.xx and mysql upgrade.

In the meantime, I have an issue in the website that is still running until the migration is completed.

I have found out that in /img directory appear a PNG image, usually something like GbhdU.png, arriving from nowhere.

And in /classes/controller FrontController.php and Controller.php get injected of some code, a function that is called jscheck($html,$p), where $p, at the end of the story is exactly that image, that in fact is a javascript code encoded base64.

Yes, I have simply opened that png whit notepad and decoded it base64.

And that is fine, I have searched the net, fixed the modules, upgrades, deleted the modules I do not use, I think I have done everything.

Some mysql cleaning too. (changed passwords of course, first thing).

I must say that the site is now really fast, the backend is really fast. That experience forced me to deep cleaning the site and I discovered that Prestashop was not heavy and dramatically slow even in the back end operation because of the old version, old php, old things.

It can run really fast and perform really good. It was a ton of dirty code injected and now clean.

I know how to clean it.

But here is the BIG question:

How it happen that everyday in random hour that PNG image/code appear always in /img and the two files get injected again and again?

I check, go clean it, everything is right, after 8-12 hours, it happen again.

Where this come from? I have asked the logs to see if there is some $post with strange urls, some injections.

I am not able to find the hole, the starting point.

I have compared all the files in all directories. I have updated all the modules.

I have deleted all the phpunits. Installed all the modules that check the vulnerabilities.

It's a bot? It's a trigger coming from some SQL injected in some table?

It would be great to end this journey with the last discover: the origin.

Thanks to anyone would get interested and help.

 

 

 

 

 

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...