Jump to content
Argon2

Somebody sending out spam using the send to a friend module

Recommended Posts

I have a hacker who is sending out spam using the "send to a friend" module.

Somehow he is also inserting a spam message in the "send to a friend" mails

 

So there must be a security hole in that module...

 

Example IIS log:

2016-06-26 10:26:21 W3SVC26 <MY.WEBSERVER.IP.HERE> POST /modules/sendtoafriend/sendtoafriend_ajax.php rand=1466666329816 80 - 112.198.79.231 Mozilla/4.0+(compatible;+MSIE+9.0;+Windows+NT+6.1) http://www.websiteurl.com/modules/sendtoafriend/sendtoafriend_ajax.php?rand=1466666329816 200 0 0 513 1179 1812

 

What do I do? 

 

I already blocked his IP address on the firewall, but that doesn't solve the security issue in the send to a friend module...

 

Thanks.

Kris.

 

Update:
Renaming the php files (to .bak) of the "send to a friend" module has effectively stopped the spam being sent. 

Disabling and uninstalling that module using the prestashop backend was not sufficient!!! The module files remain on the webserver even after uninstalling the module in the backend.

So I can now confirm with certainty that the "send to a friend" module has some kind of security issue that enables the sending of spam.

Edited by Argon2

Share this post


Link to post
Share on other sites

Do you know of an alternative "send to a friend" module for prestashop?

I did a search in the modules section on the prestashop website, but couldn't find an alternative.

 

My client would like to keep offering this feature on his webshop, but of course he doesn't want to be sending out spam :)

 

Thank you.

Kind regards.

Kris

Share this post


Link to post
Share on other sites

As another victim of this exploit, I can say the lack of a CAPTCHA is an inexcusable omission, but is not even the primary issue here.  The fact that a faulty module that ships with PrestaShop can be disabled and even uninstalled, yet the code is still directly executable from the modules directory is a major security concern and should be treated as such.

 

In the meantime, all Prestashop users should remove or rename the "modules/sendtoafriend" directory if the module has ever been active.

Share this post


Link to post
Share on other sites

Hi

Of course where will be found security holes in a large system like prestashop , BUT is where no where a security bulletin / mail list with warnings about security flaws 

 

I can't sit and read all new forum post just to keep my customers prestashop clean from security holes

Share this post


Link to post
Share on other sites

As mdekker already told: If you see on your back-office on modules list updates, you should consider to update them !

 

Prestashop only announces on the forum patches for severe security flaws, but not minor one without priorities for modules in use for ex.

Share this post


Link to post
Share on other sites

Yes i just checked a 1.6 installation and your are right on module list update where was a update for the module (installed v1.8) updated to v 1.9 , no change log or note on the update for what the update is doing , is 1.9 free of the hole ?

 

But as you sure know not all users of Prestashop is looking for modules update, and are not very technical and do not get the modules updated , many of when hire a developer to do things like install modules 

 

I am one of whose developers/freelancer now i would be very nice if i could monitor a list with severe and minor security flaws , not just as a service for the customer but allso in the light of what if we get holes closed on as many prestashop installations as possibly in a very short time , the more hackers are looking else where for where dirty work 

 

I know Prestashop is a open source and i am will happy contribute to creation of a list like what

 

If where is no interest in such a list on prestashop.com i  would like to here from other what wants a list only with news about severe and minor security flaws out of prestashop community i will donate a server for the purpose and allso a spare time developer

Edited by ibser

Share this post


Link to post
Share on other sites

Sorry, but there are official sites (like secunia.com) which handles this. I don't think there is a need to schock/startle/overtax others with such "list". Besides as also you said: "I can't sit and read all new forum post just to keep my customers prestashop clean from security holes". Don't hink that if it is not on official site of Prestashop nobody will care or take a look into that on non-official sites....

 

BUT on your own site, you can make public what you want for YOUR CUSTOMERS....

 

There are several developers (like me) using their own sites for tips and tricks and informing about Prestashop development. You can for ex. start one for your customers, if you feel that they are more confident on your services...

Share this post


Link to post
Share on other sites

I think we misunderstand each other , i was asking for  this <Sorry, but there are official sites which handles this >

 

BTW your attitude is not very friendly , maybe its just me reading you wrong , but i settle my case here on this forum

Share this post


Link to post
Share on other sites

@ ibser - We should make it short: there must be a reason why Prestashop does not put a priority to this. I tried to explain the reasons for you, from my point of view. Nevertheless if you feel that there is a lack of information on this for the customers YOU are supporting, you are free to inform what you want on your own page. This is what I'm doing and other developers too....

 

It was only and advice how YOU can manage this point better, not a critic and also not to be "unfriendly"... Forums are there for to discuss several point of views, or not ? To learn from others ?

 

As you know, it is a task of each oneself using software (paid or OS) to keep it actual for to avoid possible security flaws... Neither Microsoft, or other big software will inform you about security problems. They simply send you info, that there is a upgrade available. This is also what Prestashop is doing....

Share this post


Link to post
Share on other sites
Hi.

 

I had the same problem with the module sendtoafriend.

 

First I was advised that there was a module being used to spam. Locate the module sendtoafriend and eliminated.

 

Yet the administration took too long to load and did not understand why. In the logs still calls are appearing:

 

POST /modules/sendtoafriend/sendtoafriend_ajax.php?rand=1468311826965

 

Review the directories and were still being remains of sendtoafriend and eliminated.

 

Even in the log are still appearing calls me to:

 

POST /modules/sendtoafriend/sendtoafriend_ajax.php?rand=1468311826965

 

Anyone know how to stop this nightmare.

 

Thank you.

Share this post


Link to post
Share on other sites

Hi dpb-andorra

When uninstall the module from the admin backend it is still located on the disk '

 

My solution was to uninstall from admin backend and ftp or what you use and delete the module total from the system (dir and files)

Share this post


Link to post
Share on other sites

Secure the module with a captcha: https://github.com/firstred/mpsendtoafriend/releases

 

No captcha response = no processing, so that saves your server some processing power.

 

You can also protect the product reviews module if you like: https://github.com/firstred/mpproductcomments/releases

 

Hi -

 

I am kind of a bull in a china shop when it comes to tech administration.

 

I downloaded the firs zip file you had in this link, under 1.1.2:

https://github.com/firstred/mpsendtoafriend/releases

 

Then I tried to add the module to my prestashop installation acp.  Got an error.

 

I tried again, after reenabling the send a link module.  This time it added the module.  Then I installed the module.  Now there are two modules - see the attached prinstcreen.  Do I need to uninstall the old one?

 

post-395516-0-06240400-1470308740_thumb.png

 

Thanks,

Brian

Share this post


Link to post
Share on other sites

Had the same issue last night.

 

update "Send to a friend" module from back office not spam stoped

 

unistall module and not spam stoped

 

delete "Send to a friend" module also not spam stoped

 

what is that solution?

it seems not related from that module

Share this post


Link to post
Share on other sites

we have issues with newsletter module....this we could tell from returned emails...still have not had time to sort it out...but stopped after disabling newsletter.

Share this post


Link to post
Share on other sites

I have a hacker who is sending out spam using the "send to a friend" module.

Somehow he is also inserting a spam message in the "send to a friend" mails

 

So there must be a security hole in that module...

 

Example IIS log:

2016-06-26 10:26:21 W3SVC26 <MY.WEBSERVER.IP.HERE> POST /modules/sendtoafriend/sendtoafriend_ajax.php rand=1466666329816 80 - 112.198.79.231 Mozilla/4.0+(compatible;+MSIE+9.0;+Windows+NT+6.1) http://www.websiteurl.com/modules/sendtoafriend/sendtoafriend_ajax.php?rand=1466666329816 200 0 0 513 1179 1812

 

What do I do? 

 

I already blocked his IP address on the firewall, but that doesn't solve the security issue in the send to a friend module...

 

Thanks.

Kris.

 

Update:

Renaming the php files (to .bak) of the "send to a friend" module has effectively stopped the spam being sent. 

Disabling and uninstalling that module using the prestashop backend was not sufficient!!! The module files remain on the webserver even after uninstalling the module in the backend.

So I can now confirm with certainty that the "send to a friend" module has some kind of security issue that enables the sending of spam.

Hi where i can see this logs? Thx alot!

Jon

Share this post


Link to post
Share on other sites

Hi where i can see this logs? Thx alot!

Jon

As written before: IIS logs - so server logs.In this case it is a Windows server (IIS) but also on Linux servers you can read logs, if you have access to them. Ask your hosting provider, where and if you can access the logs.

Share this post


Link to post
Share on other sites

Does anyone knows if this is fixed in 1.7? I cannot see the module there.

 

Hence it is fixed. The backdoor is not related to the core but to the module it-self, no module, no backdoor

Share this post


Link to post
Share on other sites

Hence it is fixed. The backdoor is not related to the core but to the module it-self, no module, no backdoor

Good to hear, thanks!

Share this post


Link to post
Share on other sites

Purge your mail server queue entirely, analyse your logs, find the true channel they use to spam, identify the backdoors, identify the breach used to implement the new set of backdoor, close both and perform a full code review for yet undiscovered backdoor.

Change your superadmin access (most your access credential could have been leaked btw)

Time consuming, boring, but no other choice.

Worst, if you don't do that you will probably migrate on update the code they use to sneak inside your system.

 

PS: The module is sendtoafriend, not newsletter !!

Edited by doekia

Share this post


Link to post
Share on other sites

PS: The module is sendtoafriend, not newsletter !!

 

 

i update all of thease module but not stop

i unistall sendtoafriend module before but not stop

i unistall newsletter module but not stop

Share this post


Link to post
Share on other sites

assuming they use the regular contact form, u need to implement some captcha or the like.

If captcha is override based you should be immediatly set.

If it is a submit button hijack, you need to implement the correct RewriteRule to prevent sending to the "legacy" controller

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×

Important Information

Cookies ensure the smooth running of our services. Using these, you accept the use of cookies. Learn More