Krystian Podemski

PrestaShop Team
Krystian Podemski last won the day on November 19 2025

Krystian Podemski had the most liked content!

About Krystian Podemski

  • Birthday 12/03/1990

Profile Information

  • Location
    Poland, Bydgoszcz
  • First Name
    Krystian
  • Last Name
    Podemski
  • Activity
    Freelancer
    Developer
    Module Developer

Krystian Podemski's Achievements

  1. I feel there are a few points that have to be raised. Please consider this my personal comment, not a statement from PrestaShop SA. First of all: I heard about such an attack in the community, where the victim never contacted PrestaShop SA for support. The attack was also a direct login to the back office. This is to debunk the theory that 100% PrestaShop Support credentials were leaked. If you think that's the case, instead of making public accusations here on the forum, the evidence should be shared with the proper authorities. I must say making such public accusations is bold. Information about 21 million marketplace accounts stolen? It's hard to even comment on that. Think about 250.000 stores PrestaShop has across the globe, and then try to map it to the alleged 21.000.000 accounts on the Marketplace. Of course, such a database may leak directly from merchants' PrestaShop instances: most of the time, because of third-party module vulnerability. It's a thing the community is dealing with, not only in the PrestaShop world but also on other platforms. That's why it's important to follow security best practices that are often mentioned. Security is a shared responsibility. Attackers regularly scan PrestaShop websites, especially those that have historically been vulnerable to SQL injection. Addresses to the back office are often shared with databases on the dark web, and such stores are scanned even after the original SQLi vulnerability is fixed... This is a normal recommendation. As someone experienced in this ecosystem and in open source, I can tell you that if your store has ever been hacked, you have to check everything. I've seen attacks where backdoors were left on the server with SSH access, and others where the crontab was modified to keep a backdoor available for an attacker. If your server allows running `exec` commands, then the attacker can also sometimes create an FTP account. 
Not to say that there's always a human factor: those who create such credentials could've been hacked as well. It's all speculation. Again, that would be speculation. As stated above in the official PrestaShop SA response, PrestaShop SA does not publicly speculate on security matters, and hence, the company did not comment on that. All the security advisories are available here. Full transparency. There is also a great initiative by Friends of Presta, which maintains this website: https://security.friendsofpresta.org/ While I cannot give you the reasons A, B, C, D, etc., I can tell you that, in my opinion, it appears to be a lack of security hygiene. Some vulnerability that allowed credentials to be retrieved. Outdated, vulnerable module? Weak BO URL/password combination? Historical SQLi? Speculation. I can tell you that PrestaShop SA chose to communicate because, based on the information available, it was the responsible approach. There was a growing trend on a day-to-day basis since the end of the previous week before the communication. I will not comment further on this matter, even privately. Please, let’s keep the discussion in this thread respectful. I believe one of the users slightly overreacted... There are established processes and authorities within EU countries that deal with such issues. Making public accusations will not help. I can promise you that I will make every effort to ensure that any future communication is more precise. Wishing everyone a great day.
  2. Hello everyone, We would like to state clearly that there has been no data breach, hacking incident, or any security compromise related to the PrestaShop Marketplace, the Help Center system, or any other PrestaShop services or products. If there had been any confirmed security incident or data breach, PrestaShop SA would have taken all necessary and legally required actions, including appropriate communication. Transparency and compliance are fundamental to how we operate. We did not engage earlier in this thread because we do not publicly speculate about security matters. Some of the theories shared here are not aligned with the facts and have been presented in a way that suggests conclusions that are not supported by the evidence. For example: no developer blog post was published because no vulnerability was identified and no code changes were required. The page with all the publicly available findings is here in the Help Center. The security of our merchants and ecosystem remains a top priority. We won’t comment on that matter any further.
  3. Sure, do as you see fit. I'll only add that although progress has been made on backup and restore, it is still safest to make a manual backup and a manual restore, just in case.
  4. Thanks, it would really help if someone could reproduce this issue, enable dev mode and look at the Network tab and XHR requests, so that it's possible to know what happened. If the error is not reported, ideally with steps to reproduce it, how can one expect it to be fixed? And let me reassure you that it is NOT a global issue. PS Checkout performs well, and such a global issue would've been disastrous. You may or may not like PrestaShop SA solutions, but the team is really responsive and determined to help if there are issues. Regarding PrestaShop 9, we plan to release a patch version approximately every 6 weeks. Considering that Update Assistant is a solid choice to update from one version to another, especially for patch versions, that should help with v9 adoption. We are doing our best, also with amazing community members on GitHub, to make PrestaShop 9 a solid foundation.
  5. Unfortunately, this looks like a file permissions problem on your server, not a module bug. If the var/cache, var/logs and other directories there had the proper write permissions, everything would be fine.
  6. @att Version 9.0.0 had a problem with updating modules. Version 9.0.1 fixed this problem. Updating from 9.0.0 to 9.0.1 should not cause any problems; if you had any trouble, it would be great if you described what happened. The team that works on Update Assistant is very responsive and cares about resolving the edge-case scenarios that sometimes simply happen.
  7. @Prestashop Addict to add a custom endpoint or to extend an existing one?
  8. Hello! You can use overrides to achieve the result. In the override file, you have to alter the definition of the given ObjectModel.
  9. @nakwada you should contact PrestaShop Checkout support, and definitely not use PHP 8.4 with PrestaShop 8.1 - this PrestaShop version does not support PHP 8.4
  10. The module below is one of the best known for running this kind of promotion: https://addons.prestashop.com/pl/promocje-prezenty/9129-promocje-i-znizki-3x2-znizki-oferty-packs.html
  11. That's a bug. You would need to apply these changes: https://github.com/PrestaShop/PrestaShop/pull/39062/files You may need to delete var/cache manually.
  12. Your order statuses in the shop are probably not configured optimally. The last status you set is not one that has the order marked as: - shipped - paid - with invoice, and that is what PrestaShop needs to calculate the amounts correctly.
  13. Here: https://devdocs.prestashop-project.org/9/modules/concepts/services/#override-the-service