A PrestaShop module vulnerability has been discovered in PrestaShop 1.5, 1.6 and 1.7, related to a PHPUnit dependency. Shops running these versions have been affected by a malware called XsamXadoo, which gets in through a vulnerability in PHPUnit.
The report is found here.
The known modules that may contain the vulnerable files are:
/modules/ps_facetedsearch/vendor/phpunit – if it exists; newer module versions do not have this folder.
/modules/gamification/vendor/phpunit – if it exists; newer module versions do not have this folder.
and third-party developed modules:
To make sure you are safe, please delete all the sub-folders /phpunit/ in the folder modules mentioned.
Background of the prestashop module vulnerability discovery
Sometime on Thursday, January 2, 2020, a customer reported to the PrestaShop team that their shop had been compromised by a malware named XsamXadoo Bot. According to the report, the bot
was able to upload malware files into the shop, which allowed the attacker to access and control several shop settings.
So, if you suspect that files have been uploaded to your server without your knowledge, or that files you are not familiar with are sitting among your PrestaShop core files, it is a good time to check whether your shop has been compromised.
After some research, the Prestashop developers believe that the bot was able to upload those malware using a known vulnerability in the PHP tool PHPUnit that has been reported as CVE-2017-9841.
CVE-2017-9841 is a code injection vulnerability in PHPUnit. Several open-source systems, including Drupal, the Laravel framework, and WordPress, have been hit by remote code execution through CVE-2017-9841.
PHPUnit is a programmer-oriented testing framework for PHP. PHPUnit 4.x versions before 4.8.28 and 5.x versions before 5.6.3 allow remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a particular substring. The vulnerability is exploitable only if the /vendor folder is publicly accessible over the web.
PHPUnit is used as a tool to build PrestaShop modules
PHPUnit is used as a tool to build PrestaShop modules, but it should only be used on a developer's computer. So it is very unlikely that the vulnerable files would be found on a server and make that server vulnerable.
Unlikely, but not impossible. These files have wrongly been added to some PrestaShop module ZIP archives. If a shop has downloaded one of these archives and has not deleted the files since, that shop is now vulnerable.
The Prestashop team has confirmed that there are multiple shops running that are vulnerable right now (= can be attacked at any time) and multiple shops running that are already compromised.
How to find if my shop is vulnerable
If you think your shop has been compromised, look into the modules/ directory of your shop and, for each module in this directory, check whether it contains a directory named “vendor” and, inside that “vendor” directory, another directory named “phpunit”.
If a module contains this vendor/phpunit directory, that module might make you vulnerable and allow an outside attacker to upload malware files into your shop.
How to protect my shop if a module makes it vulnerable
If you have found that a module on your shop contains the vendor/phpunit directory, you can simply delete that vendor/phpunit directory. It is not needed for the module to work correctly. This simple step will protect your shop from this vulnerability.
On a Linux server, the cleanup of a vulnerable shop can be performed with the following bash command line, run from the shop's modules/ folder:
NOTE: This command requires the relevant user rights.
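The check described under “How to find if my shop is vulnerable” and the cleanup step above, as an added example written for this page (it is not the PrestaShop team's own command): it lists every module under modules/ that carries a vendor/phpunit directory and removes only those directories. The demo tree it builds is constructed for the example; module names in it are placeholders except the two the page names.

```shell
#!/bin/sh
# Added example, not the PrestaShop team's command: locate every module that
# ships a vendor/phpunit directory under a shop's modules/ folder and remove
# those directories on request. Run it as a user with rights on modules/.

# find_phpunit_dirs MODULES_DIR
# Prints each <module>/vendor/phpunit directory, one per line.
find_phpunit_dirs() {
    find "$1" -mindepth 3 -maxdepth 3 -type d -path '*/vendor/phpunit' | LC_ALL=C sort
}

# count_phpunit_dirs MODULES_DIR
# Prints how many modules carry the vulnerable directory (0 means clean).
count_phpunit_dirs() {
    find_phpunit_dirs "$1" | wc -l | tr -d ' '
}

# remove_phpunit_dirs MODULES_DIR
# Deletes only the vendor/phpunit directories; the rest of each module,
# including other packages under vendor/, is left untouched.
remove_phpunit_dirs() {
    find_phpunit_dirs "$1" | while IFS= read -r dir; do
        echo "removing $dir"
        rm -rf -- "$dir"
    done
}

# make_demo_modules
# Builds a constructed modules/ tree in a temp dir: two modules with
# vendor/phpunit, one with an unrelated vendor package, one with no vendor/.
make_demo_modules() {
    d=$(mktemp -d)
    mkdir -p "$d/ps_facetedsearch/vendor/phpunit/phpunit/src"
    mkdir -p "$d/gamification/vendor/phpunit"
    mkdir -p "$d/demo_clean_module/vendor/symfony"
    mkdir -p "$d/demo_no_vendor/views"
    printf '%s\n' "$d"
}

# Stand-alone run: scan the demo tree, clean it, and scan again.
demo=$(make_demo_modules)
echo "before: $(count_phpunit_dirs "$demo") vulnerable module(s)"
remove_phpunit_dirs "$demo"
echo "after:  $(count_phpunit_dirs "$demo") vulnerable module(s)"
rm -rf -- "$demo"
```

Against a real shop, call find_phpunit_dirs on the modules/ path first and review the list before running remove_phpunit_dirs on it.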
However, you must also check whether your shop was compromised while it was vulnerable.
What can the attacker do to my shop?
This vulnerability allows an attacker to execute PHP code on your shop. This means that an attacker can:
- read the content of your database to steal data
- upload files on your server
- modify files on your server
Once your data has been stolen, there is no way to get it back, and there is no reliable way to check whether it has been stolen. However, you should be able to find out whether files have been added or modified.
What has been done about this vulnerability
The PrestaShop team is still examining module archives to track whether or not they contain the vulnerable vendor/phpunit directory. They said:
We will remove or patch all archives which contain this vulnerable directory, then communicate the list of the vulnerable module versions and how to protect shops.
List of vulnerable archives
They have found that the following ZIP archives contained the vulnerable files:
All these packages have been deleted from GitHub.
Distributed through PrestaShop API
Modules released with a vulnerable version of PHPUnit:
– module pscartabandonmentpro ; versions v2.0.1 and 2.0.2 (PHPUnit v4.8.36)
– module ps_facetedsearch ; version v2.2.1 (PHPUnit v5.0.9)
Modules released with a recent version of PHPUnit:
– module ps_checkout ; versions v1.0.8 & v1.0.9 (PHPUnit v5.7.27)
– module ps_facetedsearch ; version v3.0.0 (PHPUnit v5.7.27)
– module autoupgrade ; versions 4.x (PHPUnit v5.7.27)
Currently unknown status:
– module gamification – the versions are being searched
If we find additional vulnerable archives, we will add them to this list.
The full investigation report from PrestaShop about this vulnerability can be read here.
What can you do if your shop is compromised?
- An immediate remedy is to upgrade to the latest version of PHPUnit; this issue was fixed in PHPUnit 7.5.19 and 8.5.1. After the cleanup command has been run and the vulnerable directories removed, be careful when installing new modules on the server and make sure they do not contain an exploitable version of phpunit.
- Find and delete every directory named /phpunit.
As of this posting, this is all the information available, and the recommended remedy, for this PrestaShop module vulnerability.
Additional resources for your ecommerce shop security:
Contact us if you need help with ecommerce shop security by using the contact us link above or use the comment section to let us know!