Jump to content

Welcome, Guest!

By registering with us, you'll be able to discuss, share and private message with other members of our community.

Theo

[SECURITY] Serious PrestaShop Security Vulnerability and TB?

Recommended Posts

Posted (edited)

Hi

I've received a mail for DH42 about a new PrestaShop Security Vulnerability that affects all versions of PS.
Can you guys please inform us if this applies to TB?

Quote

Friday afternoon we were alerted to a security issue affecting most PrestaShop versions. The issue centers around PrestaShop including PHPUnit in several modules that were either distributed through their API or with installations of PrestaShop. While the security issues are most present in the latest 1.7 versions of PrestaShop, it looks like all versions are affected. 


This is the "more info" doc from PS
https://docs.google.com/document/d/1D76Lj93gw-XZ8GgV8UzK6Oi6u5qLxLDEsC2298Go-as/edit#heading=h.tjhj04l5p8kk

Edited by Theo
  • Like 2

Share this post


Link to post
Share on other sites

When I read the mail I had the same question. What about TB?

Share this post


Link to post
Share on other sites

Thanks for the warning Theo !

For TB security I just went through the module folder on our 1.08 looking for the vendor/phpunit (what is indicated on the google doc).

I didn't find anything, but this shop is very basic with mostly core modules and some 1.6 compatible ones. I still advise you to check the directory. You know, security first 😉

Share this post


Link to post
Share on other sites
Posted (edited)

Ummm. I think the TB admin guys need to reply here pls...
Just doing a quick search on my local TB 1.1.0 install and I'm getting phpunit.xml in multiple locations.

@GotaborTry doing a search just for the file "phpunit.xml" and see if something comes up?

TB admins, some feedback pls? 

Edited by Theo

Share this post


Link to post
Share on other sites
2 hours ago, piet said:
What about TB?

That's pretty simple to answer. According to the document, vulnerable modules are:

  • autoupdater (confirmed)
  • gamification (perhaps)
  • pscartabandonmentpro (third party)
  • ps_facetedsearch (third party)

None of these modules ship with thirty bees.

To find more candidates and confirm a safe state, search for folders with the name 'phpunit'. There should be none and if there is any, delete it with all its content. Code in there is needed for code development, only.

Command line for those who have shell access:

  find . -type d | grep -i phpunit

Run this in the shop's root folder, it should create no output.

  • Like 2
  • Thanks 1

Share this post


Link to post
Share on other sites

@Traumflug Thanks, that's the answer I was waiting for 🙂

 

I will do the check as mentioned and hopefully is wil give no result.

Share this post


Link to post
Share on other sites
Posted (edited)
12 minutes ago, Traumflug said:

To find more candidates and confirm a safe state, search for folders with the name 'phpunit'.

If there are no folders, but the phpunit.xml file comes up?

vendor\greenlion\phpunit.xml
vendor\swiftmailer\phpunit.xml

Edited by Theo

Share this post


Link to post
Share on other sites
Posted (edited)
7 minutes ago, Traumflug said:

XML files aren't executable, so no threat.

Right, obviously. Lol... I think when something like this comes up, it's easy to panic automatically and risk not seeing things 100%.
To quote myself:

Quote

OMG the search found PHPUnit! -> panic -> brain switches off -> survival mode -> just kill it!

😊

Edited by Theo

Share this post


Link to post
Share on other sites

On one of our TB shops checking with FTP I found this - see attachment. Can these files be removed safely, without consequences?

Thanks for your reply. 

phpunit.JPG

Share this post


Link to post
Share on other sites
11 minutes ago, Euria said:

On one of our TB shops checking with FTP I found this - see attachment.

Let me repeat:

XML files aren't executable, so no threat.

 

Which means, delete them or don't, it doesn't matter.

Share this post


Link to post
Share on other sites
Posted (edited)

As @Traumflug mentioned, search for a folder with the name phpunit
if you find it, you can delete the phpunit folder and all its content.

Also, I think it's safe to assume that "upgraded PS 1.6 to TB sites" could be at risk here also.

Edited by Theo

Share this post


Link to post
Share on other sites

As @Traumflug mentioned no native thirty bees code is affected by this, unless you are building from scratch and running that in production. If you are, make sure you are not using require dev in composer. 

 

It looks like there is another module that needs to be added to the list of modules with security issues, https://github.com/kuzmany/mautic-prestashop 

Share this post


Link to post
Share on other sites

If anyone is interested in which file exactly to look for its [https://github.com/sebastianbergmann/phpunit/blob/master/src/Util/PHP/eval-stdin.php](https://github.com/sebastianbergmann/phpunit/blob/master/src/Util/PHP/eval-stdin.php)

Which mostly translates to: phpunit/phpunit/src/Util/PHP/eval-stdin.php.

So this file is exact source of evil 🙂 It may be included in 3rd party modules.

Share this post


Link to post
Share on other sites
On 1/6/2020 at 7:58 PM, Theo said:

As @Traumflug mentioned, search for a folder with the name phpunit
if you find it, you can delete the phpunit folder and all its content.

Also, I think it's safe to assume that "upgraded PS 1.6 to TB sites" could be at risk here also.

i would assume that too.. because the modules that have vulnerabilities are not remove during migration to TB.. however, the vulnerability with PHPunit can also be attributed to lower version.. this vulnerability has been fixed in the new releases of phpunit, i read.

 

Share this post


Link to post
Share on other sites
3 hours ago, shoptechmedia said:

the modules that have vulnerabilities are not remove during migration to TB

Since about a year, these do get removed by the migration module.

https://github.com/thirtybees/psonesixmigrator/blob/master/classes/AjaxProcessor.php#L878-L880

  • Like 2
  • Thanks 1

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...