Acer Posted January 6, 2020 Hi, I've received a mail from DH42 about a new PrestaShop security vulnerability that affects all versions of PS. Can you guys please inform us if this applies to TB? Quote: Friday afternoon we were alerted to a security issue affecting most PrestaShop versions. The issue centers around PrestaShop including PHPUnit in several modules that were either distributed through their API or with installations of PrestaShop. While the security issues are most present in the latest 1.7 versions of PrestaShop, it looks like all versions are affected. This is the "more info" doc from PS: https://docs.google.com/document/d/1D76Lj93gw-XZ8GgV8UzK6Oi6u5qLxLDEsC2298Go-as/edit#heading=h.tjhj04l5p8kk Edited January 6, 2020 by Theo
piet Posted January 6, 2020 When I read the mail I had the same question. What about TB?
Gotabor Posted January 6, 2020 Thanks for the warning, Theo! For TB security I just went through the module folder on our 1.08 looking for vendor/phpunit (what is indicated in the Google doc). I didn't find anything, but this shop is very basic with mostly core modules and some 1.6-compatible ones. I still advise you to check the directory. You know, security first 😉
Acer Posted January 6, 2020 Author Ummm. I think the TB admin guys need to reply here, please... Just doing a quick search on my local TB 1.1.0 install and I'm getting phpunit.xml in multiple locations. @Gotabor Try doing a search just for the file "phpunit.xml" and see if something comes up? TB admins, some feedback please? Edited January 6, 2020 by Theo
Traumflug Posted January 6, 2020 2 hours ago, piet said: What about TB? That's pretty simple to answer. According to the document, vulnerable modules are: autoupdater (confirmed), gamification (perhaps), pscartabandonmentpro (third party), ps_facetedsearch (third party). None of these modules ship with thirty bees. To find more candidates and confirm a safe state, search for folders with the name 'phpunit'. There should be none, and if there is any, delete it with all its content. Code in there is needed for code development only. Command line for those who have shell access: find . -type d | grep -i phpunit Run this in the shop's root folder; it should create no output.
piet Posted January 6, 2020 @Traumflug Thanks, that's the answer I was waiting for 🙂 I will do the check as mentioned and hopefully it will give no result.
Acer Posted January 6, 2020 Author 12 minutes ago, Traumflug said: To find more candidates and confirm a safe state, search for folders with the name 'phpunit'. If there are no folders, but the phpunit.xml file comes up? vendor\greenlion\phpunit.xml vendor\swiftmailer\phpunit.xml Edited January 6, 2020 by Theo
Acer Posted January 6, 2020 Author 7 minutes ago, Traumflug said: XML files aren't executable, so no threat. Right, obviously. Lol... I think when something like this comes up, it's easy to panic automatically and risk not seeing things 100%. To quote myself: "OMG the search found PHPUnit! -> panic -> brain switches off -> survival mode -> just kill it!" 😊 Edited January 6, 2020 by Theo
Euria Posted January 6, 2020 On one of our TB shops, checking with FTP, I found this - see attachment. Can these files be removed safely, without consequences? Thanks for your reply.
Traumflug Posted January 6, 2020 11 minutes ago, Euria said: On one of our TB shops checking with FTP I found this - see attachment. Let me repeat: XML files aren't executable, so no threat. Which means, delete them or don't, it doesn't matter.
Acer Posted January 6, 2020 Author As @Traumflug mentioned, search for a folder with the name phpunit; if you find it, you can delete the phpunit folder and all its content. Also, I think it's safe to assume that "upgraded PS 1.6 to TB" sites could be at risk here also. Edited January 6, 2020 by Theo
lesley Posted January 6, 2020 As @Traumflug mentioned, no native thirty bees code is affected by this, unless you are building from scratch and running that in production. If you are, make sure you are not using require-dev in composer. It looks like there is another module that needs to be added to the list of modules with security issues: https://github.com/kuzmany/mautic-prestashop
Kashir2000 Posted January 8, 2020 If anyone is interested in which file exactly to look for, it's https://github.com/sebastianbergmann/phpunit/blob/master/src/Util/PHP/eval-stdin.php which mostly translates to: phpunit/phpunit/src/Util/PHP/eval-stdin.php. So this file is the exact source of evil 🙂 It may be included in 3rd-party modules.
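The two checks the thread converges on (Traumflug's "no directory named phpunit anywhere under the shop root" and Kashir2000's "no eval-stdin.php") can be wrapped into one POSIX sh script. This is an added example, not code from the thread or from thirty bees; the only assumption is that you pass it the shop root (the `modules/`, `vendor/` and `src/Util/PHP/` paths in the test below are a constructed sample tree, not a real module). Note that, as Traumflug points out, a `phpunit.xml` on its own is not executable, so the scan deliberately matches only directories named phpunit and the `eval-stdin.php` file, not XML files.

```shell
#!/bin/sh
# Added example (not from the thread). Scan a shop tree for the PHPUnit
# leftovers discussed above and optionally remove the phpunit directories.

# scan_phpunit ROOT
#   Prints every directory named "phpunit" (any case) and every file
#   named "eval-stdin.php" under ROOT. Returns 0 when nothing was found
#   (safe state), 1 otherwise. phpunit.xml files are ignored on purpose:
#   they are configuration, not executable PHP.
scan_phpunit() {
    root=${1:-.}
    # -iname so that both "phpunit" and "PHPUnit" match.
    dirs=$(find "$root" -type d -iname 'phpunit')
    # The file Kashir2000 points at: phpunit/.../src/Util/PHP/eval-stdin.php
    files=$(find "$root" -type f -name 'eval-stdin.php')
    [ -n "$dirs" ]  && printf 'phpunit directory:\n%s\n' "$dirs"
    [ -n "$files" ] && printf 'eval-stdin.php file:\n%s\n' "$files"
    [ -z "$dirs" ] && [ -z "$files" ]
}

# remove_phpunit_dirs ROOT
#   Deletes every directory named "phpunit" under ROOT with all its
#   content (Traumflug's advice). -prune stops find from descending into
#   a directory that is about to be deleted, so nested phpunit/phpunit
#   trees are removed once at the top.
remove_phpunit_dirs() {
    root=${1:-.}
    find "$root" -type d -iname 'phpunit' -prune -exec rm -rf {} +
}

# Usage: run from the shop root, or pass the path.
#   scan_phpunit /var/www/shop || remove_phpunit_dirs /var/www/shop
```

Run `scan_phpunit` first and only call `remove_phpunit_dirs` once you have looked at what it lists; a shop that has been migrated from PrestaShop 1.6 is the most likely place to still carry a third-party module's `vendor/phpunit` tree. For shops you build yourself from the repository, `composer install --no-dev` is what keeps PHPUnit out of the tree in the first place, which is the require-dev point lesley makes below.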
shoptechmedia Posted January 8, 2020 On 1/6/2020 at 7:58 PM, Theo said: As @Traumflug mentioned, search for a folder with the name phpunit; if you find it, you can delete the phpunit folder and all its content. Also, I think it's safe to assume that "upgraded PS 1.6 to TB" sites could be at risk here also. I would assume that too, because the modules that have vulnerabilities are not removed during migration to TB. However, the vulnerability with PHPUnit can also be attributed to lower versions; this vulnerability has been fixed in the new releases of PHPUnit, I read.
Traumflug Posted January 8, 2020 3 hours ago, shoptechmedia said: the modules that have vulnerabilities are not removed during migration to TB For about a year, these do get removed by the migration module. https://github.com/thirtybees/psonesixmigrator/blob/master/classes/AjaxProcessor.php#L878-L880
Acer Posted January 9, 2020 Author Thanks @lesley and @Traumflug for the feedback here, and for the original DH42 email (Lesley) 😉