Since this January 2, 2020, the Prestashop team has detected a major security breach classified as CRITICAL within its files and that is affecting several versions of Prestashop and several modules.
The vulnerability is present in a PHP tool called PHPUnit and is exploited by Malware called XsamXadoo Bot. This Malware via the PHPUnit tool gets access to the store and takes control of it causing irreversible damage to the businesses of all users who have a store with this vulnerability.
What is PHPUnit?
This tool is a Framework that is used for unit testing in application developments. Although its use is not common in Prestashop nor is it modules, there are Prestashop modules developed by third parties that do use this Framework. That is why the scope of this security breach can be quite wide.
What is the way to proceed from Malware XamXadoo Bot?
The way to proceed from this Malware is basically to get access to the store through the vulnerable code of the PHPUnit tool and the subsequent insertion of some files with malicious code into the store directory. The code inside these files allow you to take control of the store so you can steal more data.
At the moment it is known that the files created by the Malware are as follows:
You should know that if store is vulnerable it doesn’t mean it’s infected. But if the Malware attacks the store, then it will get access and therefore infect it with malicious code via the mentioned files.
The Prestashop team has reported that the vulnerability is found in the following modules developed by them:
- 1-Click Upgrade (autoupgrade): Beta version 4.0 and later.
- Cartabandonment Pro (pscartpro): version 2.0.1-2.0.2
- Faceted Search (ps_facetedsearch): version 2.2.1-3.0.0
- Merchant Expertise (gamification): version 2.1.0 and later
- PrestaShop Checkout (ps_checkout): version 1.0.8-1.0.9
They were able to fix the problem and have updated these modules to the following versions:
- 1-Click upgrade: version 4.10.1
- Cart Abandonment Pro: version 2.0.10
- Faceted Search: version 3.4.1
- Merchant Expertise: version 2.3.2
- PrestaShop Checkout: version 1.2.9
IMPORTANT: This list is only one of the modules developed by Prestashop that have detected that they have the vulnerability with PHPUnit. However, as we discussed earlier, there may be many more modules developed by third parties that also have the vulnerability.
For more information about this critical issue, click the following links:
National Vulnerability Database CVE-2017-9841
How to check and fix the vulnerability with PHPUnit
The steps to know if your online store is vulnerable to this Malware are not complicated but require some knowledge in the management of FTP (File Transfer Protocol) software or access to the file systems of the server through the web hosting panel , in addition to having time to check folder by folder.
Here’s how to perform the check:
First you have to find the vulnerability. This is inside the /vendor/phpunit/directories. It can be found in the store root directory or inside module folders.
Go to the root folder of the store and check if the “phpunit” folder exists inside the /vendor/phpunit/directory. If the “phpunit” folder exists, you should delete it along with all its contents.
Go to the“modules” folder of the store and check in each of the modules if the “vendor” folder exists and if inside this folder is the folder “phpunit”. If the “phpunit” folder exists, you’ll also need to delete it along with all its contents.
If the directory doesn’t exist /vendor/phpunit/ in the root directory or modules, then your Prestashop is not vulnerable to Malware XsamXadoo Bot. But if in the previous steps you have found “phpunit” folders it means that your store has been vulnerable to Malware attack, so it is possible that your store is already infected. In this case you would need to scan folder by folder throughout the store directory for the malicious code files mentioned above.
This is the most complicated task and requires an automated process only available in modules that are designed to solve this problem.
At Liewebs we have developed a very simple module to handle, PRESTASHOP STOP VULNERABILITY.
The module automatically analyzes, detects and corrects if there is this security gap with PHPUnit in your Prestashop store and in the modules you have installed. Furthermore if the store has been infected with the malicious code, the Prestashop Stop Vulnerability module is able to search and find the infected files to remove them automatically.