IMPORTANT NOTICE: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.
We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers do not always recognize or acknowledge the vulnerabilities in their code, whether through lack of awareness, inability to properly evaluate the associated risk, or other reasons.
Given the rise of professional cybercrime networks actively seeking out these vulnerabilities, it is crucial that any potential threat is promptly addressed and the community informed. The most effective way to do this is to publish a CVE.
Should you discover any vulnerabilities, please report them to us at: report[@]security-presta.org or visit https://security-presta.org for more information.
Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.
Known compromised back-office links
A SQL injection (CWE-89) in any module of a PrestaShop site lets an attacker create a super admin employee without difficulty. If your shop's back-office link is known (see the list below), the attacker then uses the "Forgotten password" feature of that login page for the account created by SQL injection: the reset e-mail goes to whatever address they wrote into the employee table, and they can log into the shop's back office. The back-office URL is the last thing standing between them and the login form.
Be warned that a random table prefix is useless against a blackhat with solid DBA skills: every DBMS exposes its table names through its catalog (information_schema in MySQL/MariaDB), so the real prefix can be read through the same injection. That is by design, not a bug in the DBMS.
This logical weakness is shared by most popular CMSs, which favour accessibility to the detriment of security. No blame: it is an unresolvable tension built into what a CMS is for.
Security is constraint: the fewer the constraints, the more accessible the system and the less secure it is.
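As an added illustration that is not part of this advisory, the script below shows the two sides of the point above: why the randomised prefix does not hide the employee table from anyone who can run SQL, and the audit a shop owner can run afterwards to spot an employee row that was inserted behind their back. SQLite stands in for MySQL/MariaDB so it runs offline; its catalog is sqlite_master, and the MySQL equivalent of the discovery query is given in the docstring. Column names follow PrestaShop's employee table (id_profile, email, active, reset_password_token; profile 1 is SuperAdmin); every row and e-mail address is constructed for the demo.

```python
"""Added example, not the advisory's own code: shows why a randomised table
prefix does not hide the employee table from an attacker who can run SQL, and
the audit a shop owner can run afterwards to spot an employee row that was
inserted behind their back.

SQLite stands in for MySQL/MariaDB so that this runs offline; the catalog it
exposes is sqlite_master. On a real PrestaShop database the same discovery is
    SELECT table_name FROM information_schema.tables
    WHERE table_schema = DATABASE() AND table_name LIKE '%\\_employee';
Column names follow PrestaShop's employee table; every row below is constructed.
"""
import secrets
import sqlite3
import string

SUPERADMIN_PROFILE = 1  # PrestaShop's _PS_ADMIN_PROFILE_


def random_prefix() -> str:
    """Mimic a random prefix chosen at install time, e.g. 'kf3a9_' (letter first)."""
    return secrets.choice(string.ascii_lowercase) + secrets.token_hex(2) + "_"


def build_shop_db(prefix: str) -> sqlite3.Connection:
    """Minimal employee table under the given prefix, seeded with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        f"CREATE TABLE {prefix}employee ("
        "id_employee INTEGER PRIMARY KEY, id_profile INTEGER, email TEXT, "
        "active INTEGER, reset_password_token TEXT)"
    )
    con.executemany(
        f"INSERT INTO {prefix}employee VALUES (?, ?, ?, ?, ?)",
        [
            (1, SUPERADMIN_PROFILE, "owner@shop.example", 1, None),
            (2, 2, "logistics@shop.example", 1, None),
            # The kind of row the advisory describes being added through SQL
            # injection: super-admin profile and an address the attacker reads,
            # so the "forgotten password" e-mail lands in their mailbox.
            (3, SUPERADMIN_PROFILE, "ops@attacker.example", 1, "pending-token"),
        ],
    )
    con.commit()
    return con


def discover_employee_table(con: sqlite3.Connection) -> str:
    """Read the real table name from the DBMS catalog: the prefix is not a secret."""
    row = con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' "
        "AND name LIKE '%\\_employee' ESCAPE '\\'"
    ).fetchone()
    return row[0]


def audit_superadmins(con: sqlite3.Connection, table: str, known_emails) -> list:
    """Return super-admin rows whose e-mail the shop owner does not recognise."""
    rows = con.execute(
        f"SELECT id_employee, email, active, reset_password_token IS NOT NULL "
        f"FROM {table} WHERE id_profile = ? ORDER BY id_employee",
        (SUPERADMIN_PROFILE,),
    ).fetchall()
    return [
        {"id": r[0], "email": r[1], "active": bool(r[2]), "reset_pending": bool(r[3])}
        for r in rows
        if r[1] not in known_emails
    ]


def run_demo() -> dict:
    """Discover the table under a fresh random prefix, then audit it."""
    con = build_shop_db(random_prefix())
    table = discover_employee_table(con)
    rogue = audit_superadmins(con, table, {"owner@shop.example"})
    return {"table": table, "rogue": rogue}


if __name__ == "__main__":
    print(run_demo())
```

Run the audit query against the real database with the list of e-mails you actually gave a SuperAdmin profile to; any other row with id_profile = 1, and especially one with a reset token pending, is the account the attack path above leaves behind.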
Why is my back-office link known?
We strongly suspect that the H2 2022 (second half of 2022) attack campaign which exploited the appagebuilder and stripejs vulnerabilities is the source of this list.
What should I do if my back-office link is listed below?
Rename it without delay; otherwise, if you are not behind a WAF and one of your modules suffers from a CWE-89, you maximise your risk of being hacked.
You should also consider restricting access to your back office by IP address.
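The following is an added example, not the advisory's own tooling: it checks a shop's back-office directory name against the published list (KNOWN_LINKS is a short constructed excerpt of the list below; feed it the full list in practice) and against the admin[0-9]{1,4} pattern the advisory says is scanned as well, generates a replacement name, and writes the Apache 2.4 access rule that limits the directory to chosen source addresses. The addresses in the demo are documentation placeholders.

```python
"""Added example, not the advisory's own code: check a shop's back-office
directory name against the published list (KNOWN_LINKS is a short excerpt of
it, constructed here; feed the full list in practice) and the admin[0-9]{1,4}
pattern the advisory says is scanned as well, generate a replacement name, and
write the Apache 2.4 access rule that limits the directory to chosen source
addresses. The addresses used in the demo are documentation placeholders."""
import ipaddress
import re
import secrets
import string

# Excerpt of the advisory's list, lower-cased so the check is case-insensitive
# (the list contains /Backoffice/ and /backoffice/ as separate entries).
KNOWN_LINKS = {
    p.lower()
    for p in ("/admin123pl/", "/adminshop/", "/Backoffice/", "/panel/",
              "/04dkwm8civzi0z6z/", "/gestion/", "/1q2w3e/")
}
# Pattern the advisory removed from the list for readability but says is scanned.
SCANNED_PATTERN = re.compile(r"^/admin[0-9]{1,4}/$", re.IGNORECASE)


def normalise(path: str) -> str:
    """'Admin123pl' or '/admin123pl' -> '/admin123pl/' (lower case)."""
    return "/" + path.strip().strip("/").lower() + "/"


def is_known(path: str, known=KNOWN_LINKS) -> bool:
    """True when the name is in the list or matches the scanned admin[0-9]{1,4} form."""
    p = normalise(path)
    return p in known or SCANNED_PATTERN.match(p) is not None


def new_backoffice_name(length: int = 16) -> str:
    """Random lower-case alphanumeric name that is in neither the list nor the pattern."""
    alphabet = string.ascii_lowercase + string.digits
    while True:
        name = "".join(secrets.choice(alphabet) for _ in range(length))
        # Avoid anything starting with 'admin': scanners brute-force that family.
        if not name.startswith("admin") and not is_known(name):
            return name


def htaccess_ip_restriction(allowed: list) -> str:
    """Apache 2.4 (mod_authz_core) fragment for the back-office .htaccess."""
    nets = [str(ipaddress.ip_network(a, strict=False)) for a in allowed]
    if not nets:
        raise ValueError("at least one allowed address or network is required")
    return "\n".join([
        "# Only these source addresses may reach the PrestaShop back office",
        "Require ip " + " ".join(nets),
        "",
    ])


def check_shop(current_dir: str, allowed: list) -> dict:
    """Run the whole check for one shop and return what to change."""
    known = is_known(current_dir)
    return {
        "current": normalise(current_dir),
        "listed_or_scanned": known,
        "suggested_name": new_backoffice_name() if known else None,
        "htaccess": htaccess_ip_restriction(allowed),
    }


if __name__ == "__main__":
    print(check_shop("admin123pl", ["203.0.113.0/24", "198.51.100.7"]))
```

In PrestaShop the back-office URL is simply the name of the admin directory, so renaming that directory to the suggested name is the whole change. Put the generated fragment in that directory's .htaccess (merged with whatever is already there) on Apache 2.4; behind a reverse proxy or CDN, Require ip sees the proxy's address unless mod_remoteip is configured, so verify from a non-allowed address that you really get a 403.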
List of known back-office links
Last refresh date : 2023-03-02
For readability, we have removed the pattern admin[0-9]{1,4} from this list, but keep in mind that it is actively scanned too. Some common predictable patterns remain in the list below, but the majority are not predictable: if your back-office link is in it, consider it 95% certain that you have been hacked or will be in the near future.
/04dkwm8civzi0z6z/
/0az87bktydagoexf/
/0yvkfveen5kay8st/
/1Ad7eA22sB/
/1q2w3e/
/2691admin/
/26admin2045/
/2yinflvcpot4mopj/
/2zfvuvceq4qquflr/
/321admin/
/3hztlj2eybnwypjf/
/44626783/
/4admin/
/4dm1nP4r4gu4y/
/5kpvpn1v3pds5pck/
/5oydqwoorxkmdz8r/
/5svpuvhgsnqjgd98/
/6admin-R375/
/6btt7v0drycb9o9u/
/7a3vvlthi90s7vcc/
/7fhlvfztecutyxst/
/7kur1oqlgfzlhv8w/
/7u7qgep2k69uwvm9/
/8bjMmV4G9/
/8bthj2agfuookrdr/
/8dm1nTex/
/8mba8wfyzz4feuwr/
/8rum7vjsrqcfu9ye/
/8s5rip4gi94gsahl/
/8tpivnvag5gq4vdd/
/8xe2lkoee1idbj0q/
/9a9zm4gw3szlmx8u/
/9azcyxvuv0wlvpft/
/9iywdp8q3fwuzef7/
/9klesfetmk0dzovq/
/aagxgfebyc62fwm8/
/aaxD34Tamp/
/abrx9aovtduco9bt/
/accesadministration/
/acceso-gestion/
/acer342/
/acp32/
/ad123/
/add/
/adenrele/
/adhava35/
/adk3-91nvjkwp/
/adliterie99hoteliere/
/adm/
/adm06/
/adm1r3r/
/adm20/
/adm_23SAkv9/
/adm81/
/admicon/
/admimm/
/_admin/
/admin@@@/
/admin002/
/admin005hudmhi/
/admin007/
/admin007007/
/admin01/
/admin015/
/admin019/
/admin061211/
/admin062015/
/admin067/
/admin083/
/admin099/
/admin108iwxxmz/
/admin11071995/
/admin1120NK/
/admin1120WS/
/admin12@12/
/admin123pl/
/admin12kf6n9/
/admin17127217/
/admin1975am/
/admin202088/
/admin2020yupi/
/admin20211/
/admin20gkmdv5651v/
/admin22543_SPZRLX/
/admin241jfrwvv/
/admin280121/
/admin30!!/
/admin32470!/
/admin-32812/
/admin_33/
/admin353PV/
/admin3apadan64jsyksn/
/admin3oib/
/admin436ucosr8/
/admin4dg324s/
/admin551kzysns/
/admin646cemtr/
/admin6df5gh1d3f51hd35fh1/
/admin769b7/
/admin771jvfphi/
/admin7823sdrferk/
/admin-789h6vmpg/
/admin78amir/
/admin832vdx2k3/
/admin873pngy9/
/admin88nikand9spw19n/
/admin88sacaly/
/admin996Pel/
/admin_abn/
/admin_adrefzw/
/adminaeF3qu/
/adminagrifer/
/adminahlkjsdh6jhgdsa82987jhgsd863sdgk9872gd78iugaf27/
/adminaj/
/adminakshopgr/
/admin_alma/
/adminANALITICAMENTE/
/adminanmapet/
/adminanzalo/
/adminaqua/
/adminarion/
/adminarke/
/admin_arredamenti/
/admin_ars/
/admin_art4sense/
/adminas/
/adminasn123/
/adminavto7605/
/admin-aw/
/adminb4M7l7G963/
/adminbamb1n1/
/adminbeallure/
/adminben/
/adminbh/
/adminbiuromix/
/adminbls05/
/adminBMLb4M7l7G/
/admin-bnidark1168/
/adminbodinettezd/
/adminboessa/
/adminbooband/
/adminbp/
/adminbuv/
/admincagnazzo/
/admincarlton5984/
/admincasar/
/admincasual7605/
/admincbd/
/admincc/
/adminCDB/
/admincdm/
/adminCH/
/admin_charlette/
/admin-cityfashion/
/admincJHgjhlkjHldFGd78jhkg5463ghhghKfyitFJHfg/
/adminCliChef/
/adminclubaventura/
/admin_cmtshop/
/admincoco/
/admin_collect454545/
/adminconfort/
/AdminConPdeParty/
/admincontrol/
/admin_control2020/
/admincosme/
/admin_cosval/
/admin_cp/
/admincp/
/admincp-under/
/admindami/
/admindapro/
/admindavid/
/admindekor/
/admin-dev/
/admindev/
/adminDEV/
/adminDG0420/
/admin_diaxiristiko/
/admindiceglie/
/admindichio/
/admin-dm/
/admin-dps/
/adminds/
/admin-duduligzdas/
/admine/
/admin_ecigloo/
/adminelli/
/admin-eloaove/
/adminEM0220/
/adminEmo/
/adminEntona1982/
/adminEP1119/
/admin-eransa/
/admines123/
/adminevolve/
/adminf/
/adminFacilePrestaShop/
/adminfide/
/adminfinisterre/
/admin-fKSAbJFxYB/
/admin_flickerglass/
/adminflx/
/admin_foessel454545/
/admin_fwc/
/adming5/
/admingajda/
/admin_gas/
/adminGF/
/adminglob/
/admin-gold/
/admin_hair/
/admin-helga/
/admin_hermida/
/admin_hiperfiestas/
/adminhomy/
/adminhot/
/admin_ibrio/
/admin_ideapreziosa/
/admin_IM1020/
/admin-imix/
/admin_imprim454545/
/admin-ina-1/
/admining/
/adminintima/
/admin_intimouno/
/adminiris/
/adminISP/
/administrace/
/administracja/
/administrador/
/administrar/
/administrare/
/administratie/
/administration/
/administration_LBL_1.7.6.8/
/administrator/
/administravimas/
/admin-izi/
/adminJAL/
/adminjunior/
/adminka/
/admin-kambala/
/admin_kamome/
/adminkasia/
/adminkate/
/admin-keyza/
/AdminKonestilochic/
/adminkonik85/
/admin-kreling/
/adminktr/
/adminkurzachata/
/adminkvetiny/
/admin_LA0521/
/adminlab/
/adminLab/
/admin_lacomed/
/adminLav/
/adminleo/
/adminlk/
/admin_locherber/
/adminlogin/
/adminlogin123/
/adminloja/
/adminltk/
/adminluppolo/
/adminlws/
/adminmaisonbosc/
/admin_majida/
/adminmaqueta/
/adminmarkez/
/adminmb/
/adminmdg8792/
/admin-men/
/adminmocla/
/admin_montijo/
/adminmooon/
/admin_mop/
/adminmotha/
/adminMOVIL/
/admin_moyo/
/adminMP/
/adminMR0221/
/adminn/
/adminnalaim/
/admin_naturocare/
/adminnb/
/adminnbxasho/
/admin_new/
/adminnexmoto/
/adminNico/
/adminnj/
/adminNJ/
/adminnoluma/
/adminnumeroventidue/
/admin-official-ic/
/adminoleama/
/adminomar/
/admin_onefit/
/adminontime/
/adminooy5Ke/
/adminorgasmo/
/admin-ovh19/
/adminoyj/
/adminp/
/admin-pageart/
/adminpanel/
/adminpapieromat/
/adminparafar/
/adminparisac/
/adminpb/
/adminpdm/
/adminpensobio/
/adminpere/
/adminPerfumy/
/adminperlau/
/adminPFacial/
/admin_PI0321/
/admin_piccoleghiande/
/adminpippo/
/admin_pixla/
/adminpk/
/adminprensiti/
/admin-pro/
/admin-ps/
/admin_ps/
/adminps/
/adminpsl/
/admin_puntera/
/adminr/
/adminraphael/
/AdminRBL/
/adminrdx/
/admin_rebellerie/
/adminRedpipe/
/adminRep3ljuri2020/
/adminROANJA/
/admin_roma/
/adminRoot/
/adminrosa1974/
/adminrp/
/admin_rsalvador/
/adminrta472bm/
/adminSbike19/
/adminscc/
/adminsessi/
/adminsexami/
/adminShoes/
/admin-shop/
/admin_shop/
/adminshop/
/adminshoucangjie/
/admin-site/
/adminskjdhks9879sdyid876sdyf6sd65sftysdr564sdytsd6547/
/adminsklep/
/adminsmooke/
/admin_solotudonna/
/admin_special/
/adminstock/
/admin-store/
/adminstores/
/adminstyle/
/adminsupplex/
/admint1010/
/admintamas/
/admin_tangamania/
/admintcm/
/admintea/
/admin-ti/
/admin_tiendaonline/
/admin-tiffany-private-access/
/admin_time/
/admintm/
/admin_todoconfi/
/admin_trs/
/admintutu/
/admin_TuVampi/
/admintwenty/
/admin_unocasa/
/admin_urbe/
/adminus/
/adminvalugeecommerce/
/adminvdv/
/admin-viale/
/adminvieux/
/adminvino/
/adminviolfed/
/adminvova2019/
/adminvtvbv1/
/adminwe/
/adminweb/
/adminwgc/
/adminwh/
/adminxato/
/adminxeral/
/adminxl/
/adminy/
/adminyanxuanmall/
/adminyucca/
/adminyyy/
/adminzanimal/
/admin-zone/
/adminzora/
/admin_zsp/
/admn26/
/admorderca/
/Adoze35/
/Adpro35/
/adsibon/
/adumgpnegoyevlss/
/agatadmin/
/agvtejubiyuwkii2/
/aljfaocaad4yesov/
/amjzfccjfpcddy2q/
/amministrazione/
/annodd/
/areariservata/
/artimon/
/aruhaz/
/avataronadmin19/
/ax4gykjzrgo0otny/
/ayth0yifxuxtnwav/
/b2b/
/b4snjrqcfiov4gb6/
/back/
/backend/
/backjuliooo566_67576/
/backoffice/
/Backoffice/
/BackOffice/
/backofficeadmin321/
/backofficehenikma/
/baglokalet/
/baladmin/
/bebe17032021x/
/becad/
/belfabvrp9yqo859/
/bfbz1evs0xb0x8zl/
/bgt8a6c5suc1yhx8/
/bhmkoxx7jrcjlsou/
/bhtgrti33sqakxdn/
/bjnuefpw0wif7xci/
/BL_TNS_Administration/
/bms-admin/
/bo/
/bo_broom_81/
/bocadmin/
/boss/
/botiga/
/bo-val/
/BOzaplecze20/
/bs_admin/
/bsz0xhtttjrb3rzz/
/btctr9yemk7e27q6/
/caansoft.com.admin/
/cabiadmin/
/callishop/
/chezBogaToAdmin/
/citizenadmin/
/cktucecazceyp8gk/
/cmrpfecjv0wzuulp/
/cms/
/cnytadmin/
/connect/
/connexion/
/console-murpharm21/
/contmanager/
/control/
/control6745/
/control7490/
/control7546/
/control8495/
/control8563/
/control9108/
/control9375/
/control9390/
/control9395/
/control9597/
/controle/
/cowpvaojhcoudamq/
/cpanel/
/csiadmin/
/cslc5vkd3s6xoxhj/
/cubittadmin/
/cvmept9op6yljqsw/
/cz6j7gcnzwzjivth/
/d44ffdwz4mnanbks/
/d9u4evuoyuusdhiu/
/dartvader/
/dash/
/dashboard/
/dashboard7856Km_enteryes/
/dashbord/
/datos/
/dbm1k6uxjsb2snxv/
/DC_Store/
/dealadmin/
/dgg7qeq6fsfmuvvq/
/diacon/
/Dizeijhde5482/
/djw8le7lgr6wmeq3/
/@dmin/
/_dmin57/
/dmp8zs3/
/doadmin/
/DrgB14-tTr/
/ds0M1EM2/
/dw-backend/
/dyamond/
/e10xqe60pkw71h55/
/eclisseadmin/
/egv@k7P/
/elboad123/
/elegxos/
/emback19922020/
/emeritaf19922020/
/enei0lbcgeq3zzov/
/eoffice/
/eppsqg3uucw07dn6/
/eraseAdmin/
/eshoped/
/etf8mxz6e9qoxg29/
/eth3hzfacxibah0y/
/evte5baiutamzbm9/
/eye22cnp0rqjbcmp/
/f3rn4nd44r14s0nl1n3/
/f88ngmk7zeeydati/
/fam_admin/
/fanamac_admin/
/farmacialosaltoss21/
/fbkgldmdg29kswdd/
/fcijrtc9iog5zf26/
/ffwxqccdc69ebs9a/
/fhe3rvhrqwvdudod/
/fj3kj6i7jvai1uo5/
/flsltnh6ctxwwtib/
/fuaoaa9wg5dmebcy/
/fwnkhms/
/gerencia/
/gerenciar/
/gestadmin/
/gestao/
/gestaomoda/
/gestion/
/gestion97420/
/gestionclaus/
/gestione/
/gestione1212/
/gestione_giralamoda/
/gestion-horseshop/
/gestionLSAC/
/gestor/
/gesyfar/
/gjjkonp89brbjnla/
/GLOVAL/
/gmcth4we5uxpe33h/
/gohost4u/
/gourmetadminshelf2015/
/grxxq6ww27n1ysem/
/gst/
/gtpanel/
/gyphhw69kzy5qr7v/
/h4zwbbzuwygrf6on/
/haldus/
/hardadmin/
/hitechpoint/
/hkdou3in4cbvjmls/
/hpyadmin/
/Hrundel681/
/htaccessed/
/htko0d1panwxbnaa/
/iadmin/
/ibetjg4wuzsvzgpz/
/idbucdw1fqslmydf/
/iehj3xuelzuchhne/
/ih4sqfvk8gkmu0k2/
/intranet/
/ipuscfvde1hdzcgz/
/ivecftkzpomacowd/
/ivylql5u4cburxw4/
/j5gtolzf0sobgbfq/
/j91rw0lho2qh3ldy/
/jaimecanfa/
/japoadmin2015/
/JbC6jS6Bu3/
/jbkok0sogjlkxjqo/
/jc8j1koihebt892o/
/jesurfe/
/jh6xlfvpqtm7s1va/
/jlqn9sypxk7a0vtw/
/jvh/
/jy7qa3hfwxqowgyh/
/k2nulyrckq1gqaoo/
/k4ozho9eccucecl7/
/k6na7ncqkevp0cw3/
/kckuqa6uwtawfcli/
/kesh_co_883Xez/
/kishanhadmin@2020/
/knotadm/
/Kontrolmappa/
/krjWB2dS99rpFR2X/
/l1rnmzqjs8shy1bw/
/l94ffpzxvcfnskjl/
/lhxypugy4am6qkmn/
/lifinadmin20/
/lmi5d3sp0reewhl7/
/logme/
/logowanie-sklep-admin/
/lr5fwbinldnwbype/
/lsb0xgmue788b5fr/
/ltxuqsmarzelphec/
/lueli_admin_16/
/m8l5ote67keq3d6k/
/manage/
/manager/
/manager_swiss/
/Master/
/@mco_1/
/MDVadminMDV/
/miadmin/
/mitienda/
/mixeri2019/
/mkadmin/
/mksadmin/
/mkt/
/mngmt/
/montel2018/
/mshop/
/muk8dnnrgkjpcdgv/
/myadmin/
/myfs2019admin/
/n1glovesbg/
/n2n95dzmrrg7ngyr/
/nay_nay/
/negozio/
/new2020/
/nimda/
/noshi_boss/
/nwlogin/
/o5fdggcwu7bzhtlu/
/o7g8u2ev0zcc7w3q/
/o80aopsg1gnsflpc/
/office/
/office-101/
/ofmczdq07bwncxte/
/ofmxucfffckvemcj/
/ojp8dorpi742mvcl/
/onqj8bzv2snwqkdi/
/onyva29/
/operaadmin/
/ougycuktrlama9zs/
/oyg0s5xeqv1c0fwz/
/ozpvwgaleuhnighx/
/painel/
/painelqvml/
/paladmin/
/panel/
/panel0101/
/panel0605/
/panel-acceso/
/panelbce/
/paneldecontrol/
/panell/
/panelweb/
/perun/
/petalos/
/pg1pbtnydhmnushj/
/phenomenonadmin/
/picadmin/
/pn_admin/
/pnva1ay0kydbtwbz/
/ppqtfwekxu7zkdeq/
/private/
/ps-admin/
/ps_admin/
/psadmin/
/ps_captain/
/pshopadmin39/
/pv3vdczmd56gvjpx/
/pythgrl4strpuqdn/
/q6jnni3bnl06ypej/
/qaoih3ad4twh7fau/
/qictnomm7lmpbhyn/
/ql0deebgnkd5ibjp/
/qqntqdfhuodkht2x/
/qrfmudz5hd8kkodn/
/qva1gj48jaielici/
/qvwnv6ciachney5b/
/qwerty1/
/r0ey65lwtyntqmwp/
/r1bd2caltscnuxbu/
/rbo/
/rel20/
/rmihcita3frfrvig/
/rmprknism6ys1rik/
/rodgnkpoqo8dlzea/
/Rs52234Adm98PLLLiY/
/rxohn8gokzn9ebwo/
/rzoquqqdfocpowkm/
/sbwshopadmin/
/sdipanel/
/sevetsesomelj/
/sfbingolxrhcq6ih/
/sh0p4dmin/
/shop-admin/
/shoumanegueletpp/
/sitefactory/
/sjnpctwam8elgg9i/
/slvd/
/smak/
/smartadmin/
/sorloni/
/sorloni2050/
/souan-admin/
/speadmin/
/SPLXADMIN/
/staff/
/stats/
/SUDO-SU-/
/superadmin/
/SurAdm12/
/SVgshU8z48Nt/
/sw0fnvoim5ezcyy3/
/swadmin/
/sxmmujkudfcwuxuf/
/t2branndewzh0953/
/t5s25friwhpusb8e/
/t6oqdozfnjhwkc0i/
/tak-entrar/
/tatachu/
/tj7v24swywapu6kc/
/tlccejbpk8beoehy/
/tngrm7vyg7qpeowg/
/TopXXX/
/trastienda/
/tutrastienda/
/txrfeu1wv2bqeiyv/
/u3ty4ganlwicn8gs/
/u6op2oftqq0dmxfy/
/uc71yjdh5ebmoyo3/
/uct8jzppankhqutf/
/ujypgmq3evf82uid/
/upravnik/
/uugvtsphsttsskai/
/uxeradm/
/valdymas15/
/vbkkbjyth/
/vbxxutyoqs6noyxd/
/vdrkfynoqpdri8tp/
/vhfm7iqc5fknnkkd/
/villanueva_van123/
/vjyhrwnoo9gap5no/
/vsexvdechoz8jcal/
/vskgbnjq2aiw2p0d/
/wacms/
/warehouse/
/webgest/
/websystems/
/WellBO/
/wf0fch8oyzkswquj/
/wguliyq2uhe0d7oj/
/wnxeytg7i6tey1bb/
/wo5a19fe7lnsqmxw/
/wqggipdvfxwvqu43/
/wqsopu8swdby3j9a/
/wraj01izoeot9uf3/
/wv55fzaeawabyfoa/
/wwpsadmin/
/wxycvk4buyx9ntiv/
/wziso3n10vvx09w1/
/x3zxmnt2sqpnrgtk/
/xcu3nlgcbhvsa2lm/
/xd9czpcdl4junmpr/
/xdndjzl3c3egboii/
/xgi24yrrmx6hwfo1/
/xksl7kl07douzzqr/
/xlt0fk6itcts3ftj/
/xlxlen0anj1rjzwd/
/xpmf74ge96hacwe7/
/ybw48oi5897klxdj/
/yolatadmin/
/yonetici/
/yonetim/
/yonetimb/
/yqeylsj1muaktwwp/
/yrsbpskm2a1jgmnq/
/ytu8nrbykk0pfbyd/
/ywtiatw32rqjzo7c/
/yxamk9okcrxufhbu/
/yyadmin/
/yzvsrjcif3jihc6i/
/z27x9r8tdh86bgme/
/z3vvmdgzgsmf3gwb/
/Z4NqwpsW/
/zao8ovjegkweje6u/
/zaplecze/
/zarzadzajsklepem/
/zhk2ip36qotsowj4/
/zkeqlsbbejnr16hh/
/zknxpn0g6tw4aj5q/
DISCLAIMER: The French association Friends Of Presta (FOP) acts as an intermediary to help host this advisory. While we strive to ensure that the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken.
This advisory is licensed under CC BY-SA 4.0.