Modules that include the vulnerable dependency are:

  • 1-Click Upgrade (autoupgrade) from 4.0.0 to 4.10.1
  • Cart Abandonment Pro (pscartabandonmentpro) from 2.0.1 to 2.0.10
  • Faceted Search (ps_facetedsearch) from 2.2.1 to 3.4.1
  • Merchant Expertise (gamification) from 2.1.0 to 2.3.2
  • PrestaShop Checkout (ps_checkout) from 1.0.8 to 1.2.9

In addition, a PrestaShop instance initially installed prior to ~1.7.6.0 with Composer in dev mode may contain this critical vulnerability if the .htaccess file in the vendor directory has not been set up to deny access.

Summary

  • CVE ID: CVE-2017-9841
  • Published at: 2020-01-20
  • Advisory source: PrestaShop
  • Platform: PrestaShop
  • Product: PrestaShop
  • Impacted release: ~< 1.7.6.0
  • Product author: PrestaShop
  • Weakness: CWE-94
  • Severity: critical (9.8)

Description

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a “<?php “ substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.

CVSS base metrics

  • Attack vector: network
  • Attack complexity: low
  • Privilege required: none
  • User interaction: none
  • Scope: unchanged
  • Confidentiality: high
  • Integrity: high
  • Availability: high

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Possible malicious usage

According to the PrestaShop team, this vulnerability has been exploited to add malicious code to affected shops.

“According to our analysis, most attackers either place new files in the filesystem or modify existing files, like AdminLoginController.php. Here’s a non-exhaustive list of known malicious files that may indicate a compromised shop: XsamXadoo_Bot.php, XsamXadoo_deface.php, 0x666.php, f.php, Xsam_Xadoo.html”

Patch

Delete the vulnerable files on your PrestaShop installation:

find . -type f -name "eval-stdin.php" -exec rm -rf {} \;
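Before running the delete command, a shop owner usually wants a read-only inventory of what the advisory points at. The following audit script is an added example, not part of the PrestaShop advisory or of PrestaShop itself: it lists copies of eval-stdin.php, vendor directories lacking a .htaccess (the pre-1.7.6.0 dev-mode install case above), and the file names the PrestaShop team quoted as compromise indicators, without deleting anything. The shop root path is assumed to be passed as the first argument.

```shell
#!/bin/sh
# Added audit helper, not part of the PrestaShop advisory. Takes a shop root
# as $1 and lists, without deleting anything, what the advisory points at:
# eval-stdin.php copies, vendor/ directories lacking a .htaccess, and the
# file names PrestaShop quoted as compromise indicators.
# Returns 0 when nothing was found, 1 otherwise.

# Print every find(1) match for the given predicates, tagged, and count it.
report() {
    tag="$1"; shift
    matches=$(find "$@" 2>/dev/null)
    [ -n "$matches" ] || return 0
    printf '%s\n' "$matches" | while read -r path; do
        printf '%s: %s\n' "$tag" "$path"
    done
    findings=$((findings + $(printf '%s\n' "$matches" | wc -l)))
}

audit_prestashop_root() {
    root="${1:-.}"
    findings=0

    # 1. PHPUnit's eval-stdin.php anywhere under the root (the file the patch removes).
    report "eval-stdin.php present" "$root" -type f -name "eval-stdin.php" -print

    # 2. vendor/ directories with no .htaccess (the advisory's dev-mode install case).
    report "vendor dir without .htaccess" "$root" -type d -name vendor \
        -exec sh -c 'test ! -f "$1/.htaccess"' _ '{}' \; -print

    # 3. Known malicious file names quoted by the PrestaShop team.
    for name in XsamXadoo_Bot.php XsamXadoo_deface.php 0x666.php f.php Xsam_Xadoo.html; do
        report "indicator file" "$root" -type f -name "$name" -print
    done

    echo "total findings: $findings"
    [ "$findings" -eq 0 ]
}

# Usage (hypothetical path): audit_prestashop_root /var/www/prestashop
```

A non-zero exit status means at least one item was listed and the shop needs the cleanup above, plus a review of the indicator files before anything is removed.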