PrestaShop PHPUnit vulnerability on modules

Situation

Since the beginning of 2020, following feedback from a PrestaShop user, it seems that a vulnerability may exist in some PrestaShop modules, mainly on version 1.7 of PrestaShop.

The flaw being used appears to be related to PHPUnit, the unit-testing tool, and is referenced as CVE-2017-9841.

This tool is present during the development of PrestaShop modules and is normally removed from the module archive when the module is released, but it seems that PrestaShop does not do this every time.

PrestaShop addresses the subject in this document.

Solution

To prevent this, you need to clean all the modules that may have these files in their code. To do this, simply delete them by running this command in a terminal over your hosting's SSH access:

find . -type d -name "phpunit" -exec rm -rf {} \;

Before launching this delete action, I like to know what is going to be deleted to avoid mistakes, so you can run this first:

find . -type d -name "phpunit"
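The preview-then-delete sequence above as one function with a dry run by default, as an added example that is not part of the original post. The function names are hypothetical, the sample tree is constructed, and eval-stdin.php is the PHPUnit script that CVE-2017-9841 concerns (a file name not given on this page).

```shell
#!/bin/sh
# Added example: audit, then optionally remove, "phpunit" directories.
# Usage: clean_phpunit ROOT [--delete]   (without --delete nothing is removed)
# Assumption: no path under ROOT contains a newline.

# List every directory named "phpunit" under ROOT, one per line.
# -prune stops find from descending into a match, so a nested
# phpunit/phpunit is reported once and deletion cannot race traversal.
list_phpunit_dirs() {
    find "$1" -type d -name phpunit -prune -print
}

# Count copies of eval-stdin.php inside any phpunit directory.
count_eval_stdin() {
    find "$1" -type f -path '*/phpunit/*' -name 'eval-stdin.php' | wc -l | tr -d ' '
}

clean_phpunit() {
    root=$1
    mode=${2:-}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    echo "eval-stdin.php copies found: $(count_eval_stdin "$root")"
    list_phpunit_dirs "$root" | while IFS= read -r dir; do
        if [ "$mode" = "--delete" ]; then
            rm -rf -- "$dir" && echo "removed       $dir"
        else
            echo "would remove  $dir"
        fi
    done
}

# Constructed sample tree for trying the functions away from a live shop.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/modules/modA/vendor/phpunit/phpunit/src/Util/PHP" "$d/modules/modB/src"
    echo '<?php' > "$d/modules/modA/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"
    echo '<?php' > "$d/modules/modB/src/index.php"
    echo "$d"
}
```

A non-zero count of eval-stdin.php copies means the store was exposed before cleanup, which makes the file check described in the next paragraph more urgent.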

Of course, in addition to deleting the PHPUnit files, you need to check all the files present in your PrestaShop installation to identify malicious files that may interfere with the normal operation of your store.

If you don't know how to do it, you can order an intervention ticket on my website so that I can intervene quickly for you.