SEE IN THIS LINK !!!
https://docs.google.com/document/d/...LDEsC2298Go-as/preview#heading=h.gf3dlvo92l81
Background
On Thursday 2nd of January 2020, a customer reported that its shop had been compromised by malware named XsamXadoo Bot. The bot was able to upload some malware files into the shop, which allowed it to access and control several shop settings.
After some research, we believe that the bot was able to upload that malware using a known vulnerability of the PHP tool PHPUnit that has been reported as CVE-2017-9841.
See https://nvd.nist.gov/vuln/detail/CVE-2017-9841
PHPUnit is a tool we use to build PrestaShop modules, but it should only be used on a developer computer. So it is very unlikely the vulnerable files will be found on a server and make the server vulnerable.
Unlikely but not impossible. These files have wrongly been added into some PrestaShop module ZIP archives. If a shop has downloaded one of these compromised archives, and has not deleted it since, then the shop is now vulnerable.
We can confirm that there are multiple shops running that are vulnerable right now (= can be attacked at any time) and multiple shops running that are already compromised.
Greetings.
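
A defender's check for the condition described above, added here as an example (it is not part of the original post or of PrestaShop's own tooling): it walks a shop directory and reports both extracted PHPUnit directories and module ZIP archives that still contain PHPUnit files. It assumes PHPUnit sits in a directory named `phpunit`; the function names, module names and sample tree are constructed for illustration.

```python
import os
import tempfile
import zipfile

MARKER = "phpunit"  # assumption: PHPUnit files live in a directory with this name


def scan_shop(root):
    """Return (extracted_dirs, archives) under root that carry PHPUnit files."""
    extracted, archives = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d.lower() == MARKER:
                extracted.append(os.path.join(dirpath, d))
                dirnames.remove(d)  # already flagged, no need to descend
        for f in filenames:
            if not f.lower().endswith(".zip"):
                continue
            path = os.path.join(dirpath, f)
            try:
                with zipfile.ZipFile(path) as zf:
                    names = zf.namelist()
            except (zipfile.BadZipFile, OSError):
                continue  # unreadable or not a real ZIP: skip instead of crashing
            if any(MARKER in n.lower().split("/") for n in names):
                archives.append(path)
    return sorted(extracted), sorted(archives)


def build_sample_shop(root):
    """Constructed sample: one affected module, one clean module, two ZIPs."""
    bad = os.path.join(root, "modules", "examplemodule", "vendor", "phpunit", "phpunit")
    os.makedirs(bad)
    open(os.path.join(bad, "placeholder.php"), "w").close()
    os.makedirs(os.path.join(root, "modules", "cleanmodule", "vendor", "psr"))
    os.makedirs(os.path.join(root, "download"))
    with zipfile.ZipFile(os.path.join(root, "download", "examplemodule.zip"), "w") as zf:
        zf.writestr("examplemodule/vendor/phpunit/phpunit/placeholder.php", "")
    with zipfile.ZipFile(os.path.join(root, "download", "cleanmodule.zip"), "w") as zf:
        zf.writestr("cleanmodule/cleanmodule.php", "")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as shop:
        build_sample_shop(shop)
        dirs, zips = scan_shop(shop)
        for p in dirs:
            print("extracted PHPUnit directory:", p)
        for p in zips:
            print("archive containing PHPUnit:", p)
```

On a real server, call `scan_shop()` with the shop's root directory; any path it returns is a leftover development dependency that should not be on a production host.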