PrestaShop Security Release Announcement
‘At the end of the day, the goals are simple: safety and security’ ~by Jodi Rell.
PrestaShop is aware of the security breach and has released a few options to secure your web store:
- The recent PrestaShop releases for 1.4.x and 1.5.x, and version 220.127.116.11, are safe bets.
- Patch files for the last version of each branch; those versions (18.104.22.168, 22.214.171.124 and 126.96.36.199) are not secured.
- Security patch modules that apply the above patch files, in an easier format.
- Zip files of the modified files for the 1.4, 1.5 and 1.6 branches.
It is highly advisable to upgrade your web store to the latest version of its branch, especially the latest releases 188.8.131.52 and 184.108.40.206.
The rest of this post describes the affected versions and their solutions.
Affected versions:
Except for version 220.127.116.11 and PrestaShop Cloud, all versions are affected. In short, the affected versions are 1.4.x, 1.5.x and 1.6.x up to 18.104.22.168. If you are using any of these versions, you are in trouble and need to upgrade your store to PrestaShop 22.214.171.124.
The modules and themes are unaffected. They are expected to work properly unless you have installed the new version.
How to fix your store?
There are a number of solutions to secure your store:
- The security patch module is intended for non-technical users. It fixes the latest version of the 1.4, 1.5 and 1.6 branches. The module works for all three branches: just install and activate it, and it will apply the patch.
- Tech-savvy users who are not able to apply the patch can get the latest version applicable to their branch. The patch works the same way as the module, on the latest version of each branch (126.96.36.199, 188.8.131.52, and 184.108.40.206). You are advised to update your store before applying the patch.
- You can download the updated file archive for your branch (1.4, 1.5 or 1.6), which contains the modified files.
If you have not modified these files, you can replace the old files with the new ones.
The 1.5.x and 1.4.x branches have now been updated as well. For the time being, you can still get PrestaShop 220.127.116.11 and 18.104.22.168 from the download page for previous versions.
Because version 22.214.171.124 contains the solution for the 1.6 branch, version 126.96.36.199 has not been released.
In effect, the modules apply the patch for each branch, and the patches were designed to work with the latest versions 188.8.131.52, 184.108.40.206 and 220.127.116.11. If you have an older version, the module might not work, and you may have to try to apply the patch manually.
If you have heavily customized core files, remember to take precautions before installing the module, merging the patch or uploading the modified files. You might have to adapt the patch to your specific installation.
P.S. A few modules might not work in a Windows server configuration or in a limited number of Linux configurations. In such cases, it is up to you to adapt the patch to your specific configuration.
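Before replacing files from the modified-files archive, it helps to know which of the live files you have customized. The script below is an added example, not PrestaShop's own tooling and not part of the original announcement: it compares hashes across the live store, an untouched copy of the release the store runs, and the unpacked archive of modified files. The directory layout, the function names and the assumption that the archives call the back office folder `admin` are illustrative, and the demo tree is constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def digest(path):
    """SHA-256 of a file's contents."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def classify(store, pristine, patched, admin_name="admin"):
    """Decide, per file in the patched archive, what to do with the live copy.
    pristine is an untouched copy of the release the store runs. admin_name is
    the store's renamed back office folder (assumption: archives use "admin").
    """
    store, pristine, patched = Path(store), Path(pristine), Path(patched)
    report = {}
    for new in sorted(p for p in patched.rglob("*") if p.is_file()):
        rel = new.relative_to(patched)
        # Map the archive's "admin" folder onto the renamed back office folder.
        live_rel = Path(admin_name, *rel.parts[1:]) if rel.parts[0] == "admin" else rel
        live, orig = store / live_rel, pristine / rel
        if not live.is_file():
            status = "missing in store"
        elif digest(live) == digest(new):
            status = "already patched"
        elif orig.is_file() and digest(live) == digest(orig):
            status = "unmodified: safe to replace"
        else:
            status = "customized: merge by hand"
        report[live_rel.as_posix()] = status
    return report

def demo():
    """Classify a small constructed tree (not real PrestaShop files)."""
    files = {  # archive path -> (pristine, live, patched) contents
        "classes/A.php": ("old", "old", "fixed"),
        "classes/B.php": ("old", "old + local change", "fixed"),
        "admin/C.php": ("old", "fixed", "fixed"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, texts in files.items():
            for root, text in zip(("pristine", "store", "patched"), texts):
                out = rel.replace("admin/", "admin-x7/") if root == "store" else rel
                path = Path(tmp, root, out)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(text)
        return classify(f"{tmp}/store", f"{tmp}/pristine", f"{tmp}/patched", "admin-x7")

if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:28} {path}")
```

Files reported as customized are the ones where the patch has to be merged by hand rather than overwritten.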
If you are still using an old version of PrestaShop:
The module works with the current versions of the 1.4, 1.5 and 1.6 branches. Previous versions of these branches are supposed to work too, though you might face problems with the oldest ones.
P.S. The module does not work with PrestaShop 1.0, 1.1, 1.2 or 1.3.
Make a habit of upgrading, as this will make your store more efficient. Make sure you are using at least version 1.4 of PrestaShop, because updates for older versions are no longer available. The 1.3 branch was last updated in 2011 and has remained untouched since.
It is understandable that once you start working on a platform you get used to it, but now that you are stuck you need to get yourself out of this.
To summarize, these are the steps you need to take to secure your store:
- Keep your store updated (latest version and modules).
- Use a complex password or a passphrase that is unique to your store.
- Use a unique name for your back office folder.
- Always protect your back office folder with an .htaccess password.
Hope you were able to secure your store. If not, do let me know!