Security breach in Visual Composer module + SOLUTION

Visual Composer: Page Builder for Prestashop is one of the most widely used modules for creating dynamic content in Prestashop stores. Besides being sold individually, it is also bundled with countless themes for the platform. Despite its proven usefulness and the good opinions it receives, it is not sold directly on Prestashop Addons. Why is such a famous module not on the official module platform for Prestashop? Well, we have found an important SECURITY BUG, and perhaps issues like this could be one of the causes.

First, to avoid any confusion over the name, let's clarify that this is the module whose folder is called "jscomposer". This module has its own library for managing images (uploading, renaming, deleting, creating folders, etc.). This library is similar to the one used by Prestashop to perform the same function, with one fundamental difference: the jscomposer library DOES NOT HAVE ANY SECURITY VALIDATION. In other words, anyone from anywhere on the internet, without even being authenticated in the front or back office of the store, can access the images and manipulate them.

Still don't believe it? How can you know if this security hole is affecting your store? It is easy to check. If you can see the image manager when you open this path on your store, then your store may be in trouble:

https://myshopurl.com/modules/jscomposer/views/dialog.php

And worst of all, the module doesn't even have to be active in the store. The fact that the file exists is enough.

Why all the fuss over a few image files? Well, beyond the fact that any hacker can delete the images you uploaded to the module, there is a much worse problem. There are bots that scan the web for known vulnerabilities in websites. In the case of Prestashop, we already know of cases where some "intelligent" hacker has a bot that uploads a PHP script to the store after first removing the .php extension. To the image manager this looks like uploading a new folder; the bot then renames the file and gives it back the .php extension. And basically, if someone manages to upload an external PHP file to a store, they can do whatever they want with it, from deleting all the files and databases to hijacking them by encrypting them and then asking for a ransom to restore them.

But beyond the scare ... How do I solve this big problem?

As we mentioned before, Prestashop uses similar libraries for managing and uploading images in its backoffice, with a fundamental difference: Prestashop performs the corresponding security validations before displaying the content of the image manager. The solution is to add those same validations to the jscomposer image manager.

How do I do it?

  1. Find the file /modules/jscomposer/views/config/config.php and edit it.

  2. At the beginning of the file you should find source code similar to this:

  3. Insert the following code between lines 6 and 7:
    if (!isset(Context::getContext()->employee) || !Context::getContext()->employee->isLoggedBack()) {
        die('forbiden');
    }
  4. The source code should finally look like this:

And that would be all. End of my worries.

What does the code we have added basically do? It verifies that there is an authenticated employee before displaying the image manager. An employee is only authenticated in the backoffice; therefore, we are forcing the image manager to load only from the backoffice and only if there is an authenticated employee at that time. Any intruders and hackers who try to enter our store this way will only find a "forbiden" message.
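To confirm on the server that the check is in place, here is an added example (not part of the original post or of the module): a shell audit that looks for the jscomposer file manager under one or more store roots and reports whether config.php contains the employee check. The function names, the status words and the grep heuristic (an uncommented call to `isLoggedBack()`) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit PrestaShop roots for the jscomposer file manager.
# Heuristic (assumption): the guard counts as present when config.php has
# an isLoggedBack() call on a line not commented out with // or #.
# Block comments (/* ... */) are not detected; review those files by hand.

# Prints one of: absent | guarded | unguarded
jscomposer_status() {
    root=$1
    dialog="$root/modules/jscomposer/views/dialog.php"
    config="$root/modules/jscomposer/views/config/config.php"

    # The module does not need to be enabled: the file existing is enough.
    if [ ! -f "$dialog" ]; then
        echo absent
        return 0
    fi
    # dialog.php is there but the file that should carry the check is not.
    if [ ! -f "$config" ]; then
        echo unguarded
        return 0
    fi
    if grep -Ev '^[[:space:]]*(//|#)' "$config" \
        | grep -Eq 'isLoggedBack[[:space:]]*\('; then
        echo guarded
    else
        echo unguarded
    fi
}

# Audit several store roots; returns 1 if any of them is unguarded.
# Usage (placeholder paths): audit_stores /path/to/shop1 /path/to/shop2
audit_stores() {
    rc=0
    for root in "$@"; do
        st=$(jscomposer_status "$root")
        printf '%s: %s\n' "$root" "$st"
        if [ "$st" = unguarded ]; then
            rc=1
        fi
    done
    return $rc
}
```

Because themes can bundle the module, run the audit against every store root on the host, including stores where the module is disabled.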

Hopefully your store does not have this problem, but if it does, the fastest solution is already in your hands. All that remains is to apply it and continue to sell safely ;)
