Prestashop: Problem with customer account creation

Created on 23 Apr 2019 · 12 Comments · Source: PrestaShop/PrestaShop

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Screenshots
If applicable, add screenshots or screenrecords to help explain your problem.

Additional information
PrestaShop version: N/A
PHP version: N/A

1.6.1.22 1.7.5.1 Bug Critical Customer FO Fixed

All 12 comments

Hi @arg73,

Could you please provide us with more info? We need more details to understand how we can reproduce your issue:

  • host
  • server setup and configuration
  • PrestaShop version (source)
  • debug mode report
  • PHP error logs
  • apache error log
  • javascript console log
  • screenshots

Don't you know how to get this information? Please read the following article:
http://build.prestashop.com/howtos/misc/how-to-create-bug-report/

Thanks!

Hello,
I have an e-boutique for engraving on glasses, ''www.gravure-sur-verres.fr'', with PrestaShop version 1.6.1.22.
For 1 month, each day in my back office I have had about 20 new creations of customer accounts
(see the attached picture) which come from spam, virus or other ...

argprobleme
argproblemebis

thanks a lot
thierry

@arg73, we need to retrieve the PHP error log and the debug mode report in order to find out what's wrong.
Thanks!

You can also add 1.7 label

The form allows URLs in firstname and lastname.

Thank you! Our understanding of the issue is that the goal of the spam attack is to make the shop send a registration email to a real user, and put links there using firstname or lastname URL. Then the user clicks on the link, be it a spam link or a phishing link.

Did you observe another behavior behind this spam attack?

An additional impact of this behavior: if injected mail addresses are bad and the shop sends registration mail to these addresses, this can damage the mailing reputation of the shop and make it look like a spammer.

This is probably a side-effect of this attack but still annoying
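A validation sketch for the behavior discussed above, as an added example that is not part of the original thread and not PrestaShop's own code. The function name `isLinkFreeName`, the 255-character cap and the sample inputs are assumptions; it rejects URL-like first and last names while still accepting ordinary ones.

```php
<?php
// Added example: hypothetical helper, not PrestaShop's Validate class.

/**
 * Returns true when $name is acceptable as a first or last name:
 * letters, combining marks, spaces, apostrophes and hyphens, plus dots
 * only as an abbreviation mark ("J. R."), never as a domain separator.
 */
function isLinkFreeName(string $name): bool
{
    $name = trim($name);
    // Allow-list of characters, so digits, '/', ':', '@', '<' and '>' fail.
    // The {1,255} length cap is an assumption. preg_match() returns false on
    // invalid UTF-8 under the /u flag, which is also treated as a rejection.
    if (preg_match('/^[\p{L}\p{M} .\'’-]{1,255}$/u', $name) !== 1) {
        return false;
    }
    // A dot followed directly by a letter looks like "spam.example";
    // a dot followed by a space or the end of the string stays valid.
    if (preg_match('/\.\p{L}/u', $name) === 1) {
        return false;
    }
    return true;
}

// Constructed sample inputs: legitimate names and link-bearing ones.
$samples = [
    'Thierry'                   => true,
    'Jean-Pierre'               => true,
    "O'Brien"                   => true,
    'J. R.'                     => true,
    'Zoë Müller'                => true,
    'http://spam.example/offer' => false,
    'www.spam.example'          => false,
    'Win a prize spam.example'  => false,
    '<a href=x>click</a>'       => false,
];

foreach ($samples as $input => $expected) {
    $got = isLinkFreeName($input);
    printf("%-28s %s%s\n", $input, $got ? 'accepted' : 'rejected',
        $got === $expected ? '' : '  <-- unexpected');
}
```

The check only keeps links out of the name fields that the registration email echoes; it does not stop the account-creation requests themselves.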

I don't observe another behaviour behind this spam attack.
I am going to install your solution.

Thanks for your advice
thierry

You can also add all versions, since 0.97 ;)

PrestaShop versions prior to 1.5 are not maintained anymore, so only 1.6 and 1.7 versions are needed

I have made the modification.
There is a problem now:
invalid name when I create an account.
Customer.txt
Validate.txt
See the 2 files.

Hi there, we are going to release a patch for 1.7.5.x and 1.6.1.x in order to mitigate the attack vector.
