The ongoing work on security for PrestaShop software continues. We have identified and fixed new minor security issues and since we don’t expect PrestaShop 18.104.22.168 final to be released before a few weeks, it has been decided to deliver a new maintenance release for 1.7.6.X branch.
Similarly to 22.214.171.124, this maintenance release fixes not only regressions found on versions 126.96.36.199 to 188.8.131.52, but also a few security issues from 1.5, 1.6 and 1.7 versions. This is again a result of the huge work on security going on in 2020 to make PrestaShop software safer. PrestaShop will continue focusing more and more on security to ensure that no security breaches, even minor ones such as permission issues, are left out in the core.
As this patch fixes several security issues, we highly recommend to upgrade your shop as soon as possible. Of course, as always, don’t forget to backup before.
Reminder: the 1-Click Upgrade module’s latest version is v4.10.1, don’t forget to upgrade it.
Below are listed the 6 regressions that were found and fixed in this version:
- A BC break was mistakenly introduced in 184.108.40.206 on some selectors in the front-office #18509
- It was not possible to use Stocks page without the rights for Translation page #19713
- Bad button color in Modules pages modal window #9699
- No success message in Customer page after editing a voucher #18842
- It was not possible to update currencies using the Webservice #18865
- There was an error at the end of the upgrade if it was run manually #18723
7 security fixes have been included in this patch version:
- External control of configuration setting in the dashboard (security advisory)
- Improper access controls in Carrier page, Module Manager and Module Positions (security advisory)
- Improper authentication (security advisory)
- Reflected XSS in product page (security advisory)
- Stored XSS in AdminQuickAccesses (security advisory)
- Information disclosure in release archive (security advisory)
- Information exposure in upload directory (security advisory)
More information about why it is important to update:
- External Control of System or Configuration Setting
- Improper Access Control
- Improper Authentication - Generic (CWE-287)
- Cross-site Scripting (XSS)
- Open Redirect (CWE-601)
- Information Exposure Through Directory Listing (CWE-548)
- Information Disclosure (CWE-200)
Read the full changelog here.
In order to correctly handle user session expiration, two new SQL tables have been added to PrestaShop MySQL schema:
ps_employee_session. These SQL tables are used for security purposes.
Breaking or risky changes
Dashboard modules can no longer use
AdminDashboardController::ajaxProcessSaveDashConfig() to save values. This is not possible anymore in PrestaShop 220.127.116.11 in order to enforce the shop’s security.
A bug fix included in 18.104.22.168 required changing a CSS selector in the Front Office’s product page and rendering it more specific. However, this new selector did not work with some third party themes which were based on Classic.
In 22.214.171.124, a new generic selector has been added:
.product-container. If you are a theme developer, make sure to add this class to the appropriate container on your product page in order to allow your product page to be refreshed on changes.
Core Team contributors to this patch version: Franck Lefèvre, Jonathan Lelievre, Pierre Rambaud, Mathieu Ferment, Matthieu Rolland, Thomas Baccelli, Valentin Szczupak. Thank you!
Since version 126.96.36.199 is a “patch” update to version 188.8.131.52, upgrading from any 1.7.6 version will be easy: features will work better, and modules & themes which worked fine on 1.7.6.x will work just as well with 184.108.40.206. Upgrades from a standard 1.7.x version should work just as well.