General account creation attack in progress
If you haven't experienced it yet, you should know that since the end of last week, an "attack" has been carried out on PrestaShop installations in the form of creating fictitious and therefore polluting accounts.
Don't ask me why some people have fun creating this kind of useless attack, but apart from annoying you it doesn't carry much risk. It seems to be a script that searches for PrestaShop installations around the world and creates customer accounts on them.
The Solution
As is often the case when PrestaShop runs into a problem that calls for urgent action, the community has responded, Eolia and Doekia in particular.
Implementation
Two techniques are available to you to implement this correction if your store is affected by this attack.
In the code
Modify the /classes/Validate.php file by adding this code:

    public static function isCustomerName($name)
    {
        // Reject names that contain "www" or "http" (case-insensitive)
        if (preg_match(Tools::cleanNonUnicodeSupport('/www|http/ui'), $name)) {
            return false;
        }

        // Accept only names free of digits and the listed special characters
        return preg_match(Tools::cleanNonUnicodeSupport('/^[^0-9!\[\]<>,;?=+()@#"°{}_$%:\/\\\*\^]*$/u'), $name);
    }
Then, in the file /classes/Customer.php, replace

    'lastname' => array('type' => self::TYPE_STRING, 'validate' => 'isName', 'required' => true, 'size' => 32),
    'firstname' => array('type' => self::TYPE_STRING, 'validate' => 'isName', 'required' => true, 'size' => 32),

with

    'lastname' => array('type' => self::TYPE_STRING, 'validate' => 'isCustomerName', 'required' => true, 'size' => 32),
    'firstname' => array('type' => self::TYPE_STRING, 'validate' => 'isCustomerName', 'required' => true, 'size' => 32),
By Override
An override is an overload of the original class: a piece of code that modifies the behavior of the base class. It saves you from having to reapply the corrections to your version of PrestaShop when you update it and, above all, it lets someone from outside see these modifications very quickly.
Eolia provides two files, Validate.php and Customer.php, to save in the override directory of your PrestaShop installation.
Conclusion
Whichever solution you choose, you may not notice any improvement in the behavior of your store at first. In that case, you just have to delete the file /cache/class_index.php so that PrestaShop rebuilds its class index and picks up the change.
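The validation rule only applies to names submitted after the fix is in place, so accounts created earlier have to be found separately. The script below is an added example, not code from this post, from Eolia or from PrestaShop: it applies the same two patterns to a constructed list of customer rows and reports which ones fail. The function names `isCustomerNameStandalone` and `findSuspectCustomers` and the sample rows are assumptions made for the illustration.

```php
<?php
// Added example: stand-alone copy of the isCustomerName() rule, used to audit
// names registered before the fix. Assumes PCRE has Unicode support, so the
// PrestaShop helper Tools::cleanNonUnicodeSupport() is left out.

function isCustomerNameStandalone(string $name): bool
{
    // First pattern of the patch: anything containing "www" or "http".
    if (preg_match('/www|http/ui', $name)) {
        return false;
    }
    // Second pattern of the patch: digits and special characters.
    // preg_match() returns false on invalid UTF-8, which also counts as a failure.
    return preg_match('/^[^0-9!\[\]<>,;?=+()@#"°{}_$%:\/\\\*\^]*$/u', $name) === 1;
}

/**
 * Return [customer id => list of failing fields] for rows that break the rule.
 * Each row is ['id' => int, 'firstname' => string, 'lastname' => string].
 */
function findSuspectCustomers(array $rows): array
{
    $suspects = [];
    foreach ($rows as $row) {
        foreach (['firstname', 'lastname'] as $field) {
            if (!isCustomerNameStandalone($row[$field])) {
                $suspects[$row['id']][] = $field;
            }
        }
    }
    return $suspects;
}

// Constructed sample rows (not real data), shaped like an export of the
// firstname and lastname columns of the customer table.
$rows = [
    ['id' => 1, 'firstname' => 'Émilie', 'lastname' => "O'Brien-Dupont"],
    ['id' => 2, 'firstname' => 'WWW.example.test', 'lastname' => 'Promo'],
    ['id' => 3, 'firstname' => 'Jean', 'lastname' => 'see http example'],
    ['id' => 4, 'firstname' => 'Agent 007', 'lastname' => 'Martin'],
];

foreach (findSuspectCustomers($rows) as $id => $fields) {
    printf("customer %d fails on: %s\n", $id, implode(', ', $fields));
}
```

Review the reported accounts before deleting anything, since a name entered by a real customer before the fix can also fail the stricter rule.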
If you can't implement this solution, or if you are afraid to implement it on your PrestaShop store, I can take care of it: you just have to order 1 ticket and prepare FTP access to your site, which I will ask you for after the order.
Update 05/03/2019:
PrestaShop has integrated this patch into the new version 1.6.1.24, available for download today, as well as into version 1.7.5.2, which is also available.