Lemonstand v1 Vulnerability

A few days ago we discovered a Lemonstand vulnerability that currently affects all Lemonstand v1 websites. If you are still using Lemonstand v1, you should look to implement the following fixes immediately. Lemonstand v1 is unsupported since Dec 31, 2014 so these fixes will need to be applied manually.

The vulnerability allows a malicious user to inject malware into your ecommerce website to steal credit card data. We have confirmed that the malware is currently installed on many websites.

How is Lemonstand v1 affected?

The exploit allows a malicious user to see the contents of your config.php and config.dat file. From this they can obtain your encryption keys to log directly into the backend without a user account. They proceed to download all of your orders and customer data and inject malware into the checkout process to steal credit cards and hide that data on your server for later retrieval.

What steps have been taken to mitigate this?

  • Reached out to Lemonstand to inform them of this exploit.
  • Reverse engineering the exploit to create a patch since Lemonstand v1 is no longer maintained.
  • Patched existing clients and contacted a dozen higher profile websites to alert them of this issue.
  • Created this blog post (and follow-up post) to offer insight into the vulnerability and distribute the patch.

How do I know if my site is hacked?

Note: All Lemonstand v1 sites are currently vulnerable and can be hacked at any time.

If any of the following questions are true, then your website is currently hacked:

  • Is the filesize of /modules/session/resources/images/lemonstand_header.png more than 18 KB?
  • Does /modules/shop/classes/shop_paymenttype.php have a reference to lemonstand_header.png?

How do I patch this vulnerability?

We recommend you mitigate the known vulnerabilities by doing all of these steps, in order, to patch your website:

  1. Take a backup of your database.
  2. Take a backup of the leaked data by downloading: /modules/session/resources/images/lemonstand_header.png.
  3. Change the Lemonstand config tool password.
  4. Change the mysql database password and update it in the Lemonstand config tool.
  5. Restore the original lemonstand_header.png to /modules/session/resources/images/lemonstand_header.png.
  6. Restore the original shop_paymenttype.php to /modules/shop/classes/shop_paymenttype.php.
  7. Make sure your Lemonstand website is up to date using the Modules & Updates tool in the backend.
  8. Apply the patch security-update.diff. If you don’t have GIT or have customized Lemonstand, follow the changes in security-update.diff and apply manually.
  9. Login to the Lemonstand backend to deploy the security update. You may receive a message that the COOKIE_SALT is not set. Login a second time to correct this.
  10. Verify the patch was applied by making sure config/keys.php exists and contains COOKIE_SALT with a long string of random characters.
  11. If you encounter any issues, check out the troubleshooting guide.

The credit card processors also suggested the following:

  1. Contact your credit card processor (acquirer) to notify them of your data breach. If you don’t know this information you can reach out to your payment network directly (Visa, Mastercard, Discover, American Express, etc).
  2. Conduct a full security evaluation of your system. As with any breach, the malicious user may have a foothold in other systems. Companies typically hire an incident response contractor to make sure your system is “clean”.

The link below contains all of the files necessary to patch your website.

Download Patch

Discuss on Github

What can I do to prevent this?

Since Lemonstand v1 is no longer maintained, we suggest migrating to a platform with regular security updates or hiring a contractor to provide regular security audits and maintenance to extend the support period. You might also consider our lemonstand security module that can detect common security exploits.

I need help!

I am a freelance software engineer and consultant that has been working with Lemonstand since the beta period. Feel free to contact me if you have any questions, need help patching your website, or wish to perform a security audit.

Further reading

In the coming weeks, I will be posting a follow-up on this vulnerability to discuss the technical details, timeline, extent of the breach, and the impact of the patch.

Stay tuned on medium and twitter.

Regards, Patrick Heeney

Page Updated: 2016-07-25 12:18