A few days ago we discovered a Lemonstand vulnerability that currently affects all Lemonstand v1 websites. If you are still using Lemonstand v1, you should apply the following fixes immediately. Lemonstand v1 has been unsupported since Dec 31, 2014, so these fixes need to be applied manually.
The vulnerability allows a malicious user to inject malware into your ecommerce website to steal credit card data. We have confirmed that the malware is currently installed on many websites.
The exploit allows a malicious user to see the contents of your config.dat file. From this they can obtain your encryption keys and log directly into the backend without a user account. They then download all of your orders and customer data, inject malware into the checkout process to steal credit card numbers, and hide that data on your server for later retrieval.
Note: All Lemonstand v1 sites are currently vulnerable and can be hacked at any time.
If the answer to any of the following questions is yes, then your website has already been hacked:
/modules/shop/classes/shop_paymenttype.php have a reference to
We recommend you mitigate the known vulnerabilities by doing all of these steps, in order, to patch your website:
Modules & Updates tool in the backend.
security-update.diff. If you don't have GIT or have customized Lemonstand, follow the changes in security-update.diff and apply them manually.
COOKIE_SALT is not set. Log in a second time to correct this.
config/keys.php exists and contains COOKIE_SALT with a long string of random characters.
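As an added check for the COOKIE_SALT condition above (example code written for this post, not part of Lemonstand or the original patch files), the POSIX shell function below inspects a site root and reports whether config/keys.php exists and holds a long, random-looking salt. It assumes keys.php sets the salt with a line of the form `define('COOKIE_SALT', '...')`, and it treats 32 characters as the minimum since the post only says "long"; both are assumptions, not Lemonstand's documented format.

```shell
#!/bin/sh
# Added example: verify COOKIE_SALT in a Lemonstand v1 site's config/keys.php.
# Usage: check_cookie_salt /path/to/site_root   (exit 0 = OK, 1 = problem)

MIN_SALT_LEN=32   # assumption: the post only says "long"

extract_cookie_salt() {
  # Print the first COOKIE_SALT value found in the given keys.php, or nothing.
  # Assumes the define('COOKIE_SALT', '...') form.
  sed -n "s/.*COOKIE_SALT['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

check_cookie_salt() {
  site_root=$1
  keys_file="$site_root/config/keys.php"

  if [ ! -f "$keys_file" ]; then
    echo "FAIL: $keys_file does not exist" >&2
    return 1
  fi

  salt=$(extract_cookie_salt "$keys_file")
  if [ -z "$salt" ]; then
    echo "FAIL: COOKIE_SALT is not set in $keys_file (log in to the backend again)" >&2
    return 1
  fi

  len=${#salt}
  if [ "$len" -lt "$MIN_SALT_LEN" ]; then
    echo "FAIL: COOKIE_SALT is only $len characters long" >&2
    return 1
  fi

  # Crude randomness check: require letters and digits, and at least 8
  # distinct characters, so a single repeated character is rejected.
  distinct=$(printf '%s' "$salt" | fold -w1 | sort -u | wc -l | tr -d ' ')
  case "$salt" in *[0-9]*) has_digit=1 ;; *) has_digit=0 ;; esac
  case "$salt" in *[A-Za-z]*) has_alpha=1 ;; *) has_alpha=0 ;; esac
  if [ "$distinct" -lt 8 ] || [ "$has_digit" -eq 0 ] || [ "$has_alpha" -eq 0 ]; then
    echo "FAIL: COOKIE_SALT does not look random" >&2
    return 1
  fi

  echo "OK: COOKIE_SALT is set ($len characters)"
  return 0
}
```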
The credit card processors also suggested the following:
The link below contains all of the files necessary to patch your website.
Since Lemonstand v1 is no longer maintained, we suggest migrating to a platform with regular security updates, or hiring a contractor to provide regular security audits and maintenance to extend the support period. You might also consider our Lemonstand security module, which can detect common security exploits.
I am a freelance software engineer and consultant who has been working with Lemonstand since the beta period. Feel free to contact me if you have any questions, need help patching your website, or wish to have a security audit performed.
In the coming weeks, I will be posting a follow-up on this vulnerability to discuss the technical details, timeline, extent of the breach, and the impact of the patch.
Regards, Patrick Heeney
Page Updated: 2016-07-25 12:18