Serious security issue
Versions up to 2.7.6 of the popular Webforms Pro 2 module by Vladimir Popov are unsafe. Hackers can use it to upload malicious code and essentially take control of the shop. We see active abuse in the wild. Hackers have already automated the attack.
Hypernode implemented an emergency fix on July 29th, but customers are still advised to upgrade to the latest version and to check for suspicious files, admin accounts, et cetera. Read how to recover a hacked Magento shop if you suspect you have been affected.
How to fix the vulnerability
Customers are advised to update the module to 2.7.7 as soon as possible. If you are unable to update, you should at least delete the “upload” folder to deflect current attacks.
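One way to carry out the check for suspicious files mentioned above, as an added example that is not part of the original advisory or of the module: a Python script that walks an upload directory and flags files with script extensions (including double extensions), extensions outside an allowlist, or a PHP open tag in their content. The allowlist, the script-extension list and the directory passed on the command line are assumptions; adjust them to your own forms.

```python
import os
import sys

# Assumed policy for illustration: extensions your forms are meant to accept.
ALLOWED_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}
# Extensions commonly executed as PHP, or that alter how Apache serves a folder.
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".pht",
               ".phar", ".htaccess"}


def classify(path, allowed=ALLOWED_EXTS):
    """Return the reasons a file looks suspicious (empty list if none)."""
    reasons = []
    name = os.path.basename(path).lower()
    # Look at every dot-separated part so "img.php.jpg" is caught too.
    parts = ["." + p for p in name.split(".")[1:]]
    if any(p in SCRIPT_EXTS for p in parts):
        reasons.append("script-extension")
    if not parts or parts[-1] not in allowed:
        reasons.append("extension-not-allowed")
    try:
        with open(path, "rb") as fh:
            head = fh.read(65536)  # first 64 KiB only
    except OSError:
        reasons.append("unreadable")
    else:
        if b"<?php" in head.lower():  # the PHP open tag is case-insensitive
            reasons.append("php-tag-in-content")
    return reasons


def scan(root, allowed=ALLOWED_EXTS):
    """Walk root and map each suspicious file (relative path) to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            reasons = classify(full, allowed)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


if __name__ == "__main__":
    # Usage: python scan_uploads.py <upload-directory>  (path is a placeholder)
    if len(sys.argv) != 2:
        sys.exit("usage: scan_uploads.py <upload-directory>")
    for rel, reasons in sorted(scan(sys.argv[1]).items()):
        print(f"{rel}\t{', '.join(reasons)}")
```

A flagged file is a lead for review, not proof of compromise; compare its timestamp with your access logs before deleting anything you may need as evidence.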
Statement from the author
The following was sent to all Webforms customers:
WebForms Pro Security Update
If you have a WebForms version older than 2.7.6 installed, please take action!
It has been recently discovered that the WebForms extension can cause a vulnerability on certain system configurations with the Magento 1 platform installed.
If your server is running Apache 2.4, Nginx or PHP 7, you are strongly advised to download the WebForms 2.7.7 update from your account area, My Downloadable Products section.
The update contains a new file upload scan to block possible script files from being uploaded to the server.
If you have a customized version of WebForms or performing the update is problematic, please remove the following directory:
It is a safe operation as it doesn’t affect any major functionality. This folder is present in the current version of WebForms but will be removed in future updates.
If you have forms with file upload fields, please limit the allowed file extensions.