Viking Production Releases Free PrestaShop Security Audit Tool: A Double-Edged Sword?
Free PrestaShop Security Audit Tool Released
Viking Production has released a free penetration testing tool for PrestaShop 1.7.x and 8.x, designed to help integrators, freelancers, hosting providers, and security teams identify vulnerabilities in their PrestaShop installations. The tool, dubbed "Viking Production CVE Pentester," aims to simulate real-world attacks and generate professional PDF reports detailing identified issues, CVSS scores, and remediation steps.
Key Features
- Identifies critical vulnerabilities like SQL Injection, RCE, and XXE.
- Audits system configuration, including file permissions and backdoors.
- Maps known CVEs using a customizable JSON database.
- Generates detailed PDF reports with prioritized remediation plans.
- Integrates Lynis for a full Linux hardening audit.
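As an added illustration of the "maps known CVEs using a customizable JSON database" feature (example code written for this page, not Viking Production's own), the snippet below matches an installed PrestaShop version against version ranges in a constructed JSON database and ranks hits by CVSS so a defender can patch the worst first. The JSON layout, the CVE identifiers and the version ranges are all assumed placeholders.

```python
import json

# Constructed sample database: placeholder CVE ids, titles and ranges,
# in an assumed layout (the real tool's JSON format is not documented here).
SAMPLE_DB = json.loads("""
[
  {"id": "CVE-EXAMPLE-0001", "title": "SQL injection in example module",
   "affected": [{"min": "1.7.0.0", "max": "1.7.8.9"}], "cvss": 9.8,
   "fix": "Upgrade to 1.7.8.10 or later"},
  {"id": "CVE-EXAMPLE-0002", "title": "XXE in example import",
   "affected": [{"min": "8.0.0", "max": "8.1.2"}], "cvss": 7.5,
   "fix": "Upgrade to 8.1.3 or later"},
  {"id": "CVE-EXAMPLE-0003", "title": "Stored XSS in example back office",
   "affected": [{"min": "1.7.0.0", "max": "8.1.5"}], "cvss": 5.4,
   "fix": "Upgrade to 8.1.6 or later"}
]
""")

def parse_version(v: str) -> tuple:
    """'1.7.8.10' -> (1, 7, 8, 10); pad to four parts so '8.1.2' == '8.1.2.0'.
    Numeric tuples avoid the string-comparison trap where '1.7.10' < '1.7.9'."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def is_affected(version: str, ranges: list) -> bool:
    """True if `version` falls inside any inclusive [min, max] range."""
    pv = parse_version(version)
    return any(parse_version(r["min"]) <= pv <= parse_version(r["max"]) for r in ranges)

def match_cves(version: str, db: list) -> list:
    """Return database entries applicable to `version`, highest CVSS first."""
    hits = [e for e in db if is_affected(version, e["affected"])]
    return sorted(hits, key=lambda e: e["cvss"], reverse=True)

def severity(score: float) -> str:
    """CVSS v3.x qualitative rating bands."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0.0 else "None"

if __name__ == "__main__":
    # Prioritised remediation list for a hypothetical 1.7.8.5 installation.
    for e in match_cves("1.7.8.5", SAMPLE_DB):
        print(f"{e['id']} {severity(e['cvss'])} ({e['cvss']}) - {e['title']}; {e['fix']}")
```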
Usage Example
The tool can be run from the command line:
python3 cve.py https://your-prestashop.tld
This command performs a standard audit, safe for production environments. A more comprehensive audit, including Lynis, can be run with:
python3 cve.py https://your-prestashop.tld --path /var/www/prestashop
Community Concerns and Legal Considerations
The release of the tool sparked debate within the PrestaShop community. One user, Prestashop Addict, raised concerns about the tool's explicit inclusion of exploit code, arguing that it could inadvertently aid attackers. Another user, wepresta, cautioned against over-reliance on AI-assisted coding, noting potential logic errors and the need for manual review.
Viking Production responded by emphasizing that the exploits are already publicly documented in CVE lists and that shop owners are responsible for keeping their PrestaShop installations up to date. They also acknowledged the need for manual review of the tool's findings and welcomed community feedback for improvements.
However, due to concerns regarding French legislation (Article 323-3-1 of the French Penal Code) about the distribution of security testing tools, Viking Production temporarily set the GitHub repository to private. The project is undergoing refactoring to remove potentially harmful payloads and implement a strict professional use framework with responsible disclosure protocols.
Update: The repository is now private while the author refactors the code to comply with French law.
Impact on PrestaShop Merchants
This tool, even in its temporarily unavailable state, highlights the importance of proactive security measures for PrestaShop store owners. While the tool aimed to provide a valuable resource for identifying vulnerabilities, the discussion underscores the complexities of responsible disclosure and the potential risks associated with making exploit code readily available. Merchants should prioritize keeping their PrestaShop installations updated, regularly auditing their security configurations, and seeking professional penetration testing services when necessary.