
WEBFORMS PRO 2 MODULE BY VLADIMIR POPOV VULNERABILITY

Major security issue

All sites using up to version 2.7.6 of the popular WebForms Pro module for Magento 1.x should upgrade to the latest version (2.7.7) immediately. If this is not possible, please delete the following folder:

/js/webforms/upload

The following update was sent to all customers:

WebForms Pro Security Update
If you have a WebForms version older than 2.7.6 installed, please take action!
It has recently been discovered that the WebForms extension can cause a vulnerability on certain system configurations with the Magento 1 platform installed.
If your server is running Apache 2.4, Nginx or PHP 7, you are strongly advised to download the WebForms 2.7.7 update from your account area, My Downloadable Products section.
The update contains a new file upload scan to block possible script files from being uploaded to the server.
If you have a customized version of WebForms or performing the update is problematic, please remove the following directory:
/js/webforms/upload
It is a safe operation as it doesn’t affect any major functionality. This folder is present in the current version of WebForms but will be removed in future updates.
If you have forms with file upload fields, please limit allowed file extensions.
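
An added example, not part of the vendor's notice or the WebForms code: a POSIX shell audit that reports, for one or more Magento 1 document roots, whether the js/webforms/upload directory named above is still present, and can remove it. The function names and the idea of passing several roots are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit Magento 1 document roots for the directory the advisory
# says to remove. Only the relative path comes from the advisory; the function
# names are hypothetical.
WEBFORMS_UPLOAD_REL="js/webforms/upload"

# check_root ROOT
# Returns 0 if the directory is absent, 1 if it is still present,
# 2 if ROOT itself is not a directory.
check_root() {
    root=${1%/}
    if [ ! -d "$root" ]; then
        echo "SKIP    $root (not a directory)"
        return 2
    fi
    target="$root/$WEBFORMS_UPLOAD_REL"
    # -L also catches a symlink left in place of the directory, dangling or not.
    if [ -d "$target" ] || [ -L "$target" ]; then
        count=$(find "$target" -type f 2>/dev/null | wc -l | tr -d ' ')
        echo "PRESENT $target ($count files)"
        return 1
    fi
    echo "CLEAN   $root"
    return 0
}

# remove_upload_dir ROOT: delete the directory, then re-check the root.
remove_upload_dir() {
    root=${1%/}
    [ -n "$root" ] && [ -d "$root" ] || return 2
    # Without a trailing slash, rm removes a symlink itself, not its target.
    rm -rf -- "$root/$WEBFORMS_UPLOAD_REL"
    check_root "$root"
}

# audit_roots ROOT...: check every root; return 1 if any still has the directory.
audit_roots() {
    status=0
    for r in "$@"; do
        rc=0
        check_root "$r" || rc=$?
        if [ "$rc" -eq 1 ]; then status=1; fi
    done
    return "$status"
}

# When run with arguments, treat each one as a document root to audit.
if [ "$#" -gt 0 ]; then audit_roots "$@"; fi
```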