Prestashop Module Send to a Friend allows Spammers to abuse the feature for sending emails to a friend
How I have discovered the security flaws in Prestashop Module - Send to a Friend One customer reported that the inbox of his Prestashop store email was containing hundreds of bounced emails, with spam, so I requested him to forward one of those emails to me. Just by opening it, it was obvious that the email had originated from his store, via the native Send to a Friend module. This module is installed, by default, with the original Prestashop theme and in many other third-party themes.
In this Tutorial, when referring to your Prestashop Online Store, the domain name used will be prestashop-tutorials.dev, therefore when applying any How To instruction you will need to replace it with your own domain. The same goes for the Prestashop Admin access folder, which you need to change from secret-admin-folder to the one used in your E-commerce Store. Just to be clear, the full path used here to reach the Prestashop Back Office is prestashop-tutorials.
Responsible Disclosure Recently I made a Responsible Disclosure for 2 security vulnerabilities in the Prestashop Module Send to a Friend and also provided the fixes for them in a Github Pull Request. This was done in coordination with the Prestashop Core Team to ensure the issue was not made public until owners of Prestashop Online Stores had time to update the module, and also to guarantee that the code for the fixes conformed to their rules.
This Tutorial is a detailed How To aimed at Prestashop beginners, therefore I will not expect any knowledge at all from you about the Prestashop Admin Interface. Step by Step to Update a Module in Prestashop Version 1.6.* During this Prestashop Tutorial the Url used to reach the Prestashop Back Office will be prestashop-tutorials.dev/v1616/secret-admin-folder and yours should be your-domain.com/your-secret-admin-folder, or if your store is not in the root folder then it should be like your-domain.
So you are working in your Prestashop store and suddenly you get a blank screen, and no matter how many times you retry the screen is always blank… wtf? By this time you are already thinking that you are at a dead end and rushing to Google and/or the Prestashop community for help. Why Prestashop Debug must be always Enabled during Development? When in production we want PHP to hide all the errors it finds.