How to Set Prestashop File & Folder Permissions?

Prestashop has been a highly favoured platform for e-commerce firms. It has helped them expand their services and flourish in this highly competitive digital world. Being an open-source platform, it is even more attractive to startups. However, this attribute has also contributed to its exploitation. Many of these exploits could have been prevented if website owners had secured their sites with simple measures such as proper PrestaShop file permissions.

In this article, we discuss a specific class of security vulnerability in the Prestashop platform: exploits against the file system of your Prestashop website. By the end of this article, you will know how to set secure Prestashop file permissions.

Common vulnerabilities reported in Prestashop File System

File system vulnerabilities have started popping up in Prestashop since 2018. Some of the common vulnerabilities include:

  • In Prestashop versions 1.4.0.1 through 1.6.1.18, a vulnerability was disclosed in the Attribute Wizard add-on 1.6.9: the modules/attributewizardpro/file_upload.php file enabled remote attackers to execute arbitrary code by uploading a .phtml file.
  • For Prestashop websites hosted on a Windows operating system, a vulnerability was reported in versions prior to 1.6.1.20 and 1.7.3.4. It allowed remote attackers to write to arbitrary image files, which means tampering with the product images or the brand logo displayed on the website.
  • In another prominent vulnerability, a security bug was disclosed in the Customer Files Upload add-on in Prestashop versions 1.5 through 1.7. This vulnerability allowed remote code execution through the upload of a PHP file, which could give access to the data available on your website.

These vulnerabilities, if present on your Prestashop website, can lead to catastrophic damage to your business and reputation. Improper Prestashop file permissions can lead to the loss of customers’ personal and financial data. This can, in turn, have a severe impact on your customer relations.

How to set secure Prestashop File Permissions?

Prestashop file permissions should not be mistaken for the only security measure for your website. Still, they carry their own importance and can come in handy in defending your website from some of the common attacks.

For instance, even if the hacker gets access to your website’s file system, he may not be able to tamper with your files. The recommended permissions for PrestaShop files are 644, and for directories, 755. Here is how you can proceed with the settings:

Setting all directories permission to 755

    1. Login to your account via FTP.
    2. Navigate to the folder where Prestashop is installed (/path/to/your/PrestaShop/install/)
    3. Right-click on the folder where your PrestaShop is installed. Click the File Permissions option in the menu.
    4. Once you click on the option, a new window will open. In the input textbox for numeric value, type the value “755”.
    5. Now enable the “Recurse into Subdirectories” option. In the list seen below, select the checkbox titled “Apply To Directories Only”.
    6. Once ready, click the OK button.
    7. The process may take time as per the number of files present on your website.

Setting all files permission to 644

    1. Navigate to the folder where PrestaShop is installed. Right-click on the installed folder. Click the File Permissions option in the menu.
    2. Once you click on the option, a new window will open. In the numeric value field, type in the value “644”.
    3. After that, enable the “Recurse into Subdirectories” option. In the list seen below, select the checkbox titled “Apply to Files Only”.
    4. Once all the settings are set accordingly, click the OK button. The time taken by the process depends upon the number of files that are present on your Prestashop website.

Note: A permission of 777 is considered the most vulnerable, and is not recommended.

How Do File Permissions Work?

For clarity, let us understand what we did here. As we all know, file permissions are denoted by numbers with each digit having its own significant meaning. Following are the permissions associated with the digits:

  • 4 = Read
  • 5 = Read/execute (execute required for directories)
  • 6 = Read/write
  • 7 = Read, write and execute

The sequence of the digits denotes the following set of users, in order:

  • Owner
  • Group
  • Other

So when we set the directories to 755, only the owner of the directory has full permissions over it, while other users can only read and execute it. This prevents tampering with the contents of the directory. Similarly, for files, we set the value to 644. This means the owner can read and write the file, while other users can only read it. This protects the contents of the file from being changed by anyone other than the owner.
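The two FTP procedures and the digit breakdown above can also be carried out from a shell on the server. The script below is an added example, not part of the original article: it reports entries that deviate from the 755/644 baseline, lists anything writable by "other", and applies the baseline. It assumes GNU find and stat; the function names are illustrative and the install path is whatever you pass as the argument.

```bash
#!/usr/bin/env bash
# Added example (not from the original article). Assumes GNU find and stat.

# Print "<octal> <symbolic> <path>" for every entry that deviates from the
# article's baseline: directories 755, regular files 644. Symlinks are skipped.
audit_perms() {
    find "$1" -type d ! -perm 755 -exec stat -c '%a %A %n' {} +
    find "$1" -type f ! -perm 644 -exec stat -c '%a %A %n' {} +
}

# Print entries whose "other" digit includes write (2), e.g. 666 or 777.
world_writable() {
    find "$1" ! -type l -perm -0002 -exec stat -c '%a %A %n' {} +
}

# Apply the baseline: the shell equivalent of the two FTP procedures.
apply_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Stand-alone use: audit only, change nothing.
if [ "$#" -eq 1 ]; then
    audit_perms "$1"
    world_writable "$1"
fi
```

In the output, the symbolic column spells out the three digits: a directory at 755 appears as drwxr-xr-x (owner rwx, group r-x, other r-x), and a file at 644 as -rw-r--r--.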

To Sum Up

As I said earlier, it should be kept in mind that file permissions are not the ultimate security measure. To secure your website you must follow other necessary measures as well, the most effective of which is to have a web application firewall. A firewall scans the incoming traffic to your site to check for attacks in real time, thus providing better security. Other than that, follow this complete PrestaShop security guide to better secure your store.

About The Author

Jinson Varghese

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.
