Customer fake account registration SPAM - free solution without re-captcha
In April 2019 there was a flood of SPAM registrations: automated robots created lots of fake accounts by abusing a long-standing vulnerability in the PrestaShop account registration form.
The issue was that the account registration form allowed URL addresses in the customer firstname and lastname. Spammers abused that and created lots of registrations with the lastname replaced by spam links from the domains www.lmy.de, www.xurl.es and www.cutt.us.
Since then, PrestaShop has released an updated version that fixes this (PS 1.7.6). However, updating the PrestaShop core to the latest version is not an option for everyone, and for older versions manual action is still necessary.
There's no need for reCAPTCHA modules. Here are quick copy-paste solutions to resolve the registration issue. The newly added code is the www|http check on the first line of each function body.
SPAM customers fix for Prestashop up to version 1.7.4 (including 1.6.x branch)
Edit file: classes/Validate.php
    public static function isName($name)
    {
        // Added line: reject any name containing "www" or "http" (case-insensitive)
        if (preg_match(Tools::cleanNonUnicodeSupport('/www|http/ui'), $name)) { return false; }
        return preg_match(Tools::cleanNonUnicodeSupport('/^[^0-9!<>,;?=+()@#"°{}_$%:¤|]*$/u'), stripslashes($name));
    }
SPAM customers fix for Prestashop version 1.7.5
Edit file: classes/Validate.php
    public static function isCustomerName($name)
    {
        // Added line: reject any name containing "www" or "http" (case-insensitive)
        if (preg_match(Tools::cleanNonUnicodeSupport('/www|http/ui'), $name)) { return false; }
        $validityPattern = Tools::cleanNonUnicodeSupport(
            '/^(?:[^0-9!<>,;?=+()\/@#"°*`{}_^$%:¤\[\]|.。]|[.。](?:\s|$))*$/u'
        );
        return preg_match($validityPattern, $name);
    }
SPAM customers fix for Prestashop version 1.7.6+
For more details, let's look at how PrestaShop solved the issue in version 1.7.6.
Let's head to PrestaShop's GitHub and look at this commit. Here we can see that the most notable change was the pattern match modification in the isCustomerName function, as follows:
    $validityPattern = Tools::cleanNonUnicodeSupport(
        '/^(?:[^0-9!<>,;?=+()\/@#"°*`{}_^$%:¤|.。]|[.。](?:\s|$))*$/u'
    );
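To compare the three checks side by side, here is an added example (not PrestaShop code and not from the original post) that runs them over constructed names. The function names oldIsName, patchedIsName and isCustomerName176 are hypothetical, and the patterns are applied with preg_match directly instead of going through Tools::cleanNonUnicodeSupport.

```php
<?php
// Added example (not PrestaShop code): the three checks from this page as
// stand-alone functions. Function names and sample names are constructed.

// isName() character blacklist used up to 1.7.4.
const OLD_PATTERN = '/^[^0-9!<>,;?=+()@#"°{}_$%:¤|]*$/u';
// isCustomerName() pattern from 1.7.6: a dot must be followed by whitespace or end.
const NEW_PATTERN = '/^(?:[^0-9!<>,;?=+()\/@#"°*`{}_^$%:¤|.。]|[.。](?:\s|$))*$/u';

function oldIsName(string $name): bool
{
    return preg_match(OLD_PATTERN, stripslashes($name)) === 1;
}

function patchedIsName(string $name): bool
{
    // The check this page adds: refuse names containing "www" or "http".
    if (preg_match('/www|http/ui', $name)) {
        return false;
    }
    return oldIsName($name);
}

function isCustomerName176(string $name): bool
{
    return preg_match(NEW_PATTERN, $name) === 1;
}

$samples = [
    'Novák',                 // accented letter
    'J. R. Smith',           // initials: dot followed by a space
    'www.lmy.de/example',    // link without scheme or digits
    'WWW.cutt.us/example',   // same, upper case
    'http://www.xurl.es/x',  // link with scheme
    'example.com/offer',     // dotted host without "www" or "http"
];

$verdict = fn (bool $ok): string => $ok ? 'accept' : 'reject';
printf("%-22s %-8s %-8s %s\n", 'name', 'old', 'patched', '1.7.6');
foreach ($samples as $name) {
    printf(
        "%-22s %-8s %-8s %s\n",
        $name,
        $verdict(oldIsName($name)),
        $verdict(patchedIsName($name)),
        $verdict(isCustomerName176($name))
    );
}
```

Save the file as UTF-8 and run it with the php CLI (7.4 or later). The www|http check only covers names written with those substrings, while the 1.7.6 pattern rejects any dot that is not followed by whitespace or the end of the string.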
Does this affect our Checkout module?
Nope, this issue does not affect our One page checkout module, as it has its own registration mechanism that is more resilient to such SPAM attacks. So there's no need to update anything on the module side, but updating the PrestaShop core is still necessary to fix the authentication form vulnerability.