Download PrestaShop v.1.3.1 tại đây

hoặc thay đổi một số files sau

-Chú ý: sao lưu file trước khi sửa đổi.

File: /config/smarty.config.inc.php
Where: At the end of the file, before "?>"
Add: $smarty->register_modifier('secureReferrer', array('Tools', 'secureReferrer'));


File: /modules/paypalapi/error.tpl
Where: line 13
Replace: {$smarty.server.HTTP_REFERER}
By: {$smarty.server.HTTP_REFERER|secureReferrer}


File: /themes/prestashop/errors.tpl :
Where: line 9
Replace: {$smarty.server.HTTP_REFERER|escape:'htmlall':'UTF-8'}
By: {$smarty.server.HTTP_REFERER|escape:'htmlall':'UTF-8'|secureReferrer}


File: /themes/prestashop/shopping-cart.tpl :
Where: line 255
Replace: {$smarty.server.HTTP_REFERER|escape:'htmlall':'UTF-8'}
By: {$smarty.server.HTTP_REFERER|escape:'htmlall':'UTF-8'|secureReferrer}


File: /admin/login.php
Where: line 67
Replace:
$cookie->passwd = $employee->passwd;
$cookie->write();
By:
$cookie->passwd = $employee->passwd;
$cookie->remote_addr = ip2long($_SERVER['REMOTE_ADDR']);
$cookie->write();


File: /admin/confirm.php
Where: Line 22
Replace: $referer = rawurldecode(Tools::getValue('referer'));
By: $referer = Tools::htmlentitiesUTF8(rawurldecode(Tools::getValue('referer')));


File: /classes/Tools.php
Where: Line 17
After "class Tools
{"
Add these two functions:

/**
* Get the server variable SERVER_NAME
*
* @param string $referrer URL referrer
*/
static function getServerName()
{
if (isset($_SERVER['HTTP_X_FORWARDED_SERVER']) AND $_SERVER['HTTP_X_FORWARDED_SERVER'])
return $_SERVER['HTTP_X_FORWARDED_SERVER'];
return $_SERVER['SERVER_NAME'];
}

/**
* Secure an URL referrer
*
* @param string $referrer URL referrer
*/
static public function secureReferrer($referrer)
{
if (preg_match('/^http[s]?:\/\/'.self::getServerName().'\/.*$/Ui', $referrer))
return $referrer;
return __PS_BASE_URI__;
}


File: /classes/Cookie.php
Where: Line 164
Replace the function isLoggedBack() by this function:
function isLoggedBack()
{
/* Employee is valid only if it can be load and if cookie password is the same as database one */
if ($this->id_employee AND Validate::isUnsignedId($this->id_employee) AND
Employee::checkPassword(intval($this->id_employee), $this->passwd) AND (!isset($this->_content['remote_addr']) OR
$this->_content['remote_addr'] == ip2long($_SERVER['REMOTE_ADDR'])))
return true;
return false;
}