PrestaShop warns of vulnerability: Update your stores now!

We take a look at a security advisory from PrestaShop which warns of compromised stores and redirected payment data. The post PrestaShop warns of vulnerability: Update your stores now! appeared first on Malwarebytes Labs.

Malwarebytes
#sql#vulnerability#web#php

A vulnerability affecting the open source e-commerce platform PrestaShop could spell trouble for servers running PrestaShop websites. The 15-year-old organisation’s platform is currently used by around 300,000 shops worldwide. The exploit is very dependent on the specific versions in use, so one PrestaShop customer may see different results from another.

What’s happening?

The exploit has its own CVE, CVE-2022-36408, and (according to PrestaShop’s security advisory) relates to a “previously unknown vulnerability chain that we are fixing”. PrestaShop goes on to say that:

…this issue seems to concern shops based on versions 1.6.0.10 or greater, subject to SQL injection vulnerabilities. Versions 1.7.8.2 and greater are not vulnerable unless they are running a module or custom code which itself includes an SQL injection vulnerability. Note that versions 2.0.0~2.1.0 of the Wishlist (blockwishlist) module are vulnerable.

If a shop is vulnerable to SQL injection, then based on the information available so far it is almost certainly running old, outdated modules; vulnerable third-party modules may also be responsible. Assuming everything is in place for the attack to happen, it plays out like this:

  1. The attacker submits a POST request to the endpoint vulnerable to SQL injection.
  2. After approximately one second, the attacker submits a GET request to the homepage, with no parameters. This results in a PHP file called blm.php being created at the root of the shop’s directory.
  3. The attacker now submits a GET request to the new file that was created, blm.php, allowing them to execute arbitrary instructions.

Once control of the shop is gained, a fake payment form is injected into the checkout page. From that point, customers submitting payment data are sending their details to the attacker rather than to the genuine store owner. PrestaShop notes that this may not be the only tactic at play: different file names, software modifications, or other malicious code may also be involved. The current uncertainty about the exact method used, and about whether third-party components play a part, works to the attacker’s advantage.
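The three-step sequence above leaves a recognisable trace in ordinary web-server access logs: a POST from one client, a parameterless GET of the homepage about a second later from the same client, and then a request for blm.php. The following detector is an added example written for this page, not code from Malwarebytes or PrestaShop. It assumes Apache/nginx "combined" log format; the sample log lines are constructed, and the POST target /modules/examplemodule/ajax.php is a placeholder path, not a real PrestaShop endpoint.

```python
import re
from datetime import datetime

# Apache/nginx "combined" access-log format: client, identity, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log. The POST target is a placeholder path, not a real PrestaShop endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jul/2022:10:15:01 +0000] "POST /modules/examplemodule/ajax.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.5 - - [22/Jul/2022:10:15:02 +0000] "GET / HTTP/1.1" 200 4021 "-" "curl/7.68.0"
203.0.113.5 - - [22/Jul/2022:10:15:03 +0000] "GET /blm.php HTTP/1.1" 200 17 "-" "curl/7.68.0"
198.51.100.7 - - [22/Jul/2022:10:16:00 +0000] "GET /index.php?id_product=3 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Jul/2022:10:16:05 +0000] "POST /cart HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Jul/2022:10:16:40 +0000] "GET / HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": path,
        "query": query,
        "status": int(m.group("status")),
    }


def detect_chain(lines, homepage_window=5, webshell_window=120):
    """Return one finding per client that performs the sequence described in the advisory:
    POST (step 1) -> parameterless GET / within homepage_window seconds (step 2)
    -> GET .../blm.php within webshell_window seconds (step 3).
    Combined logs have one-second resolution, so the windows are deliberately loose."""
    by_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip.setdefault(rec["ip"], []).append(rec)

    findings = []
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, post in enumerate(reqs):
            if post["method"] != "POST":
                continue
            for home in reqs[i + 1:]:
                gap = (home["ts"] - post["ts"]).total_seconds()
                if gap > homepage_window:
                    break  # requests are time-ordered; nothing later can match step 2
                if not (home["method"] == "GET" and home["path"] == "/" and not home["query"]):
                    continue
                shells = [r for r in reqs
                          if r["path"].endswith("/blm.php")
                          and 0 <= (r["ts"] - home["ts"]).total_seconds() <= webshell_window]
                if shells:
                    findings.append({"ip": ip, "post": post["path"],
                                     "first_seen": post["ts"], "webshell": shells[0]["path"]})
                    break
    return findings


def blm_requests(lines):
    """Weaker indicator on its own: any request at all for a file named blm.php."""
    return [r for r in map(parse_line, lines) if r and r["path"].endswith("/blm.php")]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for f in detect_chain(lines):
        print(f"possible exploitation chain from {f['ip']} starting {f['first_seen']} "
              f"(POST {f['post']}, then {f['webshell']})")
```

Run it against a real log with `detect_chain(open("access.log").readlines())`. Because PrestaShop warns that other file names may be used, treat the POST-then-homepage pairing followed by a request for any previously unseen PHP file at the shop root as the durable signal, and the literal name blm.php as a bonus rather than the whole rule.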

How to defend against this vulnerability

PrestaShop advises ensuring that both the shop and its modules are running their latest versions. Users should also disable a rarely used feature called MySQL Smarty. It is disabled by default, but can be activated remotely by an attacker. The advice here is to disable it manually, like so:

Locate the file config/smarty.config.inc.php on your PrestaShop install, and remove lines 43-46 (PrestaShop 1.7) or 40-43 (PrestaShop 1.6).

At the time of writing, PrestaShop suggests shop owners “contact a specialist” to perform a full audit of the site and ensure nothing has been modified or had malicious code added. Finally, shop owners are advised to download the latest release, PrestaShop 1.7.8.7, which addresses the vulnerability.
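A full audit starts with knowing which files differ from a clean install. The script below is an added example, not tooling from PrestaShop or Malwarebytes: it hashes the PHP, template and JavaScript files under a shop root, diffs the result against a baseline manifest, and singles out new PHP files dropped directly in the root, which is where the advisory says blm.php appears. It assumes the baseline was taken from a clean copy of the same release; the `demo()` scenario builds a constructed miniature shop tree in a temporary directory purely to exercise the functions.

```python
import hashlib
import os
import tempfile

# File types worth tracking: server-side code, checkout templates, and the JavaScript
# a skimmer would need to alter or add on the checkout page.
TRACKED = (".php", ".phtml", ".tpl", ".js")


def build_manifest(root, extensions=TRACKED):
    """Map every tracked file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Classify differences between a known-good baseline and the current tree."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def suspicious_root_files(diff):
    """New PHP files sitting directly in the shop root deserve the first look; everything
    else added or modified is still listed by compare_manifests."""
    return [p for p in diff["added"] if os.sep not in p and p.lower().endswith(".php")]


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: snapshot a tiny shop tree, then drop a root-level PHP file
    and tamper with a checkout template, as the reported attacks do."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", "<?php // storefront entry point\n")
        _write(root, os.path.join("modules", "examplemodule", "examplemodule.php"), "<?php // placeholder module\n")
        _write(root, os.path.join("themes", "classic", "checkout.tpl"), "{* payment form *}\n")
        baseline = build_manifest(root)

        _write(root, "blm.php", "<?php /* constructed stand-in for the dropped file */\n")
        _write(root, os.path.join("themes", "classic", "checkout.tpl"), "{* payment form *}<script></script>\n")
        diff = compare_manifests(baseline, build_manifest(root))
        return diff, suspicious_root_files(diff)


if __name__ == "__main__":
    diff, root_hits = demo()
    print("added:", diff["added"])
    print("modified:", diff["modified"])
    print("new PHP in shop root:", root_hits)
```

In practice, generate the baseline from a pristine extract of the same PrestaShop release plus the module versions you actually installed, store it off the web server, and re-run the comparison after every deployment; a hash diff cannot judge intent, so every entry it lists still needs a human to read the file, but it turns "audit everything" into a short list.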

A note of caution: there’s uncertainty over whether this addresses all versions of the attack. Additionally, if your store has already been hacked then this update may not be enough to fix the lurking problem. The best remedy here is to get your update in early and try to beat the attackers to the punch.

Related news

Hackers Exploit PrestaShop Zero-Day to Steal Payment Data from Online Stores

Malicious actors are exploiting a previously unknown security flaw in the open source PrestaShop e-commerce platform to inject malicious skimmer code designed to swipe sensitive information. "Attackers have found a way to use a security vulnerability to carry out arbitrary code execution in servers running PrestaShop websites," the company noted in an advisory published on July 22. PrestaShop is

GHSA-qv6h-pcf2-2w3g: Duplicate Advisory GHSA-hrgx-p36p-89q4

Duplicate Advisory: This advisory is a duplicate of GHSA-hrgx-p36p-89q4. This link is maintained to preserve external references.

Original Description: PrestaShop 1.6.0.10 through 1.7.x before 1.7.8.2 allows remote attackers to execute arbitrary code, aka a "previously unknown vulnerability chain" related to SQL injection, as exploited in the wild in July 2022.

CVE-2022-36408: Major Security Vulnerability on PrestaShop Websites

PrestaShop 1.6.0.10 through 1.7.x before 1.7.8.2 allows remote attackers to execute arbitrary code, aka a "previously unknown vulnerability chain" related to SQL injection, as exploited in the wild in July 2022.