PrestaShop, a developer of open source e-commerce software used by hundreds of thousands of small independent retailers as the basis for their online presence, has warned of a serious vulnerability that, if left unaddressed, could allow attackers to execute arbitrary code and steal customer card details.
Tracked as CVE-2022-36408, the vulnerability first came to light when PrestaShop was informed that cybercriminals were exploiting “a combination of known and unknown vulnerabilities” to inject malicious code into websites built on the platform.
During its investigation, the team found a previously unknown vulnerability chain that, to the company’s knowledge, affects stores built on version 220.127.116.11 or later that are vulnerable to SQL injection attacks. Versions 18.104.22.168 and above are not vulnerable unless they run modules or custom code that itself contains a SQL injection vulnerability.
“The attack requires the store to be vulnerable to SQL injection exploits. To the best of our knowledge, the latest version of PrestaShop and its modules are free from these vulnerabilities. We believe that attackers are targeting stores using outdated software or modules, vulnerable third-party modules, or an undiscovered vulnerability,” PrestaShop said in an advisory published July 22.
Despite this uncertainty, its investigation identified a recurring attack pattern. First, the attacker sends a POST request to the vulnerable endpoint. They then send a GET request to the home page with no parameters, which results in a PHP file being created in the root of the store folder. From there, they send a GET request to that new file, which lets them run arbitrary code.
If successful, the attacker can then insert a fake payment form on the victim’s payment page, allowing them to steal customer credit card information.
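The three-step request sequence described above (a POST to a suspect endpoint, then a parameterless GET to the home page, then a GET to a previously unknown PHP file in the shop root) is visible in ordinary web-server access logs. The following script is an added illustration, not PrestaShop's own tooling, of how a defender might hunt for that sequence. It assumes Apache/Nginx combined log format, that `/index.php` is the only legitimate top-level PHP file, and uses constructed sample log lines; the module path and dropped file name in them are placeholders, not indicators published by the vendor.

```python
"""Hunt access logs for the PrestaShop attack chain:
POST <endpoint> -> GET / (no query) -> GET /<unknown>.php, all from one IP
within a short window.  Added example; constructed sample data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format (assumption): ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Top-level PHP files a stock shop is expected to expose (assumption).
KNOWN_ROOT_PHP = {"/index.php"}
# Max time between the POST and the GET to the dropped file (assumption).
WINDOW = timedelta(minutes=5)

# Constructed sample: one attack-like sequence and one ordinary shopper.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Jul/2022:10:00:01 +0000] "POST /modules/example-module/ajax.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [22/Jul/2022:10:00:02 +0000] "GET / HTTP/1.1" 200 8012',
    '203.0.113.5 - - [22/Jul/2022:10:00:04 +0000] "GET /EXAMPLE-DROPPED.php HTTP/1.1" 200 40',
    '198.51.100.7 - - [22/Jul/2022:10:01:00 +0000] "POST /index.php?controller=authentication HTTP/1.1" 302 0',
    '198.51.100.7 - - [22/Jul/2022:10:01:01 +0000] "GET / HTTP/1.1" 200 8012',
    '198.51.100.7 - - [22/Jul/2022:10:01:03 +0000] "GET /index.php?id_product=3 HTTP/1.1" 200 9000',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def strip_query(path):
    return path.split("?", 1)[0]


def is_root_php(path):
    """True for a PHP file directly under the web root, e.g. '/x.php'."""
    base = strip_query(path)
    return base.count("/") == 1 and base.endswith(".php")


def find_suspicious_chains(lines):
    """Return (ip, post_endpoint, dropped_file) for every source IP whose requests
    contain POST -> GET / -> GET /<php not in KNOWN_ROOT_PHP> within WINDOW."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    hits, seen = [], set()
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, post in enumerate(recs):
            if post["method"] != "POST":
                continue
            # Requests from the same IP that follow the POST inside the window.
            later = [r for r in recs[i + 1:] if r["ts"] - post["ts"] <= WINDOW]
            home_idx = next((n for n, r in enumerate(later)
                             if r["method"] == "GET" and r["path"] == "/"), None)
            if home_idx is None:
                continue
            for r in later[home_idx + 1:]:
                base = strip_query(r["path"])
                if r["method"] == "GET" and is_root_php(base) and base not in KNOWN_ROOT_PHP:
                    hit = (ip, strip_query(post["path"]), base)
                    if hit not in seen:
                        seen.add(hit)
                        hits.append(hit)
                    break
    return hits


if __name__ == "__main__":
    for ip, endpoint, dropped in find_suspicious_chains(SAMPLE_LOG):
        print(f"{ip}: POST {endpoint} followed by GET / and GET {dropped}")
```

The shopper at 198.51.100.7 also does a POST followed by a home-page GET, but the third request goes to the known `/index.php`, so it is not flagged; only a GET to a top-level PHP file that the shop is not expected to serve completes the chain. In practice the allowlist should be generated from a clean install rather than hard-coded, and any flagged file should be inspected rather than deleted, since it is evidence.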
Retailers using the PrestaShop platform should immediately ensure that their websites and all modules are updated to the latest version, which should prevent them from being exposed to known or actively exploited SQL injection bugs.
The vendor added that attackers may be exploiting the rarely used MySQL Smarty cache storage feature as part of their attack vector (it is disabled by default but can be enabled remotely), so users can also physically remove the feature from the PrestaShop code to cut off this particular method.
More information, including Indicators of Compromise (IoCs), is available from PrestaShop.
Chris Hauk, consumer privacy advocate at online privacy specialist Pixel Privacy, said PrestaShop’s guidance should be implemented urgently.
“PrestaShop users will want to disable the feature used for this exploit to break this attack chain. This underscores the need for site administrators to keep their systems up-to-date with the latest operating systems, databases and apps,” said Hauk.
Michael Tanaka, chief commercial officer at multifactor authentication (MFA) provider Miracl, added: “The evidence today showing how the PrestaShop platform is being abused by hackers strongly reminds us that platforms need to be regularly updated to ensure that you have the latest security benefits.
“Not just maintenance patches, but also new technologies such as zero-knowledge proofs and protocols [ZKPs] minimizing the use of personal data will further harden any platform against attacks,” Tanaka said.