Retail software firm PrestaShop warns users about SQL injection attacks
Open source e-commerce platform PrestaShop warns thousands of small retailers that their customers’ credit card details may be at risk of compromise
PrestaShop, a developer of open source e-commerce software used by hundreds of thousands of small, independent retailers as the foundations of their online presence, has warned of a serious vulnerability that, left unaddressed, would allow attackers to achieve arbitrary code execution and steal customer card data.
Tracked as CVE-2022-36408, the vulnerability first came to light when PrestaShop was made aware that cyber criminals were exploiting “a combination of known and unknown security vulnerabilities” to inject malicious code into websites relying on the platform.
In the course of this investigation, its team found a previously unknown vulnerability chain affecting – to the best of the firm’s knowledge – shops built on versions 1.6.0.10 or higher that are vulnerable to SQL injection attacks. Note that versions 1.7.8.2 and above are not vulnerable unless running modules or custom code that itself includes a SQL injection vulnerability.
“The attack requires the shop to be vulnerable to SQL injection exploits. To the best of our knowledge, the latest version of PrestaShop and its modules are free from these vulnerabilities. We believe attackers are targeting shops using outdated software or modules, vulnerable third-party modules, or a yet-to-be-discovered vulnerability,” said PrestaShop in an advisory published on 22 July.
Despite this uncertainty, its investigations have established a recurring attack pattern. First, the attacker submits a POST request to the vulnerable endpoint. They then submit a GET request to the homepage without parameters, resulting in the creation of a PHP file at the root of the shop’s directory. From there, they can submit a GET request to that new file, allowing them to execute arbitrary code.
This accomplished, the attacker can then inject a fake payment form on the victim’s checkout page, enabling them to steal customer credit card data.
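As an added illustration (not code from the article or from PrestaShop), the following Python scans web-server access logs for the three-request sequence described above, so a shop operator can check their own logs for it. It assumes Apache combined log format and that all three requests come from the same source IP within a short window; the log lines are constructed samples, not real indicators.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A .php file directly at the web root, excluding the shop's own index.php
ROOT_PHP_RE = re.compile(r'^/(?!index\.php$)[^/?]+\.php$')

# Constructed sample log lines (hypothetical paths and IPs, not real IoCs)
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jul/2022:10:00:00 +0000] "POST /modules/example/ajax.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.5 - - [22/Jul/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 8192 "-" "curl/7.68.0"
203.0.113.5 - - [22/Jul/2022:10:00:02 +0000] "GET /dropped_example.php HTTP/1.1" 200 64 "-" "curl/7.68.0"
198.51.100.7 - - [22/Jul/2022:10:05:00 +0000] "GET / HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Jul/2022:10:05:03 +0000] "GET /index.php?controller=product&id_product=3 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return (ip, timestamp, method, path) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"]

def find_drop_sequences(lines, window_s=10):
    """Flag source IPs whose requests follow the pattern in the advisory:
    a POST to some endpoint, then a bare 'GET /' (no query string), then a
    GET to a .php file at the web root, all within window_s seconds.
    Assumption (not from the advisory): all three steps share one source IP."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec[0]].append(rec[1:])
    hits = []
    for ip, reqs in by_ip.items():
        reqs.sort()  # chronological order per source IP
        for i, (t0, meth, post_path) in enumerate(reqs):
            if meth != "POST":
                continue
            saw_home = False
            for t1, m1, p1 in reqs[i + 1:]:
                if (t1 - t0).total_seconds() > window_s:
                    break
                if m1 == "GET" and p1 == "/":
                    saw_home = True
                elif saw_home and m1 == "GET" and ROOT_PHP_RE.match(p1):
                    hits.append({"ip": ip, "post_path": post_path, "php_file": p1})
                    break
    return hits
```

A hit is only a lead: confirm it by checking whether the flagged .php file actually exists at the shop root and when it was created.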
Retailers using the PrestaShop platform should immediately make sure their websites and all modules are updated to the latest version, which should prevent them from being exposed to known or actively exploited SQL injection bugs.
The supplier added that there was a chance attackers were exploiting the rarely used MySQL Smarty cache storage feature in their attack vector (which is disabled by default but can be remotely enabled), so users may also wish to physically disable the feature in PrestaShop’s code to cut off this particular method.
More information, including indicators of compromise (IoCs), is available from PrestaShop.
Chris Hauk, consumer privacy advocate at cyber security guidance and online privacy specialist Pixel Privacy, said PrestaShop’s guidance should be implemented urgently.
“PrestaShop users will want to disable the feature being used for this exploit to break this attack chain. This underscores the need for site administrators to keep their systems updated to the latest version of the operating systems, databases and apps,” said Hauk.
Michael Tanaka, chief commercial officer at multifactor authentication (MFA) supplier Miracl, added: “Evidence today showing how the PrestaShop platform is being exploited by hackers is a stark reminder that platforms need to be updated regularly to ensure you have the latest security benefits.
“Not only maintenance patches, but also new technologies such as zero-knowledge proofs and protocols [ZKPs] that minimise the use of personal data will further harden any platform against attack,” said Tanaka.