PrestaShop Urges Administrators To Update Application To Close Vulnerabilities

Share post:

Administrators of e-commerce sites using the open-source PrestaShop platform have been warned to update the application immediately to close serious vulnerabilities.

PrestaShop says it first learned that hackers are exploiting a combination of known and unknown security vulnerabilities to inject malicious code into PrestaShop websites, allowing them to execute arbitrary instructions, and potentially steal customer’s payment information. While investigating this attack, the company found a previously unknown vulnerability chain that may also be involved.

“To the best of our understanding, this issue seems to concern shops based on versions 1.6.0.10 or greater, subject to Structured Query Language (SQL) injection vulnerabilities,” the warning says. “Versions 1.7.8.2 and greater are not vulnerable unless they are running a module or custom code which itself includes an SQL injection vulnerability. Note that versions 2.0.0~2.1.0 of the Wishlist (blockwishlist) module are vulnerable.”

The latest version of the application, released Monday, deals with a vulnerability in the MySQL Smarty cache storage feature.

PrestaShop has its largest number of users in Europe and Latin America, but there are online stores in Canada and the U.S.

The warning says attacks usually run like this:

  1. The attacker submits a POST request to the endpoint vulnerable to SQL injection.
  2. After approximately one second, the attacker submits a GET request to the homepage, with no parameters. This results in a PHP file called blm.php being created at the root of the shop’s directory.
  3. The attacker now submits a GET request to the new file that was created, blm.php, allowing them to execute arbitrary instructions.

After an attacker successfully gained control of a shop, they injected a fake payment form on the front-office checkout page. In this scenario, shop customers might enter their credit card information on the fake form, and unknowingly send it to the attackers.

Attackers might also place a different file name in the application, modify other parts of the software, plant malicious code, or even erase their tracks once the attack has been successful, the warning adds.

As a first defence make sure that your shop and all modules are updated to their latest version, PrestaShop advises.

Attackers might be using MySQL Smarty cache storage features as part of the attack vector, it also notes. This feature is rarely used and is disabled by default, but it can be enabled remotely by the attacker. PrestaShop 1.7.8.7 has been released to strengthen the MySQL Smarty cache storage against code injection attacks.

Details on how to do that are in the PrestaShop advisory. It also explains how administrators can tell if their site has been compromised.

The post PrestaShop urges administrators to update application to close vulnerabilities first appeared on IT World Canada.

Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

SUBSCRIBE NOW

Related articles

Russian State-Backed Cyber Attack Exploits Zero-Day Vulnerabilities in Windows and Firefox

Headline: A sophisticated cyberattack leveraging two chained zero-day vulnerabilities in Mozilla Firefox and Microsoft Windows has been confirmed by...

Starbucks Forced to Pay Baristas Manually After Ransomware Attack

A ransomware attack on Blue Yonder, a third-party scheduling software provider, has disrupted Starbucks’ ability to manage employee...

Google Launches Free Cybersecurity Certificate for Entry-Level Jobs

Google has introduced a new Cybersecurity Professional Certificate, aimed at preparing students for entry-level roles in just six...

Critical Vulnerability Leaves Millions Of Sites Vulnerable To Takeover

A severe authentication bypass vulnerability has been discovered in the WordPress plugin "Really Simple Security" (formerly *Really Simple...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways