PrestaShop Urges Administrators To Update Application To Close Vulnerabilities

Share post:

Administrators of e-commerce sites using the open-source PrestaShop platform have been warned to update the application immediately to close serious vulnerabilities.

PrestaShop says it first learned that hackers are exploiting a combination of known and unknown security vulnerabilities to inject malicious code into PrestaShop websites, allowing them to execute arbitrary instructions, and potentially steal customer’s payment information. While investigating this attack, the company found a previously unknown vulnerability chain that may also be involved.

“To the best of our understanding, this issue seems to concern shops based on versions 1.6.0.10 or greater, subject to Structured Query Language (SQL) injection vulnerabilities,” the warning says. “Versions 1.7.8.2 and greater are not vulnerable unless they are running a module or custom code which itself includes an SQL injection vulnerability. Note that versions 2.0.0~2.1.0 of the Wishlist (blockwishlist) module are vulnerable.”

The latest version of the application, released Monday, deals with a vulnerability in the MySQL Smarty cache storage feature.

PrestaShop has its largest number of users in Europe and Latin America, but there are online stores in Canada and the U.S.

The warning says attacks usually run like this:

  1. The attacker submits a POST request to the endpoint vulnerable to SQL injection.
  2. After approximately one second, the attacker submits a GET request to the homepage, with no parameters. This results in a PHP file called blm.php being created at the root of the shop’s directory.
  3. The attacker now submits a GET request to the new file that was created, blm.php, allowing them to execute arbitrary instructions.

After an attacker successfully gained control of a shop, they injected a fake payment form on the front-office checkout page. In this scenario, shop customers might enter their credit card information on the fake form, and unknowingly send it to the attackers.

Attackers might also place a different file name in the application, modify other parts of the software, plant malicious code, or even erase their tracks once the attack has been successful, the warning adds.

As a first defence make sure that your shop and all modules are updated to their latest version, PrestaShop advises.

Attackers might be using MySQL Smarty cache storage features as part of the attack vector, it also notes. This feature is rarely used and is disabled by default, but it can be enabled remotely by the attacker. PrestaShop 1.7.8.7 has been released to strengthen the MySQL Smarty cache storage against code injection attacks.

Details on how to do that are in the PrestaShop advisory. It also explains how administrators can tell if their site has been compromised.

The post PrestaShop urges administrators to update application to close vulnerabilities first appeared on IT World Canada.

Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

SUBSCRIBE NOW

Related articles

Cyber Security Today, June 21, 2024 – US to ban Kaspersky for businesses, consumers

U.S. to ban the sale of Kaspersky products to consumers and businesses. Welcome to Cyber Security Today. It's Friday...

Biden administration to ban US sales of Kaspersky software over ties to Russia

The Biden administration is set to announce a ban on the sale of Kaspersky Lab's antivirus software in...

Security bug may allow anyone to spoof Microsoft employee emails

A security researcher claims to have discovered a bug that enables anyone to impersonate Microsoft corporate email accounts,...

Cyber Security Today, June 19, 2024 – How an attacker hid on an IT network for three years

How an attacker hid on an IT network for three years Welcome to Cyber Security Today. It's Wednesday June...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways