PrestaShop urges administrators to update application to close vulnerabilities

Administrators of e-commerce sites using the open-source PrestaShop platform have been warned to update the application immediately to close serious vulnerabilities.

PrestaShop says it first learned that hackers are exploiting a combination of known and unknown security vulnerabilities to inject malicious code into PrestaShop websites, allowing them to execute arbitrary instructions, and potentially steal customer’s payment information. While investigating this attack, the company found a previously unknown vulnerability chain that may also be involved.

“To the best of our understanding, this issue seems to concern shops based on versions 1.6.0.10 or greater, subject to SQL injection vulnerabilities,” the warning says. “Versions 1.7.8.2 and greater are not vulnerable unless they are running a module or custom code which itself includes an SQL injection vulnerability. Note that versions 2.0.0~2.1.0 of the Wishlist (blockwishlist) module are vulnerable.”

The latest version of the application, released Monday, deals with a vulnerability in the MySQL Smarty cache storage feature.

PrestaShop has its largest number of users in Europe and Latin America, but there are online stores in Canada and the U.S.

The warning says attacks usually run like this:

  1. The attacker submits a POST request to the endpoint vulnerable to SQL injection.
  2. After approximately one second, the attacker submits a GET request to the homepage, with no parameters. This results in a PHP file called blm.php being created at the root of the shop’s directory.
  3. The attacker now submits a GET request to the new file that was created, blm.php, allowing them to execute arbitrary instructions.

After an attacker successfully gained control of a shop, they injected a fake payment form on the front-office checkout page. In this scenario, shop customers might enter their credit card information on the fake form, and unknowingly send it to the attackers.

Attackers might also place a different file name in the application, modify other parts of the software, plant malicious code, or even erase their tracks once the attack has been successful, the warning adds.

As a first defence make sure that your shop and all modules are updated to their latest version, PrestaShop advises.

Attackers might be using MySQL Smarty cache storage features as part of the attack vector, it also notes. This feature is rarely used and is disabled by default, but it can be enabled remotely by the attacker. PrestaShop 1.7.8.7 has been released to strengthen the MySQL Smarty cache storage against code injection attacks.

Details on how to do that are in the PretaShop advisory. It also explains how administrators can tell if their site has been compromised.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now