Administrators of e-commerce sites using the open-source PrestaShop platform have been warned to update the application immediately to close serious vulnerabilities.
PrestaShop says it first learned that hackers are exploiting a combination of known and unknown security vulnerabilities to inject malicious code into PrestaShop websites, allowing them to execute arbitrary instructions, and potentially steal customer’s payment information. While investigating this attack, the company found a previously unknown vulnerability chain that may also be involved.
“To the best of our understanding, this issue seems to concern shops based on versions 126.96.36.199 or greater, subject to SQL injection vulnerabilities,” the warning says. “Versions 188.8.131.52 and greater are not vulnerable unless they are running a module or custom code which itself includes an SQL injection vulnerability. Note that versions 2.0.0~2.1.0 of the Wishlist (blockwishlist) module are vulnerable.”
The latest version of the application, released Monday, deals with a vulnerability in the MySQL Smarty cache storage feature.
PrestaShop has its largest number of users in Europe and Latin America, but there are online stores in Canada and the U.S.
The warning says attacks usually run like this:
- The attacker submits a POST request to the endpoint vulnerable to SQL injection.
- After approximately one second, the attacker submits a GET request to the homepage, with no parameters. This results in a PHP file called
blm.phpbeing created at the root of the shop’s directory.
- The attacker now submits a GET request to the new file that was created,
blm.php, allowing them to execute arbitrary instructions.
After an attacker successfully gained control of a shop, they injected a fake payment form on the front-office checkout page. In this scenario, shop customers might enter their credit card information on the fake form, and unknowingly send it to the attackers.
Attackers might also place a different file name in the application, modify other parts of the software, plant malicious code, or even erase their tracks once the attack has been successful, the warning adds.
As a first defence make sure that your shop and all modules are updated to their latest version, PrestaShop advises.
Attackers might be using MySQL Smarty cache storage features as part of the attack vector, it also notes. This feature is rarely used and is disabled by default, but it can be enabled remotely by the attacker. PrestaShop 184.108.40.206 has been released to strengthen the MySQL Smarty cache storage against code injection attacks.
Details on how to do that are in the PretaShop advisory. It also explains how administrators can tell if their site has been compromised.