PrestaShop, a developer of open source e-commerce software used by hundreds of thousands of small, independent merchants as the foundation of their online presence, has warned of a critical vulnerability that, left unaddressed, would allow attackers to achieve arbitrary code execution and steal customer card data.
Tracked as CVE-2022-36408, the vulnerability first came to light when PrestaShop was made aware that cyber criminals were exploiting “a combination of known and unknown security vulnerabilities” to inject malicious code into websites relying on the platform.
In the course of this investigation, its team found a previously unknown vulnerability chain affecting – to the best of the firm's knowledge – shops built on versions 1.6.8.10 or later that are vulnerable to SQL injection attacks. Note that versions 1.7.8.2 and above are not vulnerable unless running modules or custom code that itself includes a SQL injection vulnerability.
“The attack requires the shop to be vulnerable to SQL injection exploits. To the best of our knowledge, the latest version of PrestaShop and its modules are free from these vulnerabilities. We believe attackers are targeting shops using outdated software or modules, vulnerable third-party modules, or a yet-to-be-discovered vulnerability,” said PrestaShop in an advisory published on 22 July.
Despite this uncertainty, its investigations have established a recurring attack pattern. First, the attacker submits a POST request to the vulnerable endpoint. They then send a GET request to the homepage without parameters, resulting in the creation of a PHP file at the root of the shop's directory. From there, they can submit a GET request to that new file, allowing them to execute arbitrary code.
This done, the attacker can then inject a fake payment form on the victim's checkout page, enabling them to steal customer credit card data.
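The three-step request pattern described in the advisory (POST to the vulnerable endpoint, GET to the homepage with no parameters, then GET to a freshly created PHP file at the web root) is something a shop operator can look for in existing web server access logs. The script below is an added example written for this article, not code from PrestaShop or its advisory. It assumes Apache/nginx combined log format, a constructed set of log lines standing in for a real access log, and a short allowlist of root-level scripts that legitimately exist on the shop (here only `index.php`; an operator would extend this with their own known files). The module name and dropped file name in the sample lines are invented for the example and are not indicators of compromise.

```python
import re
from datetime import datetime

# Combined log format: client ident user [timestamp] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A single path component ending in .php directly under the web root.
ROOT_PHP_RE = re.compile(r'^/[^/]+\.php$')

# Constructed sample log lines (RFC 5737 documentation addresses, made-up names).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jul/2022:10:01:02 +0000] "GET /index.php?id_product=12&controller=product HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jul/2022:10:01:05 +0000] "POST /index.php?fc=module&module=example_vuln_module&controller=ajax HTTP/1.1" 200 231 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jul/2022:10:01:06 +0000] "GET / HTTP/1.1" 200 8890 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jul/2022:10:01:07 +0000] "GET /x1.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.4 - - [22/Jul/2022:10:02:00 +0000] "GET / HTTP/1.1" 200 8890 "-" "Mozilla/5.0"
198.51.100.4 - - [22/Jul/2022:10:02:10 +0000] "GET /index.php?controller=cart HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["target"].split("?", 1)[0]
    rec["has_query"] = "?" in rec["target"]
    return rec


def find_suspicious_sequences(lines, window_seconds=120,
                              known_root_scripts=frozenset({"index.php"})):
    """Flag clients whose requests follow POST -> GET / -> GET /<new>.php.

    The sequence must complete within window_seconds of the POST, and the
    final GET must hit a root-level .php file that is not on the allowlist
    and must be served successfully (a 404 would mean no file was created).
    known_root_scripts is an assumed allowlist the operator fills in.
    """
    alerts = []
    state = {}  # ip -> (stage, post_time, post_target)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        ip = rec["ip"]
        stage, t0, post_target = state.get(ip, (0, None, None))
        # Expire a partially matched sequence that has gone stale.
        if t0 is not None and (rec["time"] - t0).total_seconds() > window_seconds:
            stage, t0, post_target = 0, None, None
        if rec["method"] == "POST":
            # Any POST (re)arms the detector for this client.
            state[ip] = (1, rec["time"], rec["target"])
            continue
        if rec["method"] != "GET":
            state[ip] = (stage, t0, post_target)
            continue
        if stage == 1 and rec["path"] == "/" and not rec["has_query"]:
            state[ip] = (2, t0, post_target)
        elif (stage == 2 and ROOT_PHP_RE.match(rec["path"])
              and rec["path"].lstrip("/") not in known_root_scripts
              and rec["status"].startswith("2")):
            alerts.append({
                "ip": ip,
                "post_target": post_target,
                "php_file": rec["path"],
                "time": rec["time"].isoformat(),
            })
            state[ip] = (0, None, None)
        else:
            state[ip] = (stage, t0, post_target)
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_sequences(SAMPLE_LOG.splitlines()):
        print("possible web shell drop:", alert)
```

A hit is a triage lead, not proof of compromise: confirm it by checking whether the flagged file actually exists at the web root and by reviewing the POST target against the shop's installed modules. Running the check over retained logs also helps establish when a shop was first touched, which matters for deciding how far back card data may have been exposed.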
Merchants using the PrestaShop platform should immediately make sure that their websites and all modules are updated to the latest version, which should prevent them from being exposed to known or actively exploited SQL injection bugs.
The supplier added that there was a chance attackers were exploiting the rarely used MySQL Smarty cache storage feature in their attack vector (which is disabled by default but can be remotely enabled), so users may also wish to physically disable the feature in PrestaShop's code to cut off this particular method.
More information, including indicators of compromise (IoCs), is available from PrestaShop.
Chris Hauk, consumer privacy advocate at cyber security guidance and online privacy specialist Pixel Privacy, said PrestaShop's guidance should be implemented urgently.
“PrestaShop users will want to disable the feature being used for this exploit to break this attack chain. This underscores the need for site administrators to keep their systems updated to the latest version of the operating systems, databases and apps,” said Hauk.
Michael Tanaka, chief commercial officer at multifactor authentication (MFA) supplier Miracl, added: “Evidence currently showing how the PrestaShop platform is being exploited by hackers is a stark reminder that platforms must be updated regularly to ensure you have the latest security benefits.
“Not only maintenance patches, but also new technologies such as zero-knowledge proofs and protocols [ZKPs] that minimise the use of personal data will further harden any platform against attack,” said Tanaka.