PrestaShop websites are reported vulnerable to a major SQL Injection vulnerability (tracked as CVE-2022-36408) and have been exploited in the wild since July 2022.
Founded in 2007, PrestaShop is a freemium, open source e-commerce platform used by hundreds of thousands of website owners to sell products and services online.
PrestaShop 126.96.36.199 through 1.7.x (prior to 188.8.131.52) versions are vulnerable to “previously unknown vulnerability chain” related to SQL injection and MySQL Smarty cache storage injection vulnerabilities. As a result, remote attackers could execute arbitrary code.
“The maintainer team has been made aware that malicious actors are exploiting a combination of known and unknown security vulnerabilities to inject malicious code in PrestaShop websites, allowing them to execute arbitrary instructions, and potentially steal customer’s payment information,” PrestaShop wrote in a blog post.
According to PrestaShop, the attackers typically follow these steps to launch the attack against vulnerable shops:
- The attacker submits a POST request to the vulnerable website to exploit the SQL injection vulnerability.
- After approximately one second, the attacker submits a GET request to the homepage (with no parameters), which creates a PHP file called
blm.phpin the website’s root directory.
- The attacker then submits a GET request to the new file
blm.php, thus allowing the attacker to execute arbitrary instructions.
As a result, the bad actor can then fully compromise the website and inject fake payment forms via the front-office checkout page.
Matt Morrow, from security firm Securi, also discovered an infected PrestaShop website containing a PrestaShop Skimmer malware concealed in One Page Checkout Module. As a consequence, code injection was found overriding the victim website’s payment card form.
PrestaShop released new updates as of July 25 for latest version of PrestaShop 184.108.40.206 that strengthens the MySQL Smarty cache storage against code injection attacks.
Shop owners are highly encouraged to upgrade their websites to latest version as soon as possible to address CVE-2022-36408..
However, PrestaShop also warned shop owners to “be aware that upgrading your software might not be enough to secure your store if it has been hacked already.” Site owners can contact a security specialist if necessary to perform a full audit and remove any malware if detected.