PrestaShop zero-day vulnerability under attack

• PrestaShop stated that websites using outdated versions and modules are the primary targets.
• The zero-day vulnerability affects version 1.6.0.10 or newer and is addressed in version 1.7.8.7.
• The attackers execute arbitrary instructions to inject a fake payment form to steal credit card information.

PrestaShop, an open-source eCommerce solution popular especially in Europe and Latin America and preferred by approximately 300,000 online stores globally, warned its users about a vulnerability, which is currently under attack. The company stated that attackers are exploiting a vulnerability to inject malicious code to steal sensitive information from checkout pages. Websites using outdated versions or modules are the primary targets of the attackers.

Stealing payment information

The PrestaShop team stated that they have discovered a zero-day vulnerability, which is addressed in version 1.7.8.7. However, they also stated that they are not sure if it is the only way to perform the attack. It is an SQL injection vulnerability. The vulnerability, tracked as CVE-2022-36408, affects versions 1.6.0.10 or newer. Additionally, the 1.7.8.2 and newer versions are at risk if they are running a module vulnerable to SQL injection attacks.

The team contacted the shop owners to learn more about the attacks:

1. The attacker submits a POST request to the endpoint vulnerable to SQL injection.
2. After approximately one second, the attacker submits a GET request to the homepage, with no parameters. This results in a PHP file called blm.php being created at the root of the shop’s directory.
3. The attacker now submits a GET request to the new file that was created, blm.php, allowing them to execute arbitrary instructions.

The exploitation of the vulnerability allows attackers to submit a crafted request, enabling them to execute arbitrary instructions, such as injecting a fake payment form to steal credit card information. The team urged users to update the software and all of the modules to the latest versions. The team also said that attackers may be using MySQL Smarty cache storage features, which are disabled by default but can be enabled by the attacker remotely. To physically disable the feature, users need to locate the config/smarty.config.inc.php on the PrestaShop install and remove lines 43-46 (for 1.7.x.x) or 40-43 (for 1.6.x.x):

if (Configuration::get('PS_SMARTY_CACHING_TYPE') == 'mysql') {

    include _PS_CLASS_DIR_.'Smarty/SmartyCacheResourceMysql.php';

    $smarty->caching_type = 'mysql';

}

The company also said,

« PrestaShop 1.7.8.7 has been released to strengthen the MySQL Smarty cache storage against code injection attacks. We would like to take the opportunity to stress out once more the importance of keeping your system updated to prevent such attacks. This means regularly updating both your PrestaShop software and its modules, as well as your server environment. »