Vulnerability issue in Prestashop versions 1.6 and 1.7 - MySQL Smarty cache storage

A newly found exploit could allow remote attackers to take control of your shop.

Attackers have found a way to use a security vulnerability to carry out arbitrary code execution in servers running PrestaShop websites.  To the best of our understanding, this issue seems to concern shops based on versions or greater, subject to SQL injection vulnerabilities. Versions and greater are not vulnerable unless they are running a module or custom code which itself includes an SQL injection vulnerability. 

Note that versions 2.0.0~2.1.0 of the Wishlist (blockwishlist) module are vulnerable.

How the attack works

The attack requires the shop to be vulnerable to SQL injection exploits. To the best of our knowledge, the latest version of PrestaShop and its modules are free from these vulnerabilities. We believe attackers are targeting shops using outdated software or modules, vulnerable third-party modules, or a yet-to-be-discovered vulnerability.

According to our conversations with shop owners and developers, the recurring modus operandi looks like this:

  1. The attacker submits a POST request to the endpoint vulnerable to SQL injection.
  2. After approximately one second, the attacker submits a GET request to the homepage, with no parameters. This results in a PHP file called blm.php being created at the root of the shop’s directory.
  3. The attacker now submits a GET request to the new file that was created, blm.php, allowing them to execute arbitrary instructions.

After the attackers successfully gained control of a shop, they injected a fake payment form on the front-office checkout page. In this scenario, shop customers might enter their credit card information on the fake form, and unknowingly send it to the attackers.

While this seems to be the common pattern, attackers might be using a different one, by placing a different file name, modifying other parts of the software, planting malicious code elsewhere, or even erasing their tracks once the attack has been successful.

Vulnerability mitigation recommendations

First of all, make sure that your shop and all your modules are updated to their latest version. This should prevent your shop from being exposed to known and actively exploited SQL injection vulnerabilities.

According to our current understanding of the exploit, attackers might be using MySQL Smarty cache storage features as part of the attack vector. This feature is rarely used and is disabled by default, but it can be enabled remotely by the attacker. Until a patch has been published, we recommend physically disabling this feature in PrestaShop’s code in order to break the attack chain.

To do so, locate the file config/ on your PrestaShop install, and remove lines 43-46 (PrestaShop 1.7) or 40-43 (PrestaShop 1.6):

How to tell if you have been affected

Consider looking at your server’s access log for the attack pattern explained above. This is an example shared by a community member:

(Note: the vulnerable module’s path has been modified for security reasons)

Be aware that not finding this pattern on your logs doesn’t necessarily mean that your shop has not been affected by the attack: the complexity of the exploit means that there are several ways of performing it, and attackers might also try and hide their tracks.

Consider contacting a specialist to perform a full audit of your site and make sure that no file has been modified nor any malicious code has been added.

Additional information

PrestaShop has been released to strengthen the MySQL Smarty cache storage against code injection attacks. Special thanks to Dominik Shaim who first reached out to the security team and helped investigate the vulnerability.

We would like to take the opportunity to stress out once more the importance of keeping your system updated to prevent such attacks. This means regularly updating both your PrestaShop software and its modules, as well as your server environment.

(Note: the original article has been updated on Monday, July 25, 2022, to add information about the release of PrestaShop

Прийом онлайн-платежів в інтернет-магазині

Сучасний інтернет-магазин складно уявити без можливості оплати товарів або послуг онлайн за допомогою банківської картки будь-якого банку. Для автоматизації оплати замовлень в інтернет-магазині необхідно підключити інтернет-еквайринг.

Кулінарні курси з канібалізму

Warning! This material is the result of an AI experiment. The task is to generate a text using artificial intelligence on a commercial topic (service), but in fact such a service does not exist and cannot exist. Treat it like a joke.

3 Ways to Check if a Port is Open on a Remote Linux System

How to check if a port is open on a remote Linux system using various commands - Netcat, Nmap ,Telnet.