A vulnerability affecting open source e-commerce platform PrestaShop could spell trouble for servers running PrestaShop websites. The 15-year-old organisation's platform is currently used by around 300,000 shops worldwide. The exploit is very dependent on specific versions in use, so one PrestaShop customer may see different results to another.

What's happening?

The exploit has its own CVE, known as CVE-2022-36408, and (from PrestaShop's security advisory) relates to a "previously unknown vulnerability chain that we are fixing". PrestaShop goes on to say that:

...this issue seems to concern shops based on versions 1.6.0.10 or greater, subject to SQL injection vulnerabilities. Versions 1.7.8.2 and greater are not vulnerable unless they are running a module or custom code which itself includes an SQL injection vulnerability. Note that versions 2.0.0~2.1.0 of the Wishlist (blockwishlist) module are vulnerable.

If the shop is vulnerable to SQL injection exploits, then based on available information so far it's almost certainly running old, outdated modules. There's a possibility that vulnerable third-party modules may also be responsible. Assuming everything is in place for the attack to happen, it plays out like this:

  1. The attacker submits a POST request to the endpoint vulnerable to SQL injection.
  2. After approximately one second, the attacker submits a GET request to the homepage, with no parameters. This results in a PHP file called blm.php being created at the root of the shop’s directory.
  3. The attacker now submits a GET request to the new file that was created, blm.php, allowing them to execute arbitrary instructions.

Once control is gained of the shop, a fake payment form is injected into the checkout page. At this point, shop customers submitting payment data will be sending their details to the attacker and not the genuine store owner. PrestaShop notes that this may not be the only tactic at play—it's possible different file names, software modification, or even malicious code may be worked into the mix. The current level of uncertainty as to exact method used, or if third-party aspects are involved, is to the attacker's advantage.

How to defend against this vulnerability

PrestaShop advises to ensure both shop and modules are running their latest versions. Users should also disable a rarely used feature called MySQL Smarty. This is disabled by default, but can be activated remotely by an attacker. The advise here is to physically disable it like so:

Locate the file config/smarty.config.inc.php on your PrestaShop install, and remove lines 43-46 (PrestaShop 1.7) or 40-43 (PrestaShop 1.6).

At the time of writing, PrestaShop suggests shop owners "contact a specialist" to perform a full audit of the site and ensure nothing has been modified or had malicious code added. Finally, shop owners are advised to download the latest release, PrestaShop 1.7.8.7 which addresses the vulnerability.

A note of caution: there's uncertainty over whether this addresses all versions of the attack. Additionally, if your store has already been hacked then this update may not be enough to fix the lurking problem. The best remedy here is to get your update in early and try to beat the attackers to the punch.