v1.6-v1.7 Major Security Vulnerability On PrestaShop Websites (Published Jul 22, 2022)

M

Marc

Active member
XNullUser
Joined
Feb 27, 2021
Messages
438
Reaction score
31
Points
28
NullCash
29
Attackers have found a way to use a security vulnerability to carry out arbitrary code execution in servers running PrestaShop websites. For details, please read the entire article.

What’s happening​

The maintainer team has been made aware that malicious actors are exploiting a combination of known and unknown security vulnerabilities to inject malicious code in PrestaShop websites, allowing them to execute arbitrary instructions, and potentially steal customer’s payment information.

While investigating this attack, we found a previously unknown vulnerability chain that we are fixing. At the moment, however, we cannot be sure that it’s the only way for them to perform the attack. To the best of our understanding, this issue seems to concern shops based on versions 1.6.0.10 or greater, subject to SQL injection vulnerabilities. Versions 1.7.8.2 and greater are not vulnerable unless they are running a module or custom code which itself includes an SQL injection vulnerability. Note that versions 2.0.0~2.1.0 of the Wishlist (blockwishlist) module are vulnerable.

How the attack works​

The attack requires the shop to be vulnerable to SQL injection exploits. To the best of our knowledge, the latest version of PrestaShop and its modules are free from these vulnerabilities. We believe attackers are targeting shops using outdated software or modules, vulnerable third-party modules, or a yet-to-be-discovered vulnerability.

According to our conversations with shop owners and developers, the recurring modus operandi looks like this:

  1. The attacker submits a POST request to the endpoint vulnerable to SQL injection.
  2. After approximately one second, the attacker submits a GET request to the homepage, with no parameters. This results in a PHP file called blm.php being created at the root of the shop’s directory.
  3. The attacker now submits a GET request to the new file that was created, blm.php, allowing them to execute arbitrary instructions.
After the attackers successfully gained control of a shop, they injected a fake payment form on the front-office checkout page. In this scenario, shop customers might enter their credit card information on the fake form, and unknowingly send it to the attackers.

While this seems to be the common pattern, attackers might be using a different one, by placing a different file name, modifying other parts of the software, planting malicious code elsewhere, or even erasing their tracks once the attack has been successful.

What to do to keep your shop safe​

First of all, make sure that your shop and all your modules are updated to their latest version. This should prevent your shop from being exposed to known and actively exploited SQL injection vulnerabilities.

According to our current understanding of the exploit, attackers might be using MySQL Smarty cache storage features as part of the attack vector. This feature is rarely used and is disabled by default, but it can be enabled remotely by the attacker. Until a patch has been published, we recommend physically disabling this feature in PrestaShop’s code in order to break the attack chain.

To do so, locate the file config/smarty.config.inc.php on your PrestaShop install, and remove lines 43-46 (PrestaShop 1.7) or 40-43 (PrestaShop 1.6):
Code: 
if (Configuration::get('PS_SMARTY_CACHING_TYPE') == 'mysql') {
    include _PS_CLASS_DIR_.'Smarty/SmartyCacheResourceMysql.php';
    $smarty->caching_type = 'mysql';
}


LINK TO THE ARTICLE
 
S

savvato

Member
XNullUser
Joined
Oct 22, 2021
Messages
40
Reaction score
2
Points
8
NullCash
15
For information, the blm.php file is removed after the injection.
The XXXXXX.js file is created in the site's /js directory.
It is generated from PHP injections made in several php files:
- /classes/Controller.php (Added in smartyOutputContent() function)
- /classes/Db/Db.php (added at the end of the file)
- /controllers/AdminLoginController.php (added to processLogin() function) Applies to 1.5/1.6 only
- /classes/modules/Module.php (added to the end of the file) and modification of the _generateConfigXml() function

As a result, your payment modules become invisible and are replaced by a payment page with all the information about the payment (amount, country, origin, contact details, etc.), and an order for the same amount is sent to a Chinese bank in a Chinese store.
If the client confirms 3DSecure, then the payment is confirmed.
Post automatically merged:

additional check: if the mysql smart cache is enabled, switch to the file system cache
Prestashop 1.6/1.7 are vulnerable when this feature is enabled.
 
Last edited:
You must log in or register to reply here.
Top