Cybercriminals are targeting e-commerce websites running the PrestaShop platform in order to steal customers' payment information. They are abusing a previously unknown vulnerability chain to execute malicious code.
The PrestaShop zero-day
- The attacks target PrestaShop versions 1.6.0.10 or later if they run modules that are vulnerable to SQL injection. Users of versions 1.7.8.2 and above are not at risk by default, but they can still be affected if they run any modules (such as Wishlist 2.0.0 to 2.1.0) that are vulnerable to SQL injection attacks.
- The abused vulnerability is tracked as CVE-2022-36408. Successful exploitation leads to arbitrary code execution on servers hosting PrestaShop websites.
- To carry out the attack, the attacker sends a POST request to a vulnerable endpoint, followed by a parameterless GET request to the homepage, which creates a blm[.]php file in the root directory.
- blm[.]php is a web shell that allows attackers to run remote commands on the targeted server. This web shell is used to inject a fake payment form into the store's checkout page.
- Moreover, the attackers may plant malicious code anywhere on the website.
- After the attack, the remote attackers erase their traces, which prevents the website owner from discovering that they have been breached.
- If the attackers fail to wipe their tracks, website admins may find entries in the web server's access logs that indicate the compromise.
- Another sign is the activation of the MySQL Smarty cache storage feature.
Ensure that the PrestaShop site and all modules are patched with the latest update or security patch. This prevents online stores from being exposed to known and actively exploited SQL injection flaws. Further, experts recommend disabling the MySQL Smarty cache storage feature until a patch is issued.
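As an added example (not part of the original write-up), the following Python script scans web server access logs for the two traces described above: any request for blm.php, and a POST to some endpoint followed shortly by a parameterless GET to the homepage from the same client. The log lines, the client IPs and the module endpoint path are constructed for illustration; the real vulnerable endpoint is not named in the write-up.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_indicators(lines, window_seconds=60):
    """Return (kind, client_ip, path) findings for the two indicators of compromise."""
    findings = []
    last_post = {}  # client ip -> (timestamp, path) of its most recent POST
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # skip lines that do not match the expected format
        path = rec["path"]
        # Indicator 1: any request for the blm.php web shell dropped in the web root.
        if path.split("?", 1)[0].lower().endswith("/blm.php"):
            findings.append(("webshell_path", rec["ip"], path))
        # Indicator 2: POST to an endpoint, then a bare GET to the homepage shortly after.
        if rec["method"] == "POST":
            last_post[rec["ip"]] = (rec["ts"], path)
        elif rec["method"] == "GET" and path in ("/", "/index.php"):
            prev = last_post.get(rec["ip"])
            if prev and rec["ts"] - prev[0] <= timedelta(seconds=window_seconds):
                findings.append(("post_then_bare_get", rec["ip"], prev[1]))
    return findings

# Constructed sample log (RFC 5737 documentation addresses; hypothetical module path).
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jul/2022:10:15:01 +0000] "POST /modules/example-module/ajax.php HTTP/1.1" 200 512
203.0.113.5 - - [22/Jul/2022:10:15:03 +0000] "GET / HTTP/1.1" 200 20480
203.0.113.5 - - [22/Jul/2022:10:15:09 +0000] "POST /blm.php HTTP/1.1" 200 64
198.51.100.7 - - [22/Jul/2022:10:20:00 +0000] "GET /index.php?controller=product&id_product=3 HTTP/1.1" 200 30000
198.51.100.7 - - [22/Jul/2022:10:20:05 +0000] "GET / HTTP/1.1" 200 20480
""".splitlines()

if __name__ == "__main__":
    for kind, ip, path in find_indicators(SAMPLE_LOG):
        print(f"{kind}: client={ip} path={path}")
```

A hit on either heuristic is a reason to inspect the web root for unexpected PHP files and to check whether the MySQL Smarty cache storage feature has been enabled without an administrator doing so.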