Zero Day Attacks Target Online Stores Using PrestaShop | Security Affairs

Threat actors are exploiting a zero-day vulnerability to steal payment information from sites using the open-source e-commerce platform PrestaShop.

Threat actors are targeting websites that run the open-source e-commerce platform PrestaShop by exploiting a zero-day flaw, tracked as CVE-2022-36408, which allows the execution of arbitrary code and can lead to the theft of customers’ payment information.

PrestaShop is currently used by 300,000 stores worldwide and is available in 60 different languages.

The vulnerability affects PrestaShop versions or later, and versions or later that run modules vulnerable to SQL injection (for example, the Wishlist module 2.0.0 to 2.1.0).

“The maintenance team has been made aware that malicious actors are exploiting a combination of known and unknown security vulnerabilities to inject malicious code into PrestaShop websites, allowing them to execute arbitrary instructions and potentially steal clients’ payment information,” reads the advisory released by the PrestaShop maintainers. “In investigating this attack, we have found a chain of previously unknown vulnerabilities that we are patching.”

Threat actors target online stores running outdated software or modules, or third-party modules affected by known vulnerabilities or zero-day flaws.

Below is the attack chain pieced together by experts investigating the attacks:

  1. The attacker submits a POST request to the endpoint vulnerable to SQL injection.
  2. After about a second, the attacker submits a GET request to the homepage, with no parameters. This results in the creation of a PHP file called blm.php in the root of the store directory.
  3. The attacker now submits a GET request to the newly created file, blm.php, which allows them to execute arbitrary instructions.
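The three-step sequence above leaves a recognisable trace in web-server access logs: a POST from one client, a parameterless GET of the homepage a moment later, and then a GET of `/blm.php`. The following script is an added detection example written for this article, not code from PrestaShop or from the researchers; it parses combined-format access-log lines, groups them by source IP and flags both the full chain and any request to `/blm.php` on its own. The log lines are constructed, the POST path is a placeholder (the real vulnerable endpoint depends on the module installed), and the 10-second window is an assumed tolerance around the "about a second" gap the report describes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format). The module path in
# the first POST is a placeholder, not a real PrestaShop endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jul/2022:10:15:01 +0000] "POST /index.php?fc=module&module=placeholder_vulnerable_module HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Jul/2022:10:15:02 +0000] "GET / HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Jul/2022:10:15:03 +0000] "GET /blm.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Jul/2022:10:16:10 +0000] "GET /index.php?id_product=12&controller=product HTTP/1.1" 200 30112 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Jul/2022:10:16:40 +0000] "POST /index.php?controller=cart HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Jul/2022:10:17:00 +0000] "GET / HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

WEBSHELL_PATH = "/blm.php"  # file name named in the researchers' attack chain


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def _bare_path(path):
    """Strip the query string so '/blm.php?x=1' still matches '/blm.php'."""
    return path.split("?", 1)[0]


def find_chain(log_text, window_seconds=10):
    """Return a list of findings over the given log text.

    Two finding types are produced:
      - 'webshell_request': any request whose path is /blm.php, regardless of context
      - 'exploit_chain':    POST -> GET / (no query string) -> GET /blm.php from the
                            same IP, all within window_seconds of the POST
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])

        # Any hit on the dropped file is worth an alert on its own.
        for r in recs:
            if _bare_path(r["path"]) == WEBSHELL_PATH:
                findings.append({"ip": ip, "type": "webshell_request", "ts": r["ts"]})

        # Look for the full three-step sequence starting at each POST.
        for i, post in enumerate(recs):
            if post["method"] != "POST":
                continue
            deadline = post["ts"] + timedelta(seconds=window_seconds)
            saw_homepage = False
            for later in recs[i + 1:]:
                if later["ts"] > deadline:
                    break
                if later["method"] == "GET" and later["path"] == "/":
                    saw_homepage = True
                elif saw_homepage and later["method"] == "GET" \
                        and _bare_path(later["path"]) == WEBSHELL_PATH:
                    findings.append({"ip": ip, "type": "exploit_chain", "ts": post["ts"]})
                    break
    return findings


if __name__ == "__main__":
    for f in find_chain(SAMPLE_LOG):
        print(f"{f['type']:17s} from {f['ip']} at {f['ts'].isoformat()}")
```

Run against a real log with `find_chain(open("access.log").read())`. The second client in the sample performs a normal POST and a later homepage GET, but outside the window and with no `/blm.php` request, so it is not flagged; the chain check deliberately requires all three steps rather than alerting on every POST-then-homepage pair, which ordinary shopping traffic produces constantly.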

Once the attackers took over the online store, they injected a fake checkout form on the front-office checkout page to steal credit card information when visitors make purchases.

Researchers provided indicators of compromise for these attacks, such as the MySQL Smarty cache storage feature having been enabled.

“Be aware that not finding this pattern in your logs does not necessarily mean your store was unaffected by the attack: the complexity of the exploit means there are multiple ways to execute it, and attackers may also try to hide their tracks.” concludes the report.

Administrators must install the PrestaShop version


Pierluigi Paganini

(Security Affairs: hacking, CMS)
