PrestaShop alert: a 0-day flaw lets attackers steal customers' payment information


Alexander Boero

July 26, 2022 at 1:50 p.m.


The open source e-commerce CMS PrestaShop is hit by a 0-day vulnerability that attackers are actively exploiting to steal customers' payment card data.

PrestaShop, the open source platform that lets anyone build their own online store, is seeing attackers exploit a 0-day (zero-day) flaw, that is, a security vulnerability found and exploited before the developers are aware of it, in order to steal the payment information entered by customers of stores built on the CMS.

PrestaShop gives details on the potentially vulnerable versions

Attackers took advantage of the vulnerability to inject malicious skimmer code. A skimmer, in this context, is code injected into an e-commerce platform such as PrestaShop to capture the information customers type in, above all their payment data.

"Attackers found a way to use a security vulnerability to perform arbitrary code execution on servers running PrestaShop websites", the company's team explains to its 300,000 merchants in a blog post.

PrestaShop is not certain that the chain of vulnerabilities it identified is the only way the attackers carry out their attack. "To the best of our knowledge, this issue appears to affect stores based on versions 1.6.0.10 or higher, which are prone to SQL injection vulnerabilities", the company adds. According to its post, versions 1.7.8.2 and above are not vulnerable unless a module or custom code running on the store contains an SQL injection flaw of its own, so a recent core version alone is not a guarantee; the claim deserves to be read with that caveat in mind.

The attack relies on an SQL injection vulnerability (SQL: Structured Query Language), a widespread class of flaw in which untrusted input is pasted into a database query, letting the attacker change the meaning of that query to bypass access checks and read, or modify, protected sensitive data. Sites that build queries by concatenating raw user input, instead of using parameterised queries and strict input validation, are the typical victims.
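The following is an added example written for this article, not PrestaShop code and not the flaw the attackers used. It shows the mechanism in the smallest possible form, in Python with an in-memory SQLite table (PrestaShop itself is PHP on MySQL, but the bug is identical in any language): one lookup concatenates the caller's input into the SQL text, the other passes it as a bound parameter. The customer table and the rows in it are constructed for the demo.

```python
import sqlite3

# Constructed in-memory table standing in for a shop's customer data.
# Example code for this article; it is not PrestaShop code.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customer (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "4242"), ("bob@example.com", "1111")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # Untrusted input is concatenated straight into the SQL text, so a quote
    # character in `email` ends the string literal and the rest of the input
    # becomes part of the query: the classic SQL injection bug.
    sql = "SELECT email, card_last4 FROM customer WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    # Parameterised query: the value travels separately from the statement, so
    # it can only ever be compared against the column, never parsed as SQL.
    sql = "SELECT email, card_last4 FROM customer WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# An attacker-controlled value that turns the WHERE clause into a tautology.
PAYLOAD = "nobody@example.com' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))  # every row leaks
    print("safe:      ", lookup_safe(db, PAYLOAD))        # no row matches
```

With the payload, the vulnerable lookup returns every customer in the table while the parameterised one returns nothing, because the database never sees the quote as syntax. The same discipline applies to every query built from request data in a module, which is exactly where PrestaShop says the injection points live.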

A fake payment form to harvest customers' card details, while they notice nothing

In PrestaShop's case, the attackers appear to have sent a POST request (whose parameters travel in the request body rather than in the URL, so users do not see them) to the endpoint vulnerable to SQL injection. POST is the method a browser uses, for example, to submit a form or upload a photo: it sends data or files to the server.

About a second later, the attacker sends a GET request, the method used to fetch pages and to pass settings such as sort order, search terms or filters in the URL, where they are visible in the address bar. This one goes to the home page, with no parameters at all. "This results in the creation of a PHP file named blm.php, at the root of the shop directory", the post explains.

The attacker then sends another GET request to the file that was just created, which lets him execute arbitrary instructions on the server. Once they have taken control of a PrestaShop store, all the attackers have to do is inject a fake payment form on the checkout page. Customers notice nothing, enter their card details into the fake form, and the attackers collect the data.
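The three-step sequence described above (a POST to the injectable endpoint, a bare GET to the home page a moment later, then a GET to a freshly created PHP file at the shop root) is visible in an ordinary web server access log. The script below is an added example for this article, not a tool from PrestaShop: it parses combined-format log lines and flags any client that performs that sequence within a short window. The log lines are constructed for the demo with documentation IP ranges, the POST target is a placeholder for whatever endpoint is injectable on a given shop, and `KNOWN_ROOT_PHP` is a hypothetical allowlist that should be built from the files really present on the install.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache/Nginx "combined" log format. They are not a
# real capture; the POST target is a placeholder for an injectable endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jul/2022:10:12:01 +0000] "POST /module/examplemodule/ajax HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jul/2022:10:12:02 +0000] "GET / HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jul/2022:10:12:03 +0000] "GET /blm.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Jul/2022:10:15:30 +0000] "GET /index.php?controller=product&id_product=12 HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Jul/2022:10:15:45 +0000] "POST /index.php?controller=cart HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Jul/2022:10:15:46 +0000] "GET / HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Hypothetical allowlist of PHP files legitimately served from the shop root.
# Build the real list from the files actually present on your install.
KNOWN_ROOT_PHP = {"index.php"}


def parse_line(line: str):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def is_unknown_root_php(path: str) -> bool:
    """True for a request such as /blm.php: a PHP file at the web root not on the allowlist."""
    bare = path.split("?", 1)[0]
    m = re.fullmatch(r"/([^/]+\.php)", bare)
    return bool(m) and m.group(1) not in KNOWN_ROOT_PHP


def find_webshell_chains(log_text: str, window: timedelta = timedelta(seconds=10)) -> list:
    """Return (ip, post_path, php_path) triples for clients that, within `window`,
    sent a POST, then a GET to / with no query string, then a GET to an
    unexpected root-level .php file, in that order."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    hits = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        for i, post in enumerate(events):
            if post["method"] != "POST":
                continue
            saw_bare_root = False
            for follow in events[i + 1:]:
                if follow["ts"] - post["ts"] > window:
                    break
                if follow["method"] == "GET" and follow["path"] == "/":
                    saw_bare_root = True
                elif saw_bare_root and follow["method"] == "GET" and is_unknown_root_php(follow["path"]):
                    hits.append((ip, post["path"], follow["path"]))
                    break
    return hits


if __name__ == "__main__":
    for ip, post_path, php_path in find_webshell_chains(SAMPLE_LOG):
        print(f"suspicious chain from {ip}: POST {post_path} -> GET / -> GET {php_path}")
```

Only the first client is flagged: the second one also posts and then loads the home page, which is normal shopping traffic, but never requests an unexpected PHP file afterwards. A hit is a lead to verify, not proof of compromise: check whether the named file exists on disk, when it was created, and what else that IP touched, and treat any unlisted `.php` at the shop root as suspect even without the preceding POST.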

PrestaShop urges all merchants to check that their store and its modules are updated to the latest version (version 1.7.8.2 or higher for the core).

Source : PrestaShop-Blog


