PrestaShop Facebook Module Compromised by Credit Card Skimmers

A flaw in a third-party PrestaShop module is being used to deploy web skimmers that steal the credit card details shoppers enter during checkout.

A flaw in the pkfacebook module for PrestaShop has been exploited by attackers to plant card skimmers on affected e-commerce sites and gain unauthorized access to payment data. PrestaShop is an open-source e-commerce platform that powers roughly 300,000 online stores globally. The pkfacebook module, developed by Promokit, provides Facebook login, commenting, and Messenger integration for shop visitors.

SQL Injection Vulnerability

Identified as CVE-2024-36680, the issue is an SQL injection vulnerability in the facebookConnect.php Ajax script of the pkfacebook module: user-controlled input from an HTTP request reaches a database query without proper escaping or parameterisation, so a remote attacker can inject SQL with a crafted request. Researchers at TouchWeb flagged the vulnerability on March 30, 2024. Promokit claims to have fixed the flaw "a long time ago" but has not provided proof of the fix, BleepingComputer reports.

Proof-of-Concept and Active Exploitation

Friends-of-Presta, a community initiative that supports the development and growth of the PrestaShop platform, has published a proof-of-concept exploit for CVE-2024-36680 and reports that the vulnerability is being actively exploited.

The flaw is being used to deploy web skimmers that steal credit card details. Web skimming, also known as formjacking or a Magecart attack, is an attack in which malicious JavaScript is injected into an e-commerce site's pages so that card numbers and other sensitive data entered by shoppers during checkout are copied to an attacker-controlled server.

Promokit has not provided the latest version of the module to Friends-of-Presta, so an independent party has been unable to confirm that any fix exists. Friends-of-Presta therefore recommends treating every version of pkfacebook as potentially insecure.

Recommended Mitigations

Friends-of-Presta suggests several mitigations. The first is upgrading PrestaShop itself to the latest version, which disables multi-query execution (several statements chained with semicolons in one request). This blocks stacked-query payloads but does not prevent SQL injection via UNION clauses, which need only a single statement.

SQL injection via UNION clauses is a form of SQL injection that exploits the UNION SQL operator, which combines the result sets of two or more SELECT queries into one. When an application concatenates unsanitised user input into a query string, an attacker can close the intended WHERE clause and append a UNION SELECT that reads from any other table the database user can access (the employee or customer table, for instance), with the results returned through the application's normal response. Because the whole payload is one statement, disabling multi-query execution does nothing against it; only parameterised queries or correct escaping do.

They also recommend using pSQL, PrestaShop's own escaping helper, for values that end up in queries. Besides escaping for SQL, pSQL applies strip_tags by default, which also helps mitigate stored cross-site scripting (XSS) when a value later ends up in a page.

Additionally, changing the default "ps_" table prefix to a longer custom string raises the bar slightly, but it is not a real control: an attacker who can already run UNION queries can read the actual table names from the database's information_schema. Activating the 942 rule group of the OWASP ModSecurity Core Rule Set (CRS) on a Web Application Firewall (WAF) is also advised. The 942xxx rules are the CRS's SQL injection rules: after URL-decoding and normalising request parameters, they match patterns commonly associated with injection attempts, such as SQL keywords and operators (UNION, SELECT, statement separators, comment sequences) appearing where only data is expected.
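As an added illustration of what the WAF rules do (this is example code written for this article, not the CRS rules themselves nor anything from PrestaShop), the script below runs a deliberately small, CRS-style check over a few constructed access-log lines. The log lines, IP addresses and the `fbid` query parameter name are all placeholders; the rule names are local labels, not CRS rule IDs. The point it makes is the normalisation step: the WAF must URL-decode (twice, to catch double encoding), drop inline comments and fold case before matching, otherwise `x%27/**/UNION/**/SELECT` slips past a pattern written for `' UNION SELECT`. A benign search for "union jack flag" is included to show why matching on the bare keyword would be a false positive.

```python
# Added example, not from the original article, PrestaShop or the OWASP CRS.
# A minimal detector in the spirit of CRS rule group 942, applied offline to
# constructed log lines in common log format.
import re
from urllib.parse import unquote_plus

# Constructed sample log. The query parameter name 'fbid' is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Nov/2024:10:00:01 +0100] "GET /modules/pkfacebook/facebookConnect.php?fbid=1001 HTTP/1.1" 200 512
203.0.113.9 - - [07/Nov/2024:10:00:02 +0100] "GET /modules/pkfacebook/facebookConnect.php?fbid=x%27+UNION+SELECT+email%2Cpasswd+FROM+ps_employee--+ HTTP/1.1" 200 2048
203.0.113.9 - - [07/Nov/2024:10:00:03 +0100] "GET /modules/pkfacebook/facebookConnect.php?fbid=x%2527/**/UNION/**/SELECT+email%2Cpasswd+FROM+ps_employee--+ HTTP/1.1" 200 2048
203.0.113.9 - - [07/Nov/2024:10:00:04 +0100] "GET /modules/pkfacebook/facebookConnect.php?fbid=x%27%3B+DROP+TABLE+ps_orders--+ HTTP/1.1" 500 128
198.51.100.2 - - [07/Nov/2024:10:00:05 +0100] "GET /index.php?controller=product&id_product=42 HTTP/1.1" 200 9000
198.51.100.7 - - [07/Nov/2024:10:00:06 +0100] "GET /index.php?search_query=union+jack+flag HTTP/1.1" 200 7000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Simplified signatures; labels are local names, not CRS rule IDs.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b(?:\s+(?:all|distinct))?\s+select\b"),
    "stacked_query": re.compile(r";\s*(?:drop|delete|insert|update|alter|create|truncate)\b"),
}


def normalise(target: str) -> str:
    """Apply the transformations a WAF runs before pattern matching:
    URL-decode twice (double encoding), treat /**/ comments as whitespace,
    collapse runs of whitespace, fold case."""
    s = unquote_plus(unquote_plus(target))
    s = re.sub(r"/\*.*?\*/", " ", s)
    s = re.sub(r"\s+", " ", s)
    return s.lower()


def inspect_log(text: str):
    """Return (client_ip, rule_name, raw_target) for every matching request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        norm = normalise(m["target"])
        for name, pattern in SIGNATURES.items():
            if pattern.search(norm):
                hits.append((m["ip"], name, m["target"]))
    return hits


if __name__ == "__main__":
    for ip, rule, target in inspect_log(SAMPLE_LOG):
        print(f"{ip}  {rule:14}  {target}")
```

The third log line is double-encoded (`%2527` decodes to `%27` and then to `'`) and comment-obfuscated; it is only caught because `normalise()` decodes twice and strips the comments, which is exactly the kind of transformation chain the CRS applies before its 942 patterns run.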

According to the National Vulnerability Database (NVD), all versions up to and including 1.0.1 are affected. The latest version listed by Promokit is 1.0.0, leaving the patch status ambiguous. SQL injection flaws of this type are frequently targeted on webshop platforms because they let an attacker read or modify the database directly, including back-office credentials, and from there gain admin privileges and access to sensitive data.

Last Updated on November 7, 2024 3:49 pm CET

Markus Kasanmascheff
Markus has been covering the tech industry for more than 15 years. He holds a Master's degree in International Economics and is the founder and managing editor of Winbuzzer.com.
