PrestaShop Sites Under Attack via Facebook Module Vulnerability (CVE-2024-36680)

A critical vulnerability in a popular PrestaShop module, “Facebook” (pkfacebook) by Promokit.eu, has been discovered and is being actively exploited by cybercriminals to deploy web skimmers and steal credit card data. The vulnerability, identified as CVE-2024-36680 with a CVSS score of 9.8, allows unauthorized users to inject malicious SQL code into the website’s database, potentially leading to a complete takeover of the e-commerce platform.

What is the Vulnerability?

The vulnerability resides in the facebookConnect.php script within the Facebook module. Attackers can exploit this flaw by sending specially crafted HTTP requests, enabling them to execute arbitrary SQL commands. This can give them access to sensitive data, including customer information, payment details, and administrative credentials.

Who is Affected?

All versions of the “Facebook” module developed by Promokit.eu are believed to be affected by this vulnerability. The module’s author has confirmed the issue but has not provided information on which specific versions are impacted, making it crucial for all users to take immediate action.

How Attackers are Exploiting the Vulnerability

Threat actors are actively using this vulnerability to deploy web skimmers, malicious scripts designed to steal credit card information during checkout. This poses a significant risk to both e-commerce stores and their customers, potentially leading to financial fraud and identity theft.

Proof of Concept

A proof-of-concept (PoC) demonstrating the exploitability of the CVE-2024-36680 vulnerability involves a simple curl command:

curl -v "https://preprod.X/modules/pkfacebook/ajax/facebookConnect.php?id=1";select(0x73656C65637420736C656570283432293B)INTO@a;prepare`b`from@a;execute`b`;--&email=test@test.fr

This command showcases how an attacker can forge a SQL injection to manipulate the database.

What Can You Do?

1. Upgrade Immediately: The most effective way to mitigate this risk is to upgrade to the latest version of the pkfacebook module. However, it is important to note that this alone may not fully protect against all SQL injection attacks.
2. Disable Multiquery Executions: Upgrading to the latest version of PrestaShop will disable multiquery executions, reducing the attack surface but not eliminating it entirely.
3. Change Database Prefix: Changing the default database prefix to a longer, arbitrary one can provide an additional layer of security, but it is not foolproof.
4. Activate WAF Rules: Activating OWASP 942’s rules on your Web Application Firewall (WAF) can help protect against SQL injection attacks. However, it is important to configure bypasses for legitimate traffic to avoid disrupting your website’s functionality.
5. Monitor for Suspicious Activity: Regularly review your website logs and monitor for any unusual activity that could indicate a compromise.

Important Considerations

It is crucial to note that while these mitigation steps can help reduce the risk, they do not guarantee complete protection. The PrestaShop platform itself includes a function called pSQL, which helps prevent certain types of attacks. However, it is essential to ensure that all security functions are properly implemented and used consistently throughout your project to minimize the risk of vulnerabilities.

If you are unsure how to apply these security measures, it is highly recommended to seek assistance from a qualified cybersecurity professional.