Plugin Exploit

PrestaShop’s Customer Photo Gallery Module Vulnerable to SQL Injection Attacks, Versions < 2.9.3 Affected

Updated on: September 8, 2021

PrestaShop’s Customer Photo Gallery Module Vulnerable to SQL Injection Attacks, Versions < 2.9.3 Affected

Recently, Astra Security researcher Prince Mendiratta discovered a critical SQLi vulnerability in PrestaShop’s Customer Photo Gallery, version 2.9.3 and below. If not mitigated, this could lead to complete compromise of the database, manipulation of critical application data, interference with application logic, or complete takeover of the server & website.

Customer Photo Gallery is a known PrestaShop module by MyPresta. It allows your shop’s customers to upload pictures & videos to your shop.

Customer Photo Gallery module by Mypresta; Image courtesy: Mypresta

The module developers have released a patch for the vulnerability in their latest version. All module users are recommended to update to the latest version.

What are SQL Injections?

A variety of web applications employ database systems for the provision of backend functionality. A widely used language used to query, operate, and administer database systems is Structured Query Language (SQL). Owing to its rampant use in web applications globally, SQL-powered databases are easy and frequent targets for cyber-criminals, the severity of which depends solely on the intricacies of each system being targeted.

An SQL injection attack is one of the most frequently occurring web hacks prevalent today, wherein an attacker uses web page inputs (such as GET, POST, Cookies, etc.) to insert malicious code in SQL statements. It usually occurs when a web page asks for user input like username/userid. The attacker uses this opportunity to insert a SQL statement that ends up running on your database without your knowledge.

The absence of input sanitization and escaping rules are the primary reasons behind SQLi vulnerability. SQLi is by far one of the most critical vulnerabilities which can compromise your entire web app & server.

Impact

An attacker can supply crafted input to break out of the data context in which their input
appears and interfere with the structure of the surrounding query. A wide range of damaging
attacks can often be delivered via SQL injection, including:

  • Complete compromise of data stored in the Database
  • Reading or modifying critical application data
  • Interfering with application logic
  • Escalating privileges within the database
  • Taking control of the database server

Steps to Mitigation

To safeguard your PrestaShop store from SQLi attacks, do the following:

  • Update the PrestaShop Customer Photo Gallery module to the latest version.
  • Sanitize and validate all user data before using them in the code
  • Use stored procedure
  • Use Prepared Statements (Parameterized Queries)
  • Minimize the privileges assigned to every database account in your environment
  • Do not assign DBA or admin type access rights to your application accounts.
    Have multiple users for different tasks
  • Allow only secured SQL statements
  • Conduct routine security audits.

Note: The PoC (Proof-of-Concept) and other details of the vulnerability have been deliberately skipped in the article to provide PrestaShop users with the necessary time to secure themselves from the vulnerability.

If you have any questions regarding the vulnerability or need help securing your PrestaShop store, contact us with the chat widget down below!

Was this post helpful?

Aakanchha Keshri

Aakanchha is a technical writer and a cybersecurity enthusiast. She is an avid reader, researcher, and an active contributor to our blog and the cybersecurity genre in general. To date, she has written over 200 blogs for more than 60 domains on topics ranging from technical to promotional. When she is not writing or researching she revels in a game or two of CS: GO.
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include firewall, malware scanner and security audits to protect your site from the
evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany