PrestaShop’s Customer Photo Gallery Module Vulnerable to SQL Injection Attacks, Versions < 2.9.3 Affected

Updated on: September 8, 2021

Recently, Astra Security researcher Prince Mendiratta discovered a critical SQLi vulnerability in PrestaShop’s Customer Photo Gallery, version 2.9.3 and below. If not mitigated, this could lead to complete compromise of the database, manipulation of critical application data, interference with application logic, or complete takeover of the server & website.

Customer Photo Gallery is a known PrestaShop module by MyPresta. It allows your shop’s customers to upload pictures & videos to your shop.

Customer Photo Gallery module by Mypresta; Image courtesy: Mypresta

The module developers have released a patch for the vulnerability in their latest version. All module users are recommended to update to the latest version.

What are SQL Injections?

Many web applications rely on a database system for their backend functionality, and Structured Query Language (SQL) is the most widely used language for querying, operating, and administering such systems. Because SQL-backed databases are so common in web applications worldwide, they are easy and frequent targets for cyber-criminals; how severe an attack becomes depends on the specifics of the targeted system and the privileges the application holds.

An SQL injection attack is one of the most common web attacks today: an attacker uses web page inputs (GET and POST parameters, cookies, and so on) to insert malicious code into SQL statements. It typically occurs where a web page accepts user input such as a username or user ID and places that input into a query without separating it from the query's structure. The attacker uses this opportunity to inject an SQL statement that ends up running on your database without your knowledge.

The absence of input sanitization and escaping rules is the primary reason behind SQLi vulnerabilities. SQLi is by far one of the most critical classes of vulnerability, as it can compromise your entire web app and server.

Impact

An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query. A wide range of damaging attacks can often be delivered via SQL injection, including:

  • Complete compromise of data stored in the Database
  • Reading or modifying critical application data
  • Interfering with application logic
  • Escalating privileges within the database
  • Taking control of the database server

Steps to Mitigation

To safeguard your PrestaShop store from SQLi attacks, do the following:

  • Update the PrestaShop Customer Photo Gallery module to the latest version.
  • Sanitize and validate all user data before using it in the code.
  • Use stored procedures.
  • Use prepared statements (parameterized queries).
  • Minimize the privileges assigned to every database account in your environment.
  • Do not assign DBA or admin-type access rights to your application accounts; have separate users for different tasks.
  • Allow only secured SQL statements.
  • Conduct routine security audits.
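The following is an added example, not code from the article or from the Customer Photo Gallery module, that illustrates both the mechanism described under "What are SQL Injections?" and the "validate input" and "prepared statements" items above. It uses an in-memory SQLite database with a constructed `gallery_photo` table (the table and column names are assumptions) and shows the same lookup written three ways: with the request parameter concatenated into the query, with a bound parameter, and with type validation in front of the bound parameter.

```python
import sqlite3

# Constructed sample rows (not from the article): id_photo, id_customer, filename, approved
SAMPLE_PHOTOS = [
    (1, 101, "beach.jpg", 1),
    (2, 101, "unreviewed_draft.jpg", 0),  # not approved: must never be listed publicly
    (3, 102, "dog.jpg", 1),
]


def make_db():
    """Build a throwaway in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE gallery_photo ("
        "id_photo INTEGER, id_customer INTEGER, filename TEXT, approved INTEGER)"
    )
    conn.executemany("INSERT INTO gallery_photo VALUES (?, ?, ?, ?)", SAMPLE_PHOTOS)
    return conn


def list_photos_vulnerable(conn, id_customer):
    """Anti-pattern: the request value is pasted into the SQL text.

    Anything the caller supplies becomes part of the query structure, so a
    crafted value can drop the `approved = 1` condition that follows it.
    """
    sql = (
        "SELECT filename FROM gallery_photo WHERE id_customer = "
        + str(id_customer)
        + " AND approved = 1 ORDER BY id_photo"
    )
    return [row[0] for row in conn.execute(sql)]


def list_photos_parameterized(conn, id_customer):
    """Prepared statement: the value is bound, never interpreted as SQL.

    The query structure is fixed before the database sees the value, so a
    crafted value is compared as data and simply matches no customer.
    """
    sql = (
        "SELECT filename FROM gallery_photo "
        "WHERE id_customer = ? AND approved = 1 ORDER BY id_photo"
    )
    return [row[0] for row in conn.execute(sql, (id_customer,))]


def list_photos_validated(conn, id_customer):
    """Validate first, then bind: a customer id must be a positive integer.

    Rejecting malformed input before it reaches the database gives a clear
    error to log and alert on, in addition to the protection binding provides.
    """
    if not str(id_customer).isdigit():
        raise ValueError("id_customer must be a positive integer")
    return list_photos_parameterized(conn, int(id_customer))


if __name__ == "__main__":
    db = make_db()
    # Constructed crafted value: the trailing comment marker cuts off the rest of the query.
    crafted = "101 OR 1=1 --"
    print("concatenated, normal value:", list_photos_vulnerable(db, 101))
    print("concatenated, crafted value:", list_photos_vulnerable(db, crafted))
    print("bound parameter, crafted value:", list_photos_parameterized(db, crafted))
    try:
        list_photos_validated(db, crafted)
    except ValueError as err:
        print("validated, crafted value rejected:", err)
```

Running the block shows the concatenated query returning every row, including the unapproved photo and another customer's photo, for the crafted value, while the bound-parameter query returns nothing for it and the validated version refuses it outright. The same pattern applies to PrestaShop's PHP code base: cast or validate identifiers, escape any string that must be interpolated, and keep query structure separate from user-supplied data.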

Note: The PoC (Proof-of-Concept) and other details of the vulnerability have been deliberately skipped in the article to provide PrestaShop users with the necessary time to secure themselves from the vulnerability.

If you have any questions regarding the vulnerability or need help securing your PrestaShop store, contact us with the chat widget down below!

Aakanchha Keshri

Aakanchha is a technical writer and a cybersecurity enthusiast. She is an avid reader, researcher, and an active contributor to our blog and the cybersecurity genre in general. To date, she has written over 200 blogs for more than 60 domains on topics ranging from technical to promotional. When she is not writing or researching she revels in a game or two of CS: GO.
