Prestashop Security

SQL Injection (SQLi) in PrestaShop: Cases, Consequences, & Cure

Published on: May 28, 2020

SQL Injection (SQLi) in PrestaShop: Cases, Consequences, & Cure

Cases of SQLi in PrestaShop and other web applications are rampant in the eCommerce industry. They occur due to unsanitized input. When the database executes the input’s query, the run leads to the disclosure of sensitive data. Hackers can go ahead and do anything they wish with the data.

Some security experts researched the prevalence of this threat between November 2017 and March 2019. It revealed that SQLi now stands at 65.1% (two-thirds) of all web application attacks. Just two years before, the attacks represented 44% of Web application attacks. Since e-commerce websites across the globe store more sensitive data, it is time that we understood SQLi injection in PrestaShop, its effects, and ways to prevent it before it’s too late.

Today, we are talking about preventing SQL injection attacks on PrestaShop stores, in particular. Be with me as I touch base with you on the subject.

What is SQLi in PrestaShop?

SQLi in PrestaShop stores includes executing malicious queries to the database to fish valuable store and user information. By a successful execution of an SQLi on a PrestaShop store, a hacker can view, retrieve, and manipulate sensitive data that should only be accessed with legitimate authentication, by the user or admin.

What is SQL injection; Source: https://www.dnsstuff.com/

Mostly, hackers change or delete the data, leading to persistent changes to your store’s behavior and content. However, there have also been cases of hackers escalating this threat to attack other back-end infrastructure such as the underlying server or carrying out a DDoS attack.

An example of a malicious SQL query looks something like this:

example.com/?___from_store=en' union select 0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526,0x5e2526 -
An example of a PrestaShop SQLi attack; Source: PrestaShop Forum

Cases of SQLi in PrestaShop

In 2014, security researchers reported SQLi in PrestaShop 1.6.0 and some other versions. They located the issue within the parameter id_manufacturer.

http://example.com/ajax/getSimilarManufacturer.php?id_manufacturer=3[SQL-injection]

The unsanitized input following the id_manufacturer in the above line of code allows the hackers to view the database. Therefore, PrestaShop security becomes compromised. They can use tools like Sqlninja and Sqlmap to exploit the database automatically.

Recently, researchers discovered another SQLi in PrestaShop versions 1.5.5.0 to 1.7.2.5. They dubbed it as CVE-2018-8824. The issue comes from the module called Responsive Mega Menu (Horizontal + Vertical + Dropdown) Pro.

GET: http://site/modules/bamegamenu/ajax_phpcode.php?code=p(Db::getInstance()-
>ExecuteS("show tables"));

The above code used the ajax query to fetch data from the vulnerable parameter. It displayed the tables that were in the database. The attacker could replace the statement, “show tables” with another statement to perform various database operations. They could run queries to show sensitive tables or fetch login credentials or other operations. In a nutshell, this malicious query opened up the PrestaShop dashboard to the hacker.

Consequences of SQLi in PrestaShop and Extensions

The e-commerce industry is full of victims that have suffered from SQL injection. Once the attackers gain access to your database, they can do anything they wish with your data. Some of the adverse effects of SQL injection attacks include:

  1. Skipping login authentication– Your website will not require the hacker to key in their authentication information before accessing it.
  2. Theft– They can steal sensitive customer information such as credit card information, login details, and other personal data.
  3. Phishing– They can compromise your website’s integrity by altering or inserting malicious content into the database. They can also delete or read source code and sensitive data in your database.
  4. Redirects– The hackers may insert redirect links or pages on your website. Therefore, incoming traffic may be redirected away from your website to the attackers’ website, where they can get conned.
  5. Spamming– Attackers may also use your website to monetize their fraudulent products or services. If your application interacts with your clients on a one-on-one basis, customers will lose trust on you due to the spams.
  6. Botnets– The bad players can also perform DDoS attacks on your website, leading to a total shutdown. Consequently, your business experience losses in revenue.
  7. Ransomware– SQLi in your PrestaShop website can lead to hackers kidnapping it. They can encrypt the files and will only decrypt if you fulfill certain conditions to them.

While these are a few common practices of attackers, you can also fall prey for other effects such as:

  1. The attackers may audit or remove data from your website.
  2. The hosting company may disable your website.
  3. It may slow down your website and display error messages.
  4. Too many ads and pop-ups on your site.
  5. Customers may lose trust in you and flee.
  6. The search engine may blacklist your website due to insecurity incidences.

And much more!

Steps to Block SQLi in Your PrestaShop Website

Having seen how SQL injections can lead to a myriad of attacks to your eCommerce store, it is time to secure your website. The following are some of the leading methods through which your website can remain secure from this and other security breaches:

1. Use a Website Firewall

A firewall keeps at bay unauthorized access to your site. You can implement it either in a software or hardware form or as a combination of both. We suggest an end-point firewall like the Astra Firewall for this purpose. This way you need not divert your traffic to another server rather it gets checked on your own server before it is allowed access to your website. Moreover, the Astra firewall automatically blocks all attempts of SQL injections on your PrestaShop store 24*7 without fail. Not only that, but our firewall also blocks hundreds of other attacks such as XSS, CSRF, Bad bots, Spam, OWASP top 10, etc in real-time.

SQLi in PrestaShop
Astra’s Firewall Blocks Threats like SQLi in PrestaShop Websites

2. Monitor SQL Query Logs

It is essential to enable SQL query logging on your server. Don’t stop there. Always monitor the queries that your database executes. In case hacking occurs, identify the affected query from the logs and add data validation in the corresponding PHP file.

3. Update your PrestaShop Version Regularly

Outdated versions usually lack robust technical support, which makes it difficult to get bug fixes and security features for them. Outdated versions also don’t enjoy security updates.

Therefore, you should update to a newer version as soon as it old one rolls out. New releases have the latest security patches that may help prevent SQLi injection in your PrestaShop website.

4. Use Add-ons from Trusted Developers Only

Some developers sell their extensions to other companies. Such companies may end up updating the plugins with malicious features. They can then push the elements to the end-users. Even if a plugin is not malicious, some developers may collect and sell data from your website.

Therefore, always ensure that the plugin has gained trust in the industry. Look if it has genuine reviews from real users to ensure its code is clean and the developer can protect your data.

Get the ultimate PrestaShop security checklist with 300+ test parameters

Summing up

SQLi in PrestaShop and other web applications has risen steeply. More hackers are now gaining access to databases of e-commerce stores and websites in general, causing major serious difficulties. However, there are several ways to keep yourself at bay from such menaces. Using a hacker -tested firewall, sanitizing & validating input, monitoring query logs, are only some of them. Installing security patches, running the latest version of software, updating add-ons & themes regularly are some other security measures that go without saying. Additionally, always remember to check the credibility of an add-on and its developers before installing them.

That’s all. If you have some prevention technique working for you let us know in the comment box.

Was this post helpful?

Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France).At Astra he's building an intelligent security ecosystem - web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cybersecurity community and shared his knowledge at various forums & invited talks.
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include firewall, malware scanner and security audits to protect your site from the
evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany