Categories: API Security

CVE-2024-36680: SQL Injection Vulnerability in Facebook’s PrestaShop Module Exposes Thousands of E-commerce Sites to Credit Card Fraud

SQL Injection Exposure in Promokit.eu Threatens Facebook's PrestaShop Customers

PrestaShop is a free, open-source E-commerce platform launched in 2007. Built with PHP and MySQL, it offers customizable, scalable solutions for online stores. Features include product management, inventory tracking, and payment processing. Supporting multiple languages and currencies, it's ideal for small to medium businesses worldwide.

Built by Promokit, the pkFacebook add-on integrates PrestaShop with Facebook, enabling product catalog sync, dynamic ads, and Facebook Shop creation. It supports Facebook Pixel for tracking and optimizing ad performance, enhancing social media marketing and customer engagement, and driving more traffic and sales to PrestaShop stores.

A significant vulnerability, identified as CVE-2024-36680, was discovered in pkfacebook's facebookConnect.php Ajax script. The flaw enables remote attackers to execute SQL injection attacks through HTTP requests.

Proof of Concept
curl -v "https://preprod.X/modules/pkfacebook/ajax/facebookConnect.php?id=1";select(0x73656C65637420736C656570283432293B)INTO@a;prepare`b`from@a;execute`b`;--&email=test@test.fr

Cybercriminals are taking advantage of this vulnerability to install a card skimmer on susceptible e-commerce websites, allowing them to steal customers' credit card information.

Ignored Warnings

TouchWeb analysts identified the vulnerability on March 3 (2024). However, Promokit.eu claimed the issue was resolved "a long time ago" in 2022 when the patch for CVE-2022-36408 was published, yet offered no evidence to support this assertion.

Earlier this week, Friends-of-Presta released a proof-of-concept exploit for CVE-2024-36680, alerting that the vulnerability is being actively exploited. "This exploit is being used to deploy a web skimmer to steal credit card information on a large scale," they stated.

Regrettably, the developers have not provided Friends-of-Presta with the latest version to verify if the issue has been resolved. The most recent version available on Promokit's website is still 1.0.0, making it unclear if a patch has been issued.

Remediation Steps Provided by PrestaShop

Friends-of-Presta advises treating all versions prior to (and including) 1.0.1 as potentially affected and suggests these mitigation steps:

  • Upgrade to the latest pkFacebook version, which disables multi-query executions, even though it doesn't protect against SQL injection via the UNION clause
  • Use pSQL to prevent Stored XSS vulnerabilities, as it incorporates a strip_tags function for enhanced security
  • Change the default "ps_" prefix to a longer, unique one to bolster security, although this isn't completely effective against highly skilled attackers
  • Enable the OWASP Core Rule Set 942 (SQL injection) rules on your Web Application Firewall (WAF)
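The proof-of-concept request above and the WAF recommendation both come down to the same request shape: an integer parameter carrying a second, stacked statement, with the real query hidden inside a MySQL hex string literal fed to PREPARE/EXECUTE. The script below is an added example, not code from the advisory, Friends-of-Presta or the pkFacebook module. It scans constructed access-log lines (placeholder hosts and addresses), decodes any hex literal so an analyst can see what the hidden statement actually was, and flags requests where a parameter the endpoint expects to be numeric carries stacked-query markers. The log format, parameter names and heuristics are assumptions for illustration, not a description of how any particular WAF rule works.

```python
"""Flag stacked-query SQL injection attempts against a PrestaShop module
endpoint in web server access logs and reveal hex-hidden statements.

Added example: log lines are constructed, not captured from a real site.
"""
import re
from urllib.parse import urlsplit, unquote_plus

# A ';' followed by a new statement keyword inside one parameter value is
# the signature of a stacked query (MySQL multi-statement abuse).
STACKED_MARKERS = re.compile(
    r";\s*(select|insert|update|delete|set|prepare|execute|drop)\b", re.I)
# PREPARE ... FROM @var / EXECUTE name; lets the attacker run a statement
# that never appears in clear text in the request.
PREPARE_EXECUTE = re.compile(
    r"\bprepare\b.*?\bfrom\s*@\w+|\bexecute\s*`?\w+`?\s*;", re.I)
HEX_LITERAL = re.compile(r"0x([0-9a-f]{2})+", re.I)

# Combined log format (Apache/nginx style); only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)')

# Constructed sample: line 1 mirrors the published PoC shape, lines 2-3 are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "GET /modules/pkfacebook/ajax/facebookConnect.php?id=1;select(0x73656C65637420736C656570283432293B)INTO@a;prepare`b`from@a;execute`b`;--&email=test@test.fr HTTP/1.1" 200 512
198.51.100.4 - - [10/Jun/2024:12:00:02 +0000] "GET /modules/pkfacebook/ajax/facebookConnect.php?id=42&email=alice@example.com HTTP/1.1" 200 310
203.0.113.7 - - [10/Jun/2024:12:00:03 +0000] "GET /index.php?id_product=3&controller=product HTTP/1.1" 200 8800
"""


def decode_hex_literals(text: str) -> list[str]:
    """Decode MySQL 0x... string literals into readable text."""
    out = []
    for m in HEX_LITERAL.finditer(text):
        try:
            out.append(bytes.fromhex(m.group(0)[2:]).decode("utf-8"))
        except ValueError:
            continue  # not valid UTF-8; leave it for manual review
    return out


def parse_query(query: str) -> list[tuple[str, str]]:
    """Split on '&' only: a ';' here is part of the payload, not a separator."""
    pairs = []
    for chunk in query.split("&"):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def analyze_request(target: str, numeric_params=("id",)) -> dict:
    """Return findings for one request target (path plus query string)."""
    parts = urlsplit(target)
    findings = {"path": parts.path, "stacked": False,
                "bad_params": [], "decoded": [], "non_numeric_id": False}
    for name, value in parse_query(parts.query):
        if STACKED_MARKERS.search(value) or PREPARE_EXECUTE.search(value):
            findings["stacked"] = True
            findings["bad_params"].append(name)
            findings["decoded"].extend(decode_hex_literals(value))
        # The endpoint expects a plain integer here; anything else is suspect.
        if name in numeric_params and not value.isdigit():
            findings["non_numeric_id"] = True
    return findings


def scan_log(text: str) -> list[dict]:
    """Return one alert per log line whose request looks like stacked-query SQLi."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyze_request(m.group("target"))
        if findings["stacked"] or findings["non_numeric_id"]:
            alerts.append({"ip": m.group("ip"), "ts": m.group("ts"), **findings})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['ip']} {alert['path']} "
              f"params={alert['bad_params']} hidden={alert['decoded']}")
```

Run against the sample, the first line is the only alert, and the decoded hex literal shows the hidden statement is a time-delay probe, the usual first step of confirming a blind injection before anything more is attempted. The same decoder is worth applying to any hex literal seen in a parameter, since hiding the statement this way is exactly what defeats simple keyword-based filters; the `non_numeric_id` check is the cheap complement on the application side, where an integer cast on `id` removes the injection point regardless of how the payload is encoded.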
