{"id":15788,"date":"2022-08-04T09:48:07","date_gmt":"2022-08-04T07:48:07","guid":{"rendered":"https:\/\/www.transparentedge.eu\/blog\/prestashop-vulnerabilidad-seguridad-1\/"},"modified":"2024-08-23T14:44:24","modified_gmt":"2024-08-23T12:44:24","slug":"prestashop-vulnerability","status":"publish","type":"post","link":"https:\/\/www.transparentedge.eu\/en\/blog\/prestashop-vulnerability\/","title":{"rendered":"PrestaShop: security vulnerability"},"content":{"rendered":"

PrestaShop<\/span><\/a>, the company that gives name to the famous CMS (content management system) in open source, has reported a vulnerability in the safety of their product, that allowed the execution of arbitrary code on the servers that give support to websites based on it. In scenarios like this, a next generation WAF becomes highly important. Let us explain.\u00a0<\/span><\/p>\n

PRESTASHOP: VULNERABILITY DUE TO AN SQL INJECTION<\/b><\/h2>\n

INJECTING MALICIOUS CODE<\/span><\/h3>\n

PrestaShop\u2019s CMS is a solution preferred by a large number of people in the construction of their e-commerce platforms. According to the company itself, approximately 300.000 online businesses are based on their software solution, especially in Europe and Latin America.\u00a0<\/span><\/p>\n

The exploitation of this vulnerability and the subsequent injection of malicious code will give the attacker the ability of gathering confidential information referring to the clients of these e-commerce platforms. This information includes banking details of said clients.\u00a0<\/span><\/p>\n

The vulnerability, which has been categorized as <\/span>CVE-2022-36408<\/span><\/a>, is a vulnerability by SQL injection or SQLi. According to the data given by the company, it affects versions of their product from v1.6.0.10 onwards. PrestaShop has repaired it from version v1.7.8.7, although they can\u2019t guarantee that this is the only way of executing the attack.\u00a0<\/span><\/p>\n

And, even if you do have to<\/span> update the software<\/span><\/a>, with its corresponding security patches, such as we recommend at Transparent Edge, it\u2019s also useful to consider the great relevance of a WAF (<\/span>web application firewall<\/span>).<\/span><\/p>\n

WAF AGAINST MALICIOUS TRAFFIC<\/span><\/h3>\n

A WAF is, first of all, a security tool, a firewall that analyzes and, when necessary, intercepts and blocks malicious HTTP traffic (such as attempts of SQLi and others), to and from a web application, such as the case of an e-commerce platform based on PrestaShop.\u00a0<\/span><\/p>\n

Integrated into our next-generation CDN, our WAF is completely configurable from our dashboard.\u00a0<\/span><\/p>\n

Declaratively, and through a limited set of<\/span> HTTP headers<\/span><\/a>, it\u2019s possible, among other things:\u00a0<\/span><\/p>\n