PrestaShop is a popular open source online store software. It helps thousands of businesses, big and small, manage and sell products over the Internet. Unfortunately, like all big software projects, sometimes serious security bugs show up. One of the biggest recent threats is called CVE-2023-39526. In this article, I’ll explain in plain English what this bug is, how it works, and why you absolutely must update your PrestaShop if you’re running an older version.
What’s the Issue? (A Quick Overview)
CVE-2023-39526 is a remote code execution (RCE) vulnerability in PrestaShop. That means a hacker could run any code they want on your server just by sending the right kind of data. The root cause is a SQL injection inside the PrestaShop “back office.” In short, attackers can inject malicious database commands, which result in the ability to write arbitrary files – including code files – onto your store.
Which Versions Are in Danger?
All PrestaShop versions before 1.7.8.10, 8.0.5, and 8.1.1 are affected. Anything older than those releases is in danger.
*(You can always find the latest releases directly from PrestaShop GitHub Releases)*
Let’s break it down step by step
1. Back Office Exposed: The attack works through the administrator section (“back office”) of PrestaShop. If your back office is accessible from the internet and you’re running a vulnerable version, you are at risk.
2. SQL Injection: Some part of the back office fails to properly “sanitize” inputs. This lets a hacker send a request that tricks PrestaShop into executing malicious SQL code.
3. Write Arbitrary Files: Using clever SQL payloads, attackers can force PrestaShop to write files anywhere on the web server. That could be a simple “webshell,” but it could also overwrite existing core files, causing more damage.
4. Remote Code Execution: Once attackers can write files, they typically drop a PHP webshell, which lets them execute any command. Your server and data are then completely under their control.
Code Example: What An Attack Looks Like
Below is a *simplified* version of what a hacker might send. Please use this only for *learning* and *defensive* purposes.
Suppose the vulnerable code looks like this (a simplified example for educational value):
<?php
// Vulnerable backend call in PrestaShop (simplified for illustration)
$user_id = $_POST['user_id'];
// Putting user_id straight into the SQL statement with no validation or escaping - dangerous!
$sql = "SELECT * FROM users WHERE id = $user_id";
$results = $db->query($sql);
An attacker can send a request such as:
POST /admin/index.php HTTP/1.1
Host: target-prestashop.com
Content-Type: application/x-www-form-urlencoded
user_id=1; SELECT "<?php system($_GET['x']); ?>" INTO OUTFILE '/var/www/html/shell.php'
This would (if unfiltered!) create a file /var/www/html/shell.php with the contents:
<?php system($_GET['x']); ?>
Visiting https://target-prestashop.com/shell.php?x=ls would then let the attacker run any command!
Note: The real vulnerability lies in more complex code paths, but the gist is the same: unsanitized input allows SQL injection, leading to file writes.
Safe (patched) versions: 1.7.8.10, 8.0.5, 8.1.1.
If you’re running anything older, you are at *risk*. There are absolutely no workarounds. The only solution is to upgrade. Blocking the admin panel via firewall or strong .htaccess rules can help, but doesn’t fix the root cause.
Upgrade instructions are available at PrestaShop’s official site.
References and Further Reading
- PrestaShop Security Advisory
- CVE-2023-39526 on NIST
- Technical discussion/pre-disclosure on GitHub
- Restrict admin access by IP address and use strong passwords.
- Monitor for strange PHP files in your web root (look for files with recent timestamps or odd names).
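As an added example for the monitoring step above (this is not code from the original post or from PrestaShop), here is a small Python scanner that walks a web root and flags PHP files that were modified after a known-good deployment timestamp or that contain a command-execution-on-request-parameter pattern like the dropped shell.php. The sample web root, its two files and the baseline timestamp are constructed inline.

```python
import os
import re
import tempfile
import time
from dataclasses import dataclass

# Indicators of the kind of one-line webshell this attack drops,
# e.g. <?php system($_GET['x']); ?>. Not exhaustive; extend as needed.
WEBSHELL_PATTERNS = [
    re.compile(r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    re.compile(r"\b(eval|assert)\s*\(\s*(\$_(GET|POST|REQUEST|COOKIE)|base64_decode|gzinflate)\b", re.I),
]
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".php7", ".phar")

@dataclass
class Finding:
    path: str
    reason: str

def scan_webroot(root, baseline_mtime, patterns=WEBSHELL_PATTERNS):
    """Return findings for PHP files under root that were modified after the
    last known-good deployment (baseline_mtime, epoch seconds) or that contain
    a webshell indicator. Only the first 64 KiB of each file is inspected."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            if os.path.getmtime(path) > baseline_mtime:
                findings.append(Finding(path, "modified after baseline"))
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    head = fh.read(64 * 1024)
            except OSError:
                continue
            for pat in patterns:
                if pat.search(head):
                    findings.append(Finding(path, "webshell indicator: " + pat.pattern))
                    break
    return findings

def build_demo_webroot():
    """Constructed sample web root: a legitimate index.php deployed 30 days ago
    and the shell.php from the write-up dropped just now. Returns (root, baseline)."""
    root = tempfile.mkdtemp(prefix="prestashop-demo-")
    old = time.time() - 30 * 86400
    good = os.path.join(root, "index.php")
    with open(good, "w") as fh:
        fh.write("<?php require 'config/config.inc.php'; Dispatcher::getInstance()->dispatch();\n")
    os.utime(good, (old, old))  # pretend it was deployed a month ago
    with open(os.path.join(root, "shell.php"), "w") as fh:
        fh.write("<?php system($_GET['x']); ?>\n")
    return root, old + 1

if __name__ == "__main__":
    root, baseline = build_demo_webroot()
    for f in scan_webroot(root, baseline):
        print(f"{f.path}: {f.reason}")
```

On a real store, take the baseline from your last deployment and run the scan from cron; a hit on either rule is a reason to pull the file for review rather than delete it.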
Summary
*PrestaShop is a great e-commerce platform, but like all software it needs to be kept up-to-date*. CVE-2023-39526 is so serious that anyone running an old version could have their business completely compromised. Don’t hesitate – check your store, back it up, and upgrade now.
Your business depends on it!
If you have more technical questions about securing your PrestaShop, check with your hosting provider or the official PrestaShop community forums.
Timeline
Published on: 08/07/2023 21:15:00 UTC
Last modified on: 08/09/2023 20:18:00 UTC