
Cloud Vulnerability DB
A community-led vulnerabilities database
PrestaShop, the leading open-source e-commerce solution in Europe and Latin America used by nearly 300,000 online merchants, disclosed a critical SQL injection vulnerability tracked as CVE-2022-36408. The vulnerability was discovered and disclosed on July 22, 2022, affecting PrestaShop versions 1.6.0.10 or greater. The flaw resulted from a lack of proper validation of user-supplied input in SQL queries (Security Online, Hacker News).
The vulnerability allows attackers to send crafted HTTP POST requests containing malicious SQL statements to affected applications. The attack chain targets modules or older platform versions that are vulnerable to SQL injection, with the Wishlist module versions 2.0.0 to 2.1.0 particularly affected. The observed attack sequence is a POST request to a vulnerable endpoint followed by a parameter-less GET request to the homepage, which creates a 'blm.php' file in the web root that functions as a web shell for remote command execution (Bleeping Computer).
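The two observable indicators in the sequence above (a POST followed shortly by a parameter-less GET to the homepage from the same client, and any request to the dropped 'blm.php' file) can be checked against web server access logs. The following is an added detection example, not code from the original report or from PrestaShop; the log lines and the module path in them are constructed, and the 30-second pairing window is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format lines; the module path is a placeholder.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jul/2022:10:00:01 +0000] "POST /module/placeholder-module/ajax HTTP/1.1" 200 512 "-" "curl/7.79"
203.0.113.7 - - [22/Jul/2022:10:00:03 +0000] "GET / HTTP/1.1" 200 20481 "-" "curl/7.79"
198.51.100.9 - - [22/Jul/2022:10:01:00 +0000] "GET /index.php?id_product=3 HTTP/1.1" 200 15000 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jul/2022:10:01:05 +0000] "POST /blm.php HTTP/1.1" 200 94 "-" "curl/7.79"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
HOMEPAGE_PATHS = ("/", "/index.php")


def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect(lines, window=timedelta(seconds=30)):
    """Return (client_ip, reason) findings for the two indicators described above."""
    findings = []
    last_post = {}  # client ip -> timestamp of its most recent POST
    for rec in filter(None, (parse_line(l) for l in lines)):
        ip, method, path, ts = rec["ip"], rec["method"], rec["path"], rec["ts"]
        # Indicator 2: any request touching the web shell file name.
        if path.split("?", 1)[0].endswith("/blm.php"):
            findings.append((ip, f"request to web shell path {path}"))
        if method == "POST":
            last_post[ip] = ts
        elif (method == "GET" and "?" not in path and path in HOMEPAGE_PATHS
              and ip in last_post and ts - last_post[ip] <= window):
            # Indicator 1: bare homepage GET shortly after a POST from the same client.
            findings.append((ip, f"parameter-less GET {path} within {window.seconds}s of a POST"))
            del last_post[ip]
    return findings
```

Run `detect(SAMPLE_LOG.splitlines())` to see both indicators fire for 203.0.113.7 while the ordinary product-page request from 198.51.100.9 is ignored.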
Exploiting this vulnerability allows attackers to execute arbitrary instructions and potentially steal customers' payment information. After gaining control of a shop, attackers were observed injecting fake payment forms into the front-office checkout page, so that credit card details entered by customers were unknowingly sent to the attackers. In 2020, PrestaShop sites generated more than 22 billion euros in online sales, highlighting the potential scale of impact (Security Online, Hacker News).
PrestaShop released version 1.7.8.7 to address the vulnerability; the release strengthens the MySQL Smarty cache storage against code injection attacks. Users are urged to upgrade all modules to the latest available versions and apply the security update immediately. Additionally, administrators are advised to remove the MySQL Smarty cache storage feature if it is not needed, since it forms part of the attack chain (Hacker News, Bleeping Computer).
Source: This report was generated using AI