Flawed session handling process exposed merchants to numerous vulnerabilities

PrestaShop users have been urged to upgrade to the latest version after researchers discovered a flaw in the way the eCommerce platform handles session data.

The bug, discovered by Ambionics Security and detailed in a technical write-up earlier this week, could allow an attacker to take over any customer session, steal business data, or gain full access to the administrator panel through cross-site request forgery.

According to Charles Fol of Ambionics, instead of using the usual PHP session ID and storing data locally, PrestaShop was found to be storing session data in a cookie without adequate encryption and a cryptographically weak signature.

“For the cookie not to get altered, a checksum is appended, and the whole thing is then ciphered,” Fol noted.

“The process is flawed and allows attackers to read and write session data and therefore hijack customers or employees’ sessions, resulting in partial or complete control over the website.”

Launched in 2007, PrestaShop is a popular eCommerce solution, powering more than 270,000 online stores.

The company was alerted to the vulnerability in May and fixed the issue in versions 1.6.1.20 and 1.7.3.4.

The latest version of PrestaShop (1.7.4.1) went live yesterday.