CVE-2024-36680 Overview
CVE-2024-36680 is a SQL injection vulnerability in the "Facebook" module (pkfacebook) from Promokit.eu for PrestaShop, affecting version 1.0.1 and earlier. The module's AJAX script facebookConnect.php builds a SQL statement from request input, so a trivial HTTP request is enough for an unauthenticated guest to inject SQL and run unauthorized queries against the shop database.
Critical Impact
Unauthenticated attackers can use the injection to read data from the PrestaShop database, including customer personal data, order and payment records, and the password hashes of back-office (employee) accounts.
Affected Products
- PrestaShop Facebook Module (pkfacebook) version 1.0.1 and earlier
- PrestaShop installations using the Promokit.eu pkfacebook module
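To confirm whether a shop is exposed, the module version on disk can be read from the module's config.xml, which every PrestaShop module ships with. The following is an added example, not code from the advisory or from Promokit.eu: it parses the <name> and <version> elements and compares the version numerically rather than as a string, so a later 1.0.10 is not mistaken for an older release. The config.xml text embedded in it is constructed, and check_install() assumes the standard layout of a PrestaShop install root (modules/<name>/config.xml).

```python
"""Check whether an installed pkfacebook module falls in the affected range.
Added example: not code from the advisory or from Promokit.eu."""
import os
import xml.etree.ElementTree as ET

MODULE_NAME = "pkfacebook"
LAST_VULNERABLE = (1, 0, 1)          # advisory: version 1.0.1 and earlier

# Constructed stand-in for modules/pkfacebook/config.xml. PrestaShop modules
# describe themselves in this file with <name> and <version> elements.
SAMPLE_CONFIG_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<module>
    <name>pkfacebook</name>
    <displayName><![CDATA[Facebook]]></displayName>
    <version><![CDATA[1.0.1]]></version>
    <author><![CDATA[promokit.eu]]></author>
</module>
"""


def parse_version(text):
    """'1.0.1' -> (1, 0, 1); tolerant of suffixes such as '1.0.2-beta'."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def module_info(xml_text):
    """Return (name, version) from a module config.xml body."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    name = (root.findtext("name") or "").strip()
    version = (root.findtext("version") or "").strip()
    return name, version


def is_affected(xml_text):
    """True when the file describes pkfacebook at or below the last vulnerable version."""
    name, version = module_info(xml_text)
    return name == MODULE_NAME and parse_version(version) <= LAST_VULNERABLE


def check_install(shop_root):
    """Return 'affected', 'patched' or 'absent' for a PrestaShop install directory.

    This inspects only what is on disk. If the shop was upgraded without
    reinstalling, also compare with the version column of the ps_module table
    (the ps_ prefix may differ per install)."""
    path = os.path.join(shop_root, "modules", MODULE_NAME, "config.xml")
    if not os.path.isfile(path):
        return "absent"
    with open(path, encoding="utf-8") as fh:
        return "affected" if is_affected(fh.read()) else "patched"


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www/prestashop"
    print(f"{root}: {check_install(root)}")
```

Run it with the shop's document root as the single argument; "absent" means the module directory is not present at all, which is the state to aim for until a fixed release is installed.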
Discovery Timeline
- 2024-06-18 - Security advisory published by Friends of Presta
- 2024-06-19 - CVE-2024-36680 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-36680
Vulnerability Analysis
This is a SQL injection (CWE-89): facebookConnect.php takes values from the HTTP request and places them into a SQL statement without escaping or parameter binding, so the attacker controls part of the query that the database executes.
No authentication is needed; the script is reachable by any visitor with a plain HTTP request. Successful exploitation lets the attacker read database contents, which in a PrestaShop shop means customer personal data, order records and the password hashes of employee accounts.
Root Cause
The root cause of CVE-2024-36680 is dynamic query construction in the facebookConnect.php AJAX endpoint: request parameters are concatenated into the SQL string rather than being bound as parameters, cast to the expected type, or escaped with PrestaShop's pSQL() helper. Without that boundary between code and data, a crafted parameter changes the query's logic instead of being treated as a value.
Attack Vector
The attack vector is network-based with low attack complexity and needs neither user interaction nor prior authentication: an attacker sends a crafted HTTP request to the facebookConnect.php endpoint, the AJAX handler for the module's Facebook Connect feature, and the injected SQL runs against the shop database. The Friends of Presta Security Advisory holds the detailed analysis and proof-of-concept information; it is not reproduced here.
Detection Methods for CVE-2024-36680
Indicators of Compromise
- Requests to /modules/pkfacebook/facebookConnect.php whose query string, after URL decoding (including double encoding such as %2527), contains quotes, comment markers (-- or /*), UNION SELECT or similar SQL fragments
- MySQL general or slow query logs showing queries issued by the web application that contain UNION SELECT, tautologies such as OR 1=1, or SLEEP()/BENCHMARK() calls
- Many requests to the endpoint from one source that differ only slightly in a single parameter, the signature of error-based or blind (boolean- or time-based) extraction
- Abnormally slow responses on that endpoint, consistent with time-based blind injection attempts
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in requests to the pkfacebook module
- Monitor HTTP access logs for suspicious requests targeting facebookConnect.php with SQL metacharacters
- Deploy database activity monitoring to identify anomalous query patterns from the web application
- Use intrusion detection systems (IDS) with SQL injection signatures focused on PrestaShop installations
Monitoring Recommendations
- Retain web-server access logs for requests under /modules/; access logs do not contain POST bodies, so capture those at the WAF or in PHP if the endpoint accepts POST data
- Configure alerting for database errors that may indicate failed injection attempts
- Monitor for bulk data extraction patterns or unusually large query result sets
- Review web server logs for requests containing encoded SQL characters targeting module endpoints
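The log-review items above can be run as a script. The following is an added example, not code from the advisory or from PrestaShop: it parses combined-format access log lines, URL-decodes the query string repeatedly so that double-encoded quotes such as %2527 are not missed, and flags requests to the facebookConnect.php path whose parameters contain SQL fragments. It also marks POST requests to the endpoint as unverifiable, since access logs never record request bodies. The log lines embedded in it are constructed; the endpoint path is the one cited above.

```python
"""Flag SQL-injection-shaped requests to the pkfacebook AJAX script in
web-server access logs. Added example; not code from the advisory or PrestaShop."""
import re
from urllib.parse import unquote_plus

# Path of the vulnerable script, as cited in the advisory.
ENDPOINT = "/modules/pkfacebook/facebookConnect.php"

# Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Fragments that no legitimate call to this endpoint needs.
SQLI_RE = re.compile(
    r"union\s+(all\s+)?select"
    r"|\b(sleep|benchmark|extractvalue|updatexml)\s*\("
    r"|'\s*(or|and)\s+[\w']+\s*=\s*[\w']+"
    r"|\bor\s+\d+\s*=\s*\d+"
    r"|information_schema"
    r"|--\s|/\*",
    re.IGNORECASE,
)

# Constructed sample: a normal call, an unrelated page, a UNION probe,
# a double-encoded time-based probe, and a POST whose body is not logged.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Jun/2024:10:01:02 +0000] "GET /modules/pkfacebook/facebookConnect.php?action=login&token=abc123 HTTP/1.1" 200 318
203.0.113.10 - - [18/Jun/2024:10:01:05 +0000] "GET /index.php?controller=product&id_product=12 HTTP/1.1" 200 9102
198.51.100.7 - - [18/Jun/2024:10:02:41 +0000] "GET /modules/pkfacebook/facebookConnect.php?id=1%27%20UNION%20SELECT%201,2,3--%20 HTTP/1.1" 200 2048
198.51.100.7 - - [18/Jun/2024:10:02:43 +0000] "GET /modules/pkfacebook/facebookConnect.php?id=1%2527%2520AND%2520SLEEP%25285%2529--%2520 HTTP/1.1" 200 318
198.51.100.7 - - [18/Jun/2024:10:02:50 +0000] "POST /modules/pkfacebook/facebookConnect.php HTTP/1.1" 200 318
"""


def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so a double-encoded quote (%2527) is still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Split one combined-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(line):
    """Classify one request to ENDPOINT; None for other URLs or unparseable lines."""
    rec = parse_line(line)
    if rec is None:
        return None
    path, _, query = rec["target"].partition("?")
    if decode_fully(path).lower() != ENDPOINT.lower():
        return None
    decoded = decode_fully(query)
    m = SQLI_RE.search(decoded)
    if m:
        verdict, evidence = "suspicious", m.group(0)
    elif rec["method"] == "POST":
        # Access logs never record request bodies, so a POST with a clean query
        # string cannot be cleared here; it needs WAF or PHP-level logging.
        verdict, evidence = "unverifiable", "POST body not logged"
    else:
        verdict, evidence = "benign", ""
    return {"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
            "status": rec["status"], "verdict": verdict, "evidence": evidence,
            "query": decoded}


def scan(lines):
    """Findings for every request to ENDPOINT, most serious first."""
    rank = {"suspicious": 0, "unverifiable": 1, "benign": 2}
    findings = [f for f in map(analyse, lines) if f]
    findings.sort(key=lambda f: rank[f["verdict"]])  # stable: log order kept within a verdict
    return findings


def suspicious_ips(lines):
    """Source addresses that sent at least one suspicious request."""
    return sorted({f["ip"] for f in scan(lines) if f["verdict"] == "suspicious"})


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for f in scan(lines):
        print(f"{f['verdict']:12} {f['ip']:15} {f['ts']} {f['method']} {f['status']} {f['evidence']!r}")
```

Run it against an access log to get a triage list; the pattern list is deliberately narrow so that it produces few false positives on this one endpoint, and it should be widened (or replaced by a WAF ruleset) if the same check is applied to the whole site.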
How to Mitigate CVE-2024-36680
Immediate Actions Required
- Uninstall the pkfacebook module (version 1.0.1 and earlier) and delete its directory from all PrestaShop installations. Disabling the module in the back office may not be enough, because the script is requested by path rather than through PrestaShop's dispatcher
- Audit web-server and database logs for evidence of exploitation and assess what data may have been read
- If exploitation is suspected, reset back-office (employee) passwords, terminate active sessions, and consider a forced password reset for customers
- Implement WAF rules to block SQL injection attempts targeting the vulnerable endpoint
Patch Information
As of the published advisory, users should check with Promokit.eu for a version of pkfacebook newer than 1.0.1 that addresses this SQL injection. If none is available, remove the module entirely rather than leaving it installed but disabled. Refer to the Friends of Presta Security Advisory for the latest remediation guidance.
Workarounds
- Uninstall and delete the pkfacebook module until a patched version is available
- Block access to facebookConnect.php at the web server level using access control directives
- Implement application-level input validation if module source code can be modified
- Deploy WAF rules specifically targeting SQL injection patterns in the affected endpoint
# Apache 2.4 .htaccess example to block access to the vulnerable endpoint.
# Place it in modules/pkfacebook/.htaccess or in the shop root .htaccess;
# <Files> matches by file name anywhere below the directory it lives in.
# (Apache 2.2 uses "Order deny,allow" / "Deny from all" instead of Require.)
<Files "facebookConnect.php">
    Require all denied
</Files>
# Nginx configuration to block the vulnerable endpoint. Nginx takes the first
# regex location that matches, so this block must come BEFORE the generic
# "location ~ \.php$" block that hands requests to PHP-FPM, or the script will
# still be executed. "deny all" already answers with 403 on its own.
location ~* /modules/pkfacebook/facebookConnect\.php$ {
    deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.