CVE-2024-36684
📋 TL;DR
This vulnerability allows unauthenticated attackers to perform SQL injection attacks on PrestaShop websites using the 'Custom links' module (pk_customlinks) version 2.3 or earlier. Attackers can execute arbitrary SQL commands through the ajax.php script, potentially compromising the entire database. All PrestaShop installations with this vulnerable module are affected.
💻 Affected Systems
- PrestaShop with pk_customlinks module
📦 What is this software?
Custom links (pk_customlinks) is an add-on module for PrestaShop storefronts. The vulnerable component is the module's front-end ajax.php script, which is reachable directly under the web root (modules/pk_customlinks/ajax.php) without a logged-in session.
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise: theft or manipulation of any table the PrestaShop database account can reach, escalation to back-office admin access via the employee table, and, if the database account holds FILE privileges, writing attacker-controlled files under the web root for remote code execution.
Likely Case
Data exfiltration of customer information, order data, and administrative credentials leading to further system compromise.
If Mitigated
Reduced impact if the PrestaShop database account has been restricted (no FILE/SUPER privileges, no access to other databases), but data leakage from every table the shop itself needs remains possible, since the application account must be able to read them.
🎯 Exploit Status
A single crafted HTTP request to ajax.php with a malicious parameter value triggers the injection. No authentication, session, or CSRF token is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4 or later
Vendor Advisory: https://security.friendsofpresta.org/modules/2024/06/18/pk_customlinks.html
Restart Required: No
Instructions:
1. Update the pk_customlinks module to version 2.4 or later.
2. If updating is not possible, remove the vulnerable ajax.php file from modules/pk_customlinks/ (this disables the module's AJAX-driven front-end features).
3. Clear the PrestaShop cache after the update (Advanced Parameters > Performance > Clear cache).
🔧 Temporary Workarounds
Disable or remove the vulnerable module
Temporarily disable or completely remove the pk_customlinks module until it is patched.
rm -rf modules/pk_customlinks/
Disable via PrestaShop admin panel: Modules > Module Manager > Custom links > Disable
Caveat: disabling the module in the admin panel only stops PrestaShop from loading it; a direct request to modules/pk_customlinks/ajax.php may still be served from disk and still reach the vulnerable code. After disabling, confirm the endpoint is no longer reachable, or remove the module files as well. Removing the directory with rm leaves the module's rows in the database; uninstalling from Module Manager first is cleaner.
Block access to ajax.php
Restrict access to the vulnerable ajax.php file in the web server configuration. This breaks the module's AJAX features on the storefront, which is usually acceptable until the patch is applied.
# Apache (2.4 syntax), inside the virtual host:
<Location "/modules/pk_customlinks/ajax.php">
    Require all denied
</Location>
# Nginx, placed before the generic "location ~ \.php$" block, because the first matching regex location wins:
location ~ /modules/pk_customlinks/ajax\.php$ {
    deny all;
}
After reloading, verify with a request to the path that the server returns 403 rather than executing the script.
🧯 If You Can't Patch
- Add WAF rules for the ajax.php endpoint. Keyword-based signatures are bypassable (URL encoding, SQL comments, case changes), so treat them as noise reduction and an alerting source, not as a fix.
- Restrict the PrestaShop database account: no FILE or SUPER privileges, no grants outside the shop database, so a successful injection cannot write files or touch other applications.
🔍 How to Verify
Check if Vulnerable:
The installation is exposed if modules/pk_customlinks/ajax.php exists and the installed module version is 2.3 or earlier. Check the version in the admin panel (Modules > Module Manager) or in the module directory.
Check Version:
grep -E '<version>' modules/pk_customlinks/config.xml ; grep -n 'this->version' modules/pk_customlinks/pk_customlinks.php
(config.xml records the version as <version><![CDATA[x.y]]></version>; the main class file sets $this->version. The installed version is also stored in the ps_module table, so check there if the files and the database disagree.)
Verify Fix Applied:
Confirm the module version is 2.4 or later after the update, and that ajax.php is either the patched file or absent. Re-test the endpoint with SQL injection payloads only in a staging environment, never against the production store.
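The following script is an added example (not code from the advisory or from the module's vendor) that automates the check above: it reads the module version from config.xml, falls back to $this->version in the main class file, compares it numerically against 2.4 (so a hypothetical "2.10" is not mistaken for an old release), and confirms ajax.php is present. The demo fixture it builds is a constructed stand-in for a module directory, not a real module.

```python
"""Check whether an installed pk_customlinks module is in the vulnerable range (<= 2.3)."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

FIXED_VERSION = (2, 4)          # first version reported as fixed
MODULE_NAME = "pk_customlinks"


def parse_version(text):
    """Turn '2.3', '2.4.1' or '2.10' into an int tuple so 2.10 > 2.4 compares correctly."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts)


def module_version(module_dir):
    """Read the version from config.xml (PrestaShop writes <version><![CDATA[x.y]]></version>);
    fall back to $this->version in the module's main class file."""
    config = os.path.join(module_dir, "config.xml")
    if os.path.isfile(config):
        node = ET.parse(config).getroot().find("version")
        if node is not None and node.text:
            return parse_version(node.text.strip())
    main_php = os.path.join(module_dir, f"{MODULE_NAME}.php")
    if os.path.isfile(main_php):
        with open(main_php, encoding="utf-8", errors="replace") as fh:
            m = re.search(r"\$this->version\s*=\s*['\"]([^'\"]+)['\"]", fh.read())
        if m:
            return parse_version(m.group(1))
    return None


def assess(module_dir):
    """Return a dict describing whether the install looks exposed."""
    version = module_version(module_dir)
    has_ajax = os.path.isfile(os.path.join(module_dir, "ajax.php"))
    old_version = version is not None and version < FIXED_VERSION
    return {
        "version": version,
        "ajax_php_present": has_ajax,
        # exposed only if the unpatched code is there AND the endpoint still exists
        "vulnerable": old_version and has_ajax,
    }


def _demo_module(version, with_ajax=True):
    """Build a constructed pk_customlinks directory for demonstration (not a real module)."""
    mdir = os.path.join(tempfile.mkdtemp(), MODULE_NAME)
    os.mkdir(mdir)
    with open(os.path.join(mdir, "config.xml"), "w", encoding="utf-8") as fh:
        fh.write("<?xml version='1.0' encoding='UTF-8'?>\n<module>\n"
                 f"  <name>{MODULE_NAME}</name>\n"
                 f"  <version><![CDATA[{version}]]></version>\n</module>\n")
    if with_ajax:
        open(os.path.join(mdir, "ajax.php"), "w").close()
    return mdir


if __name__ == "__main__":
    import sys
    # Pass the real path, e.g. /var/www/prestashop/modules/pk_customlinks, or run the demo
    target = sys.argv[1] if len(sys.argv) > 1 else _demo_module("2.3")
    print(assess(target))
```

Run it with the real module path as the first argument. A result of vulnerable=True means the shop needs the 2.4 update or the ajax.php removal described above.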
📡 Detection & Monitoring
Log Indicators:
- SQL syntax errors in the PHP error log or PrestaShop's own log (Advanced Parameters > Logs); web server access logs do not carry SQL errors, but they do show the requests that caused them
- Multiple requests to /modules/pk_customlinks/ajax.php whose query strings contain SQL keywords, quotes, or comment sequences, especially from a single source IP in a short burst
- Database error logs showing unexpected or malformed queries originating from the web server's database account
Network Indicators:
- HTTP requests to ajax.php containing SQL injection patterns (UNION, SELECT, SLEEP(, quotes, --), possibly URL- or double-URL-encoded
- Unusually long-running queries (time-based injection) or an unexpected volume of database traffic from the web server's database account
SIEM Query:
source="web_logs" AND uri="/modules/pk_customlinks/ajax.php" AND (query="*UNION*" OR query="*SELECT*" OR query="*INSERT*")
(Pseudo-query; adapt to your SIEM. Match case-insensitively and on the URL-decoded query string, otherwise "%55NION" or "union" slips through. Keyword matches alone produce false positives, so correlate hits per source IP and with the PHP error log.)
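The detection logic described above, as an added example that is not part of the advisory: it parses Apache/nginx combined-format access log lines, keeps only requests to the ajax.php endpoint, URL-decodes the query string twice to uncover double encoding, applies case-insensitive SQL injection patterns, and groups hits per source IP. The log lines embedded in it are constructed samples, not real traffic, and the endpoint path is the one named in this advisory. Because access logs do not record POST bodies, this only sees injection attempts carried in the query string; for POST-based attempts you need request-body logging or WAF logs.

```python
"""Flag SQL-injection-looking requests to the pk_customlinks ajax.php endpoint in access logs."""
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx "combined" format: ip - - [time] "METHOD /target HTTP/1.1" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
ENDPOINT = "/modules/pk_customlinks/ajax.php"
# Patterns typical of injection attempts; \b avoids matching words like "selection"
SQLI_RE = re.compile(
    r"(\bunion\b[\s\S]*\bselect\b|\bselect\b[\s\S]*\bfrom\b|\bsleep\s*\(|\bbenchmark\s*\(|"
    r"\binformation_schema\b|\bor\b\s+\d+\s*=\s*\d+|'\s*or\s+'|--\s|/\*|#)",
    re.IGNORECASE,
)

# Constructed sample lines (not real traffic): one benign and three hostile requests
# from 203.0.113.5, plus benign traffic from 198.51.100.7.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Jun/2024:10:01:02 +0000] "GET /modules/pk_customlinks/ajax.php?action=get&id_link=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Jun/2024:10:01:03 +0000] "GET /modules/pk_customlinks/ajax.php?action=get&id_link=1%27%20OR%201%3D1--%20 HTTP/1.1" 200 9821 "-" "curl/8.0"',
    '203.0.113.5 - - [18/Jun/2024:10:01:04 +0000] "GET /modules/pk_customlinks/ajax.php?action=get&id_link=1%20UNION%20SELECT%201%2C2%2C3 HTTP/1.1" 200 1400 "-" "curl/8.0"',
    '203.0.113.5 - - [18/Jun/2024:10:01:05 +0000] "GET /modules/pk_customlinks/ajax.php?action=get&id_link=1%2520AND%2520SLEEP%25285%2529 HTTP/1.1" 200 400 "-" "curl/8.0"',
    '198.51.100.7 - - [18/Jun/2024:10:02:00 +0000] "GET /index.php?controller=search&s=selection HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Jun/2024:10:02:01 +0000] "GET /modules/pk_customlinks/ajax.php?action=get&id_link=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def decode(s):
    """URL-decode twice so %2527-style double encoding is also uncovered."""
    return unquote_plus(unquote_plus(s))


def classify(line):
    """Return (ip, decoded_query) when the line targets ajax.php with an injection-looking
    query string, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(ENDPOINT):
        return None
    query = decode(parts.query)
    if SQLI_RE.search(query):
        return m.group("ip"), query
    return None


def scan(lines, burst_threshold=3):
    """Return all hits and the set of source IPs with at least burst_threshold hits."""
    hits = [h for h in (classify(line) for line in lines) if h]
    per_ip = Counter(ip for ip, _ in hits)
    return hits, {ip for ip, n in per_ip.items() if n >= burst_threshold}


if __name__ == "__main__":
    import sys
    # Pass an access log path to scan real traffic; otherwise run over the constructed sample
    lines = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    hits, bursts = scan(lines)
    for ip, query in hits:
        print(f"{ip}  {query}")
    print("burst sources:", sorted(bursts))
```

The double decode matters: the fourth sample line carries SLEEP(5) as %2520...%2528, which a single URL decode leaves as %20 and %28 and a keyword match would miss. A 200 status on a hostile request does not mean the attack succeeded; corroborate with the PHP error log and database logs.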