## Incident Report
Some time before 17 Feb 2026 9:37 UTC, an attacker began a boolean-oracle (blind) SQL injection attack on the endpoint `/module/leoproductsearch/productsearch`.
It seems the attacker had some prior knowledge of this very uncommon endpoint (or had previously discovered the timing issue), as the endpoint does not return the result of the injected query.
Instead it can be used as a boolean oracle. An example injection query:
```
-9928" OR ORD(MID((SELECT IFNULL(CAST(last_connection_date AS NCHAR)%2C0x20) FROM presta.ps_employee ORDER BY email LIMIT 1%2C1)%2C8%2C1))%3E23--
```
This tells the attacker whether the second part of the query (the injected condition, since it is appended to the original search query) evaluates to true.
I.e. a boolean oracle.
When combined with match statements such as `LIKE`, this allows the attacker to brute force a string (such as the employee's email) by trying different characters one position at a time.
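To make the root cause concrete, the following added example (written for this post in Python with SQLite, not Leotheme's or PrestaShop's code, whose schema and query are assumed here) contrasts a search handler that concatenates the user's term into the SQL string with one that binds it as a parameter. It feeds both the exact injected value quoted above, URL-decoded: in the concatenated version the attacker's text reaches the SQL parser (SQLite has no `ORD()`/`MID()`, so it errors here; on MySQL it runs and leaks one bit per request, as the report shows), whereas the parameterized version treats the whole thing as an opaque search term and simply finds nothing.

```python
import sqlite3

# Constructed toy schema standing in for the shop's tables (not PrestaShop's real schema).
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ps_product_lang (name TEXT);
        INSERT INTO ps_product_lang VALUES ('Blue Jacket'), ('Red Scarf');
        CREATE TABLE ps_employee (email TEXT, last_connection_date TEXT);
        INSERT INTO ps_employee VALUES ('staff@example.invalid', '2026-02-16 18:02:11');
    """)
    return conn

# The injected value quoted in the report, URL-decoded (%2C -> ",", %3E -> ">").
INJECTED = ('-9928" OR ORD(MID((SELECT IFNULL(CAST(last_connection_date AS NCHAR),0x20) '
            'FROM presta.ps_employee ORDER BY email LIMIT 1,1),8,1))>23--')

def unsafe_search(conn, term):
    """Vulnerable pattern: the search term is spliced into the statement text.

    Double-quoted string literals are assumed because the payload starts by closing a `"`.
    """
    sql = f'SELECT name FROM ps_product_lang WHERE name LIKE "%{term}%"'
    try:
        return ("rows", [row[0] for row in conn.execute(sql)])
    except sqlite3.Error as exc:
        # The injected SQL was parsed as SQL; the error names a function/table from the payload.
        return ("error", str(exc))

def safe_search(conn, term):
    """Hardened pattern: the term is bound as data, so it can never change the statement.

    LIKE wildcards in user input are escaped too, so `%`/`_` cannot widen the match.
    """
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    cur = conn.execute(
        "SELECT name FROM ps_product_lang WHERE name LIKE ? ESCAPE '\\'",
        ("%" + escaped + "%",),
    )
    return [row[0] for row in cur]

if __name__ == "__main__":
    db = build_demo_db()
    print("safe, benign term:  ", safe_search(db, "jacket"))
    print("safe, injected term:", safe_search(db, INJECTED))
    print("unsafe, injected:   ", unsafe_search(db, INJECTED))
```

The fix is not specific to Python: every PHP database layer in current use (PDO, mysqli) offers the same prepared-statement binding, and a module that builds its search query by string concatenation is vulnerable regardless of how the rest of the shop is written.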
More than 8000 requests of this kind were made, which resulted in the following sequence of events:
- The attacker queries tangentially useful information:
  - Employee's last connection date
  - Employee's last password generation
  - Employee's last name
  - Employee's email (partial)
- The attacker then queries `reset_password_token` & `reset_password_validity` for the partial email to see if there is an active reset token
  - There wasn't at this point
- At 17 Feb [12:00] they seem to take a break; they continue at [20:53]
- At this point they switch to searching for the admin panel (which has an obfuscated URL) by querying `value` in `ps_configuration`
- At [21:07], a few hundred requests later, they seem to have found it and call it a day
- Around [08:27] the following day the attacker requests a password reset and starts brute forcing the `reset_password_token` & `reset_password_validity`
- Meanwhile our dutiful employee receives the password reset email at [~08:33] and notifies our IT team shortly after
- Around [8:34] the attacker seems to have obtained the required information and logs into the admin panel
- [08:35] They check the general orders list, then head to the modules section of the back office
- [08:36] They upload a new module (`intadvlog`), which contains obfuscated code but whose main purpose seems to be allowing arbitrary files to be uploaded
- [08:45] Using this tool they replace/add files in the ps_facebook module to add the `/ps_facebook/upgrade/Upgrade-1.1.1.php` file, which is the common database management tool [Adminer](https://www.adminer.org/en/)
- [08:47] They attempt to access the database (specifically the `ps_employee` table)
  - but either failed (there is no indication they had the database password)
  - or ended their exploits for the day
- [~10:45] We confirm the attack, disable the compromised employee account and start investigating the exact breadth/cause of the attack
- [~11:00] We take down the website out of an abundance of caution, having observed the logs of the attacker's post-exploitation activity
Judging from our logs, the attacker's goal seems to have been persistence (i.e. continued access) rather than direct data exfiltration,
potentially to interfere with business transactions, ransom us, or to pivot to other services later on.
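The oracle attack described above is loud in the web server log: thousands of requests to one obscure endpoint whose query string decodes to SQL fragments. The following added example (written for this post, not part of the site's tooling) shows a small detector over constructed access-log lines in Apache/nginx "combined" format; the injected query string is the one quoted earlier, URL-encoded, and the parameter name `search_query` is assumed. It counts suspicious requests both per source IP and per endpoint, because, as noted below, the requests came from many different IPs, so a per-IP threshold alone would have missed the pattern.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# The injected query string from the report, URL-encoded as it would appear in the access log.
PAYLOAD = ("-9928%22%20OR%20ORD(MID((SELECT%20IFNULL(CAST(last_connection_date%20AS%20NCHAR)%2C0x20)"
           "%20FROM%20presta.ps_employee%20ORDER%20BY%20email%20LIMIT%201%2C1)%2C8%2C1))%3E23--")
ENDPOINT = "/module/leoproductsearch/productsearch"

def _line(ip, ts, target, status=200):
    # Helper to build one constructed "combined" log line.
    return f'{ip} - - [{ts}] "GET {target} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

# Constructed excerpt: three oracle probes from three different IPs mixed with benign traffic.
SAMPLE_LOG = "\n".join([
    _line("203.0.113.10", "17/Feb/2026:09:37:01 +0000", f"{ENDPOINT}?search_query={PAYLOAD}"),
    _line("203.0.113.55", "17/Feb/2026:09:37:04 +0000", f"{ENDPOINT}?search_query=blue+jacket"),
    _line("198.51.100.7", "17/Feb/2026:09:37:05 +0000", f"{ENDPOINT}?search_query={PAYLOAD}"),
    _line("198.51.100.7", "17/Feb/2026:09:37:09 +0000", "/index.php?id_product=42"),
    _line("192.0.2.44",   "17/Feb/2026:09:37:12 +0000", f"{ENDPOINT}?search_query={PAYLOAD}"),
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Fragments that have no business in a product search term; matched on the URL-decoded,
# lower-cased query string. Requiring several hits keeps odd-but-legitimate searches out.
SQLI_TOKENS = (" or ", "select ", "union ", "ord(", "mid(", "substr", " like ", "ifnull(",
               "--", "/*", "ps_employee", "ps_configuration", "reset_password")

def classify(target):
    """Return (path, list of matched SQL-ish tokens) for one request target."""
    path, _, query = target.partition("?")
    decoded = unquote_plus(query).lower()
    return path, [tok for tok in SQLI_TOKENS if tok in decoded]

def analyse(log_text, min_tokens=2, threshold=3):
    """Parse log lines, flag requests with >= min_tokens hits, and raise alerts
    when any single IP or any single endpoint accumulates >= threshold flagged requests."""
    suspicious, per_ip, per_path = [], Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these separately
        path, hits = classify(m["target"])
        if len(hits) >= min_tokens:
            suspicious.append((m["ip"], m["ts"], path, hits))
            per_ip[m["ip"]] += 1
            per_path[path] += 1
    return {
        "suspicious": suspicious,
        # Per-source counting misses a distributed attacker; per-endpoint counting does not.
        "ip_alerts": sorted(ip for ip, n in per_ip.items() if n >= threshold),
        "endpoint_alerts": sorted(p for p, n in per_path.items() if n >= threshold),
    }

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, ts, path, hits in result["suspicious"]:
        print(f"{ts} {ip} {path} tokens={hits}")
    print("per-IP alerts:      ", result["ip_alerts"])
    print("per-endpoint alerts:", result["endpoint_alerts"])
```

Run against real logs this would have fired within the first few dozen probes on the 17th, roughly a day before the account takeover; the same decoded-query check can also be applied at the WAF or reverse proxy to block rather than just alert.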
What was exposed:
- Our dutiful employee's name & email
- For the most recent orders, general information which includes:
  - Customer initials & last name
  - Purchase amount
  - Date of purchase
  - Order status (delivered/paid/pending)
### Post Mortem
This was an exploit of a third-party vendor's code (specifically [Leotheme](https://www.leotheme.com)). Unfortunately this also appears to be common among other vendors that use PHP as their language of choice.
> We attempted to report the issue to Leotheme but they haven't responded yet.
While modern PHP *can* be secure it often isn't, so we would like to avoid PHP in the future.
Likewise, since we cannot reasonably trust Prestashop or its associated modules to still be secure, we will run a temporary informational site while we transition to the new framework.
The new framework is built from the ground up to be fast & secure using [Rust](https://rust-lang.org/), and in fact you are most likely reading this on the new website right now!
In the meantime we plan to add the IP addresses used for the attack to [AbuseIPDB](https://www.abuseipdb.com/), as a large number of different IPs were used to make the requests.
### What does this mean for you?
If you recently purchased something through our website, please be cautious of phishing and consider that the order value is potentially known.
If you are awaiting an order, they will still be delivered as usual, just take into account there might be a slight delay in processing.
If you are looking to buy a new product, please contact [email protected], [any of our dealers](/dealers), or wait for the new website to be fully operational again.