A new critical vulnerability has just been discovered in the PrestaShop module from Ether Creation, "Generate barcode on invoice / delivery slip" (ecgeneratebarcode), version 1.2 or earlier. This vulnerability, assigned the CVE identifier CVE-2024-24310, allows a guest user to perform SQL injection attacks. In this post, we will discuss how the vulnerability occurs, its potential impact, and how to fix it, along with code snippets and links to the original references for a better understanding.

Vulnerability Details

A significant issue was discovered in the "Generate barcode on invoice / delivery slip" module (ecgeneratebarcode) for PrestaShop, where a guest user can perform SQL injection attacks. SQL injection is a common security vulnerability in which an attacker injects malicious SQL into a query, allowing them to execute arbitrary commands on the database and potentially read sensitive information or compromise the system.

The vulnerability exists due to improper input validation and lack of prepared statements when processing user-supplied data. Specifically, the generateBarcode function of the module does not validate or sanitize the user input before passing it to the SQL query.

Here is a sample code snippet showing the problematic SQL query in the generateBarcode function:

public function generateBarcode($id_order) {
    ...
    // Vulnerable: the user-supplied value is concatenated into the query as-is,
    // with no validation, casting or escaping
    $sql = 'SELECT * FROM ' . _DB_PREFIX_ . 'ec_barcode WHERE id_order = ' . $id_order;
    ...
}

As we can see, the $id_order variable is concatenated directly into the SQL query without validation or sanitization, allowing an attacker to manipulate the query by injecting SQL commands.

Exploit

An attacker can exploit this vulnerability by sending a crafted HTTP request containing malicious SQL code in the id_order parameter. For example:

http://example.com/module/ecgeneratebarcode/generate?id_order=<SQL_INJECTION_PAYLOAD_HERE>

By successfully exploiting this vulnerability, an attacker can gain unauthorized access to sensitive data stored in the database, such as user credentials and customer information. This data can then be used for further attacks, identity theft, or other malicious purposes.

For more information about this vulnerability, you can refer to the following sources:

1. CVE-2024-24310 on the National Vulnerability Database
2. PrestaShop Security Announcement

Mitigation & Patch

To resolve this vulnerability, update the "Generate barcode on invoice / delivery slip" module to the latest version. If you already have the module installed, it is highly recommended to upgrade to the most recent release to protect your system from potential attacks.

Moreover, developers should always validate and sanitize input data, using prepared statements, parameterized queries, or the PrestaShop-specific pSQL function, to prevent SQL injection.

Here's how the vulnerable code snippet could be fixed:

public function generateBarcode($id_order) {
    ...
    // Fixed: cast to int first, so only a plain integer can ever reach the query
    $id_order = (int) $id_order;
    $sql = 'SELECT * FROM ' . _DB_PREFIX_ . 'ec_barcode WHERE id_order = ' . $id_order;
    ...
}
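As an added example that is not the module's own code, here is a hardened front controller for a hypothetical "generate" route, combining the cast above with explicit validation, an ownership check, and PrestaShop's DbQuery builder. The class name, the route and the ownership rule are assumptions; only the ec_barcode table and the id_order column come from the post.

```php
<?php
// Added example, not Ether Creation's code. Class and route names are assumed.
class EcgeneratebarcodeGenerateModuleFrontController extends ModuleFrontController
{
    public function initContent()
    {
        parent::initContent();

        // 1. Validate the raw parameter before it goes anywhere near SQL:
        //    anything that is not a positive integer is rejected outright.
        $raw = Tools::getValue('id_order');
        if (!Validate::isUnsignedId($raw)) {
            Tools::redirect('index.php?controller=404');
        }
        $id_order = (int) $raw;

        // 2. Authorization (assumed rule): only the customer who owns the order
        //    may generate its barcode, so a guest cannot enumerate orders.
        $order = new Order($id_order);
        if (!Validate::isLoadedObject($order)
            || (int) $order->id_customer !== (int) $this->context->customer->id) {
            Tools::redirect('index.php?controller=404');
        }

        $this->context->smarty->assign('barcodes', $this->fetchBarcodeRows($id_order));
    }

    // 3. Build the query with DbQuery and the validated integer. DbQuery::from()
    //    adds _DB_PREFIX_ itself; the (int) cast is the only thing concatenated.
    private function fetchBarcodeRows(int $id_order): array
    {
        $query = new DbQuery();
        $query->select('*')
              ->from('ec_barcode')
              ->where('id_order = ' . (int) $id_order);
        return Db::getInstance()->executeS($query) ?: [];
    }

    // For a string column where casting is not possible, pSQL() escapes the value
    // before it is quoted into the WHERE clause (column name is assumed).
    private function fetchByReference(string $reference): array
    {
        $query = new DbQuery();
        $query->select('*')
              ->from('ec_barcode')
              ->where("reference = '" . pSQL($reference) . "'");
        return Db::getInstance()->executeS($query) ?: [];
    }
}
```

Rendering of the module's template is left to the module; the point is that every value reaching the query has been either cast to int or passed through pSQL.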

Conclusion

It's essential to keep your PrestaShop modules up to date and apply security patches as they become available. By staying vigilant and following best practices, you can keep your eCommerce store safe and secure. In the case of CVE-2024-24310, updating the Ether Creation module to the latest version and following secure coding practices will help mitigate the risk.

Timeline

Published on: 02/23/2024 22:15:54 UTC
Last modified on: 02/26/2024 13:42:22 UTC