CVE CyberSecurity Database News

CVE-2024-24310 - Critical SQL Injection In PrestaShop's "Generate barcode on invoice / delivery slip" (ecgeneratebarcode) Module

Poster -

CVE-2024-24310 is a serious security issue found in the "Generate barcode on invoice / delivery slip" PrestaShop module (ecgeneratebarcode) by Ether Creation, affecting versions up to and including 1.2.. This vulnerability allows a guest user—someone without authentication—to execute arbitrary SQL queries on the shop's database. Since PrestaShop is widely used for e-commerce, this poses a huge risk to affected stores, potentially leading to data theft, manipulation, or even complete site compromise. Let’s break down this flaw, look at a code sample, and show how attackers could exploit it.

What Is This Module?

The "Generate barcode on invoice / delivery slip" module lets shop owners print barcodes directly on invoices and delivery slips. It's popular because barcodes help manage stock and shipping processes. The vulnerable code lives in ecgeneratebarcode module versions 1.2. and below.

How Does the Vulnerability Work?

The problem is classic: SQL Injection. Somewhere in the module, user input (such as a URL parameter) gets inserted into a database query without proper filtering or escaping. That lets an attacker craft malicious input that tricks the database into running unauthorized commands.

Typical insecure PHP code inside the module could look like this

// Example vulnerable snippet in ecgeneratebarcode.php
$order_id = Tools::getValue('order_id'); // Not properly validated!
$sql = "SELECT * FROM "._DB_PREFIX_."orders WHERE id_order = $order_id";
$result = Db::getInstance()->getRow($sql);

Here’s the issue: $order_id comes directly from the user's request. If an attacker supplies something like '1 OR 1=1', the query becomes:

SELECT * FROM ps_orders WHERE id_order = 1 OR 1=1

which would return every single order. Worse still, with stacked queries or more advanced payloads, attackers could manipulate or leak sensitive data.

Who Is at Risk?

Any PrestaShop site using ecgeneratebarcode <= 1.2. is vulnerable—even if a user is not logged in.

Suppose the vulnerable script accepts a GET parameter called order_id

https://shop.example.com/modules/ecgeneratebarcode/barcode.php?order_id=1

An attacker could replace 1 with something malicious, like

https://shop.example.com/modules/ecgeneratebarcode/barcode.php?order_id=1%20UNION%20SELECT%20email,password%20FROM%20ps_customer--

If the module’s code doesn’t sanitize order_id, the attacker may see customers’ emails and password hashes in the barcode output, or fish for admin credentials.

A simple PoC for this attack (do not run on production!)

curl 'https://shop.example.com/modules/ecgeneratebarcode/barcode.php?order_id=1%20UNION%20SELECT%201,group_concat(email,x3a,password)%20FROM%20ps_customer--+'

This may cause the barcode image (or its error) to leak usernames and password hashes.

Data Theft: Attacker can dump user, product, or order data.

- Privilege Escalation: If admin hashes are retrieved, they can attempt to crack them and take over backend.
- Full Site Compromise: Attack chain can lead to uploading shells, deleting orders, or destroying the shop database.

- NVD CVE-2024-24310
- Original Exploit Report on GitHub
- Ether Creation ecgeneratebarcode Module

How To Fix

- Update the module! Ether Creation has released a patch. Upgrade to the latest version (check with your vendor or from here).
- Temporary measure: Disable the barcode module, or block access to /modules/ecgeneratebarcode/ via .htaccess until you can patch.
- Best Practice: Always validate and sanitize all user input, especially before including in a SQL query. Use prepared statements or PrestaShop's ORM.

Patched code should look like

$order_id = (int)Tools::getValue('order_id'); // Cast to integer!
$sql = "SELECT * FROM "._DB_PREFIX_."orders WHERE id_order = $order_id";
$result = Db::getInstance()->getRow($sql);

or even better, use prepared prepared queries.

Conclusion

CVE-2024-24310 is dangerous because it is simple to exploit and affects a business-critical module in many PrestaShop installations. If you’re using Ether Creation's barcode module, update *immediately* and audit any other modules for similar patterns. This issue is a textbook example of why input validation and never trusting user input remain core parts of secure web development.

Timeline

Published on: 02/23/2024 22:15:54 UTC
Last modified on: 08/28/2024 21:35:04 UTC