OXID eShop version 4.8.8 (CE + PE) & 5.1.8 (EE)

General hints for this package

  • Runs on PHP 5.4 and PHP 5.3. Might run on PHP 5.2 (not tested any longer).


For installation instructions for the update package, please see


Template changes have been done in this patch release. Please find detailed information about template changes in “templ_docu_azure/index.html” of the package, and a tutorial about the template hierarchy and the override system here:

Fixed Bugs

New Features

No new features in this patch release

Important information for developers

Security improvement: Dynamic security token check

The dynamic security token parameter check was expanded to all forms and action URLs executed for a logged-in user. In the template forms, this dynamic security token parameter is added automatically, together with a hidden session ID form element. Therefore, standard or custom forms that use the [{$oViewConf->getHiddenSid()}] template getter do not require any changes.
From this version on, actions submitted via the GET method over a URL require an additional dynamic security token parameter in the action URL. Examples of such actions are “To wishlist” and “To notice list”, where the action is performed by a visitor clicking a link instead of submitting a form. In this case, the dynamic security token value can be accessed via the [{$oViewConf->getSessionChallengeToken()}] template getter. When updating the templates, the dynamic security token parameter must be added not only to standard links, but also to any custom action link URLs.

For example, your custom “To wishlist” link should be changed as follows:

Old link:
<a href="[{$oViewConf->getSelfLink()}]?fnc=towishlist&aid=[{$sProductId}]">To wishlist</a>

Updated link:
<a href="[{$oViewConf->getSelfLink()}]?fnc=towishlist&aid=[{$sProductId}]&stoken=[{$oViewConf->getSessionChallengeToken()}]">To wishlist</a>
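
To find custom templates that still need this change, a scan like the following can be used. It is an added example, not part of the OXID package: the function name and the sample template are constructed, and it assumes that an action link carries a literal fnc= parameter in its href and that forms receive the token through getHiddenSid(), as described above.

```python
import re
import sys
from pathlib import Path

# href value in either quote style. Smarty tags ([{ ... }]) are consumed whole,
# so a quote inside a tag does not end the attribute early.
HREF_RE = re.compile(r"""href\s*=\s*(["'])((?:\[\{.*?\}\]|(?!\1|\[\{).)*)\1""", re.I | re.S)
FORM_RE = re.compile(r"<form\b.*?</form>", re.I | re.S)
ACTION_RE = re.compile(r"(?:[?&]|&amp;)fnc=")    # link calls a shop function
TOKEN_RE = re.compile(r"(?:[?&]|&amp;)stoken=")  # token parameter is present


def find_unprotected(template_text):
    """Return sorted (line, kind, snippet) tuples for links and forms lacking the token."""
    def line_of(pos):
        return template_text.count("\n", 0, pos) + 1

    findings = []
    for m in HREF_RE.finditer(template_text):
        url = m.group(2)
        if ACTION_RE.search(url) and not TOKEN_RE.search(url):
            findings.append((line_of(m.start()), "link", url))
    for m in FORM_RE.finditer(template_text):
        # Forms get the token through getHiddenSid(); flag forms without it for review.
        if "getHiddenSid()" not in m.group(0):
            findings.append((line_of(m.start()), "form", m.group(0).splitlines()[0]))
    return sorted(findings)


# Constructed sample template; "myaction" is a hypothetical function name.
SAMPLE = """<a href="[{$oViewConf->getSelfLink()}]?fnc=towishlist&aid=[{$sProductId}]">To wishlist</a>
<a href="[{$oViewConf->getSelfLink()}]?fnc=towishlist&amp;aid=[{$sProductId}]&amp;stoken=[{$oViewConf->getSessionChallengeToken()}]">To wishlist</a>
<a href='[{$oViewConf->getSelfLink()}]?cl=details&amp;anid=[{$sProductId}]'>Details</a>
<form action="[{$oViewConf->getSelfLink()}]" method="post">
  [{$oViewConf->getHiddenSid()}]
  <input type="hidden" name="fnc" value="myaction">
</form>
<form action="[{$oViewConf->getSelfLink()}]" method="post">
  <input type="hidden" name="fnc" value="myaction">
</form>
"""

if __name__ == "__main__":
    # With file arguments, scan those templates; otherwise scan the sample.
    sources = {p: Path(p).read_text(encoding="utf-8") for p in sys.argv[1:]} or {"SAMPLE": SAMPLE}
    for name, text in sources.items():
        for line, kind, snippet in find_unprotected(text):
            print(f"{name}:{line}: {kind} without token: {snippet}")
```

Each finding is a candidate for review: links need the stoken parameter added, and flagged forms need the [{$oViewConf->getHiddenSid()}] getter.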

Security improvement: changed the password encryption

As you might know, we used the cryptographic hash function MD5 plus an additional salt hash to hash the user passwords in OXID eShop. MD5 has since become somewhat outdated, and for this reason the security of a shop will not be certified. We decided to replace MD5 with the more modern cryptographic hash function SHA-2. Additionally, the way the salt hash is created was changed slightly.

No fear: your users will still be able to log in properly, as long as your update ran through properly. We check the old and the new method, match if both hashes fit, and let the user log in this way. There is no need to ask your users to renew their passwords.

Changed method processUrl()

While fixing bug #05809, the method oxUtilsUrl::processUrl() was changed. It now checks whether an external URL is passed and, if so, does not add parameters (such as session and language) to it.

Encoding of captcha code

The encoding of the captcha code was changed; ROT13 is no longer used. The new classes oxEncryptor and oxDecryptor were created for encrypting and decrypting the captcha code.

Full list of changes
