OXID Security Bulletin 2015-001

  • CVE identifier: CVE-2015-6926
  • CVSS score: 5.3
  • Release date: September 30th, 2015

The following vulnerability has been identified:

Synopsis

An attacker can deploy their own OpenID Identity Provider (IdP) that issues valid OpenID authentication tokens, since OpenID allows the use of arbitrary IdPs. The attacker's IdP can place any email address in the tokens it issues, which the OpenID specification permits.
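As an added illustration (not code from this advisory or from OXID eShop), the account-lookup pattern that makes the synopsis above exploitable, shown next to a hardened version; the account table, the IdP allowlist and the assertion fields are constructed for the example:

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class OpenIdAssertion:
    """Minimal view of a positive OpenID assertion (constructed for the example)."""
    op_endpoint: str   # the IdP that signed the assertion
    claimed_id: str    # the OpenID identifier the IdP vouches for
    email: str         # email attribute; any IdP can put any value here


# Constructed local account table: user id -> attributes.
ACCOUNTS = {
    1: {"email": "alice@example.com", "openid": "https://idp.example.net/alice"},
    2: {"email": "bob@example.com", "openid": None},
}

# Hypothetical allowlist of IdP endpoints the shop has decided to trust.
TRUSTED_OP_ENDPOINTS = {"https://idp.example.net/openid"}


def resolve_by_email_vulnerable(a: OpenIdAssertion, accounts) -> Optional[int]:
    """Flawed pattern: maps the login to a local account by the email
    attribute alone, no matter which IdP produced the assertion."""
    for uid, acct in accounts.items():
        if acct["email"].lower() == a.email.lower():
            return uid
    return None


def resolve_hardened(a: OpenIdAssertion, accounts, trusted_ops) -> Optional[int]:
    """Hardened pattern: refuse assertions from IdPs outside the allowlist and
    map only by the exact OpenID identifier previously linked to the account;
    the email attribute is never used to pick an account."""
    if a.op_endpoint not in trusted_ops:
        return None
    for uid, acct in accounts.items():
        if acct["openid"] is not None and acct["openid"] == a.claimed_id:
            return uid
    return None


if __name__ == "__main__":
    # Assertion from an IdP the shop never vetted, carrying Alice's email.
    rogue = OpenIdAssertion("https://rogue.invalid/openid",
                            "https://rogue.invalid/someone", "alice@example.com")
    print("vulnerable ->", resolve_by_email_vulnerable(rogue, ACCOUNTS))   # 1
    print("hardened   ->", resolve_hardened(rogue, ACCOUNTS, TRUSTED_OP_ENDPOINTS))  # None
```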

State

Resolved in OXID eShop version 4.5.0

Impact

An attacker can impersonate any other user on the system where OXID eShop is deployed. No interaction between the attacker and the victim is necessary.

Affected products, releases and platforms

Products:

  • OXID eShop Enterprise Edition (“EE”)
  • OXID eShop Professional Edition (“PE”)
  • OXID eShop Community Edition (“CE”)

Releases:

  • All OXID eShop releases of versions 4.0.1.0, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8

Platforms:

  • All releases are affected on all platforms

Resolution

The issue has already been resolved in the following releases:

  • OXID eShop Professional Edition version 4.5.0
  • OXID eShop Enterprise Edition version 4.5.0
  • OXID eShop Community Edition version 4.5.0

Bug tracker entry: https://bugs.oxid-esales.com/view.php?id=6224

Workaround

  1. For OXID eShop versions < 4.3.0, delete all files containing “openid” in their names and adapt the following templates in order to hide the OpenID login:
    • out/basic/tpl/inc/cmp_login.tpl
    • out/basic/tpl/_right.tpl
    • out/basic/tpl/dyn/cmp_openidlogin_right.tpl
    • out/basic/tpl/user.tpl
  2. From OXID eShop version 4.3.0 on, it is possible to switch off the OpenID functionality via Admin panel => Master Settings => Core Settings => Settings => Shop frontend.
  3. Even better: update your installation to a current OXID eShop version.

Credits

Many thanks to M.Sc. Christian Mainka & Vladislav Mladenow (Horst Görtz Institute for IT-Security, Chair for Network and Data Security, Ruhr-University Bochum, Germany) for this report.

Stay up-to-date

To receive OXID Security Bulletins, please subscribe to the RSS feed: https://oxidforge.org/en/shop/development-security/feed.

How to report security issues

Learn how to report security issues in the Security overview page.