Security bulletin: 2010-003

Released: August 25th, 2010

The following issue has been identified:

Synopsis

We found the possibility of so-called "Reflected XSS Attacks". Reflected attacks are those where the injected code is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. When a user is tricked into clicking on a malicious link or submitting a specially crafted form, the injected code travels to the vulnerable web server, which reflects the attack back to the user's browser. The browser then executes the code because it came from a "trusted" server. No malicious JavaScript code is stored on the server.
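The reflection described above, shown as an added PHP example that is not OXID eShop code: a minimal search page that writes the request parameter into the response unencoded, beside the hardened form that encodes it for the HTML context. The parameter name and function names are assumptions for illustration.

```php
<?php
// Added example, not OXID eShop code. The parameter name 'searchparam' and
// the function names below are assumptions chosen for illustration.
declare(strict_types=1);

// Vulnerable: the raw request value is concatenated into the HTML response.
// Any markup in the query string is reflected verbatim and the browser
// parses it as part of the page, because it arrived from the trusted server.
function renderSearchResultVulnerable(string $query): string
{
    return '<p>Results for: ' . $query . '</p>';
}

// Hardened: encode for the HTML text context before writing it out.
// ENT_QUOTES also encodes single quotes so the same value is safe inside
// attribute values; the charset must match the page's declared encoding.
function renderSearchResultSafe(string $query): string
{
    $encoded = htmlspecialchars($query, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Results for: ' . $encoded . '</p>';
}

// Check used in review or tests: a response must never contain the input
// verbatim when that input carries markup characters.
function reflectsRawMarkup(string $input, string $response): bool
{
    return strpbrk($input, '<>"\'') !== false && strpos($response, $input) !== false;
}

// Constructed inputs: a benign query and one carrying HTML markup.
$samples = ['red shoes', '<i>shoes</i>'];

// In a real handler the value would come from $_GET['searchparam'].
foreach ($samples as $q) {
    $bad  = renderSearchResultVulnerable($q);
    $good = renderSearchResultSafe($q);
    echo "input:      $q\n";
    echo "vulnerable: $bad  (reflects markup: " . var_export(reflectsRawMarkup($q, $bad), true) . ")\n";
    echo "hardened:   $good  (reflects markup: " . var_export(reflectsRawMarkup($q, $good), true) . ")\n\n";
}
```

Running it shows `<i>shoes</i>` passed through unchanged by the vulnerable function and emitted as `&lt;i&gt;shoes&lt;/i&gt;` by the hardened one.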

State

Resolved in OXID eShop version 4.4.2.

Impact

By sending specially crafted JavaScript code, unauthorized users may gain access to another user's session.

No exploits are known as of today.

Affected products, releases and platforms

Products:

  • OXID eShop Professional Edition
  • OXID eShop Enterprise Edition
  • OXID eShop Community Edition

Releases:

  • Professional, Enterprise and Community Edition: 4.0.0.0_13895, 4.0.0.0_13934, 4.0.0.0_14260, 4.0.0.1_14455, 4.0.0.2_14842, 4.0.0.2_14967, 4.0.1.0_15990, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.4.0 and 4.4.1

Platforms:

  • Above releases are affected on all platforms.

Note: Releases older than the ones listed may also be affected. They are considered end of life and will not be supported further.

Resolution

The issue has been addressed in the following releases:

  • OXID eShop Professional Edition version 4.4.2
  • OXID eShop Enterprise Edition version 4.4.2
  • OXID eShop Community Edition version 4.4.2

Note: Users of the legacy <= 2.7.0.3 and <= 3.0.4.1 releases will not be provided with a fix. These versions are considered end of life and will not be supported further.

Workaround

For all users of any edition and version of OXID eShop it is highly recommended to protect the admin panel with .htaccess protection. Read more about .htaccess and other server-side precautions in this tutorial: http://wiki.oxidforge.org/Tutorials/Best_Practice_Security_Actions

Credits

Many thanks to Heiko Frenzel for the hint!

Stay up-to-date

To receive upcoming OXID Security Bulletins, please subscribe to the mailing lists or the Announcement forum.

How to report security issues

Learn how to report security issues in the Security overview page.
