Security bulletin: 2014-003

  0 Comments/in / 
  ,

This bulletin has been assigned a CVE identifier of CVE-2014-4919
CVSS score 4.1
Released: July 29th, 2014

The following issue has been identified:

Synopsis

A possibility to assign to any user group, except admin group, without admin confirmation has been found in OXID eShop all editions, all former versions.

State

Resolved in OXID eShop version 4.7.13/5.0.13 and OXID eShop version 4.8.7/5.1.7

Impact

An attacker can trick a user to click on a mal-formed link and assign user to any pre-defined dynamical user group of the shop or user can assign himself to any user group that theoretically can be used to block access to the shop or gain unauthorized access to privileges of user group.

A possible exploit could lead to:

  • blocking user from accessing shop;
  • letting user do more than user is supposed to do.

Affected products, releases and platforms

Products:

  • OXID eShop Enterprise Edition
  • OXID eShop Professional Edition
  • OXID eShop Community Edition

Releases:

  • All previous releases

Platforms:

  • All releases are affected on all platforms.

Resolution

The issue has been addressed in the following releases:

  • OXID eShop Professional Edition version 4.7.13 and 4.8.7
  • OXID eShop Enterprise Edition version 5.0.13 and 5.1.7
  • OXID eShop Community Edition version 4.7.13 and 4.8.7

Bug tracker entry: https://bugs.oxid-esales.com/view.php?id=5814

Workaround

For OXID eShops <= version 5.1 (EE) and 4.8 (PE, CE)

1. Please go to eShop Admin->Master Settings->Core Settings->System->Other Settings and find a field Prohibited User Groups for dynamic User Group assignment using “dgr” URL param.

Add all User Group IDs there, which you want to be unassignable using “dgr” URL parameter.

Default User Group IDs in OXID eShop are:
oxidblacklist
oxidsmallcust
oxidmiddlecust
oxidgoodcust
oxidforeigncustomer
oxidnewcustomer
oxidpowershopper
oxiddealer
oxidnewsletter
oxidadmin
oxidpriceb
oxidpricea
oxidpricec
oxidblocked
oxidcustomer
oxidnotyetordered

Credits

The security issue has been found during one of our regular security audits.

Stay up-to-date

To receive upcoming OXID Security Bulletins, please subscribe to the mailing lists or the Announcement forum

How to report security issues

Learn how to report security issues in the Security overview page.



You might also like
OXID eShop v6.0.0 RC1 (partner release) is published
[WICHTIG] Info über kritische Sicherheitslücke im OXID eShop
OXID eShop version 4.8.1 (CE + PE) & 5.1.1 (EE)
OXID eShop version 4.9.1 (CE + PE) & 5.2.1 (EE)
How to (quickly) port a module to OXID eShop 6.0
OXID eShop version 6.1.3

Start the discussion at OXID forums