OXID Security Bulletin 2016-001

The following vulnerability has been identified:

Synopsis

By sending specially crafted HTTP POST or HTTP GET requests to the oxuser class, an attacker can gain administrative access to OXID eShop via the storefront.

State

  • to date, no 0-day exploit is known
  • resolved, patch releases available
  • workaround available

Impact

An attacker can gain full administrative access to OXID eShop. This includes all shopping cart options, customer data and the database. They can also execute PHP code or inject malicious code into the system and the shop’s storefront. No interaction between the attacker and the victim is necessary.

Affected products, releases and platforms

Products:

  • OXID eShop Enterprise Edition (“EE”)
  • OXID eShop Professional Edition (“PE”)
  • OXID eShop Community Edition (“CE”)

Releases:

  • All OXID eShop versions up to 5.2.x (EE) and 4.9.x (PE, CE)

Platforms:

  • All releases are affected on all platforms

Resolution

The issue has already been resolved in the following releases:

  • OXID eShop Enterprise Edition v5.1.12
  • OXID eShop Enterprise Edition v5.2.9
  • OXID eShop Professional Edition v4.8.12
  • OXID eShop Professional Edition v4.9.9
  • OXID eShop Community Edition v4.8.12
  • OXID eShop Community Edition v4.9.9

Bug tracker entry (in private state until June 13th): https://bugs.oxid-esales.com/view.php?id=6385

Workarounds

Please note that a fix for end-of-life versions will not be provided. Please update your OXID eShop installation immediately. However, in case you can’t update quickly, you are safe if you apply the three workarounds described below. Applying only one or two of them is not sufficient!

I. Protect your admin

Protect your admin/ folder with an .htaccess file that avoids unauthorized browser access to the admin as described here: http://wiki.oxidforge.org/Tutorials/Best_Practice_Security_Actions#eShop-Configuration

II. Create a new admin user

Create a new admin user and delete the default one:

  1. Log in to the admin panel, go to Administer Users -> Users
  2. Create a new user with admin rights, activate this user and assign it to the user group Store Administrator
  3. Log out and log in to the admin panel again with the recently created user
  4. Append this string to your current URL: &cl=user_list&fnc=deleteentry&oxid=oxdefaultadmin and press the Enter key (you will see a fraction of the admin interface then, that’s ok)
  5. Close your browser, re-open it and log in to the admin panel again with the new admin user
  6. Check if the originally created admin is gone

Please also consider watching this short screencast video about how to delete the default admin user in OXID eShop: https://www.youtube.com/watch?v=xROwBurnSOM

III. Use a web application firewall

The vulnerability can be filtered with a web application firewall of your choosing, such as ModSecurity. With the help of our friends at SysEleven, we provide a rule set as an example implementation for ModSecurity:

# The engine and request body access must both be on, otherwise the
# REQUEST_BODY rules below never see POST data.
SecRuleEngine On

SecTmpDir /tmp/
SecDataDir /tmp/

SecRequestBodyAccess On
SecArgumentSeparator &
SecCookieFormat 0

# Each pair of lines is one chained rule. The first line only matches requests
# whose URI (after URL decoding, lowercasing and path normalisation) does not
# start with /admin; the second line matches if the body or query string
# contains the named parameter. The deny action declared on the first line is
# applied only when the whole chain matches, so admin traffic is never blocked.
SecRule REQUEST_URI  "!@beginsWith /admin" "id:'9000000',phase:2,deny,msg:'oxid patch',t:urldecode,t:lowercase,t:normalizePath,chain"
SecRule REQUEST_BODY "@rx oxuser__oxid"    "t:urldecode,t:lowercase"

SecRule REQUEST_URI  "!@beginsWith /admin" "id:'9000001',phase:2,deny,msg:'oxid patch',t:urldecode,t:lowercase,t:normalizePath,chain"
SecRule QUERY_STRING "@rx oxuser__oxid"    "t:urldecode,t:lowercase"

SecRule REQUEST_URI  "!@beginsWith /admin" "id:'9000010',phase:2,deny,msg:'oxid patch',t:urldecode,t:lowercase,t:normalizePath,chain"
SecRule REQUEST_BODY "@rx oxuser__oxboni"  "t:urldecode,t:lowercase"

SecRule REQUEST_URI  "!@beginsWith /admin" "id:'9000011',phase:2,deny,msg:'oxid patch',t:urldecode,t:lowercase,t:normalizePath,chain"
SecRule QUERY_STRING "@rx oxuser__oxboni"  "t:urldecode,t:lowercase"

SecRule REQUEST_URI  "!@beginsWith /admin"  "id:'9000020',phase:2,deny,msg:'oxid patch',t:urldecode,t:lowercase,t:normalizePath,chain"
SecRule REQUEST_BODY "@rx oxuser__oxpoints" "t:urldecode,t:lowercase"

SecRule REQUEST_URI  "!@beginsWith /admin"  "id:'9000021',phase:2,deny,msg:'oxid patch',t:urldecode,t:lowercase,t:normalizePath,chain"
SecRule QUERY_STRING "@rx oxuser__oxpoints" "t:urldecode,t:lowercase"

SecRule REQUEST_URI  "!@beginsWith /admin" "id:'9000030',phase:2,deny,msg:'oxid patch',t:urldecode,t:lowercase,t:normalizePath,chain"
SecRule REQUEST_BODY "@rx oxaddress__oxid" "t:urldecode,t:lowercase"

SecRule REQUEST_URI  "!@beginsWith /admin" "id:'9000031',phase:2,deny,msg:'oxid patch',t:urldecode,t:lowercase,t:normalizePath,chain"
SecRule QUERY_STRING "@rx oxaddress__oxid" "t:urldecode,t:lowercase"

SecRule REQUEST_URI  "!@beginsWith /admin"     "id:'9000040',phase:2,deny,msg:'oxid patch',t:urldecode,t:lowercase,t:normalizePath,chain"
SecRule REQUEST_BODY "@rx oxaddress__oxuserid" "t:urldecode,t:lowercase"

SecRule REQUEST_URI  "!@beginsWith /admin"     "id:'9000041',phase:2,deny,msg:'oxid patch',t:urldecode,t:lowercase,t:normalizePath,chain"
SecRule QUERY_STRING "@rx oxaddress__oxuserid" "t:urldecode,t:lowercase"

SecRule REQUEST_URI  "!@beginsWith /admin"            "id:'9000050',phase:2,deny,msg:'oxid patch',t:urldecode,t:lowercase,t:normalizePath,chain"
SecRule REQUEST_BODY "@rx oxaddress__oxaddressuserid" "t:urldecode,t:lowercase"

SecRule REQUEST_URI  "!@beginsWith /admin"            "id:'9000051',phase:2,deny,msg:'oxid patch',t:urldecode,t:lowercase,t:normalizePath,chain"
SecRule QUERY_STRING "@rx oxaddress__oxaddressuserid" "t:urldecode,t:lowercase"

SecRule REQUEST_URI  "!@beginsWith /admin" "id:'9000100',phase:2,deny,msg:'oxid patch',t:urldecode,t:lowercase,t:normalizePath,chain"
SecRule REQUEST_BODY "@rx invadr\[oxid\]"  "t:urldecode,t:lowercase"

SecRule REQUEST_URI  "!@beginsWith /admin" "id:'9000101',phase:2,deny,msg:'oxid patch',t:urldecode,t:lowercase,t:normalizePath,chain"
SecRule QUERY_STRING "@rx invadr\[oxid\]"  "t:urldecode,t:lowercase"

SecRule REQUEST_URI  "!@beginsWith /admin"  "id:'9000110',phase:2,deny,msg:'oxid patch',t:urldecode,t:lowercase,t:normalizePath,chain"
SecRule REQUEST_BODY "@rx invadr\[oxboni\]" "t:urldecode,t:lowercase"

SecRule REQUEST_URI  "!@beginsWith /admin"  "id:'9000111',phase:2,deny,msg:'oxid patch',t:urldecode,t:lowercase,t:normalizePath,chain"
SecRule QUERY_STRING "@rx invadr\[oxboni\]" "t:urldecode,t:lowercase"

SecRule REQUEST_URI  "!@beginsWith /admin"    "id:'9000120',phase:2,deny,msg:'oxid patch',t:urldecode,t:lowercase,t:normalizePath,chain"
SecRule REQUEST_BODY "@rx invadr\[oxpoints\]" "t:urldecode,t:lowercase"

SecRule REQUEST_URI  "!@beginsWith /admin"    "id:'9000121',phase:2,deny,msg:'oxid patch',t:urldecode,t:lowercase,t:normalizePath,chain"
SecRule QUERY_STRING "@rx invadr\[oxpoints\]" "t:urldecode,t:lowercase"

SecRule REQUEST_URI  "!@beginsWith /admin" "id:'9000130',phase:2,deny,msg:'oxid patch',t:urldecode,t:lowercase,t:normalizePath,chain"
SecRule REQUEST_BODY "@rx deladr\[oxid\]"  "t:urldecode,t:lowercase"

SecRule REQUEST_URI  "!@beginsWith /admin" "id:'9000131',phase:2,deny,msg:'oxid patch',t:urldecode,t:lowercase,t:normalizePath,chain"
SecRule QUERY_STRING "@rx deladr\[oxid\]"  "t:urldecode,t:lowercase"

SecRule REQUEST_URI  "!@beginsWith /admin"    "id:'9000140',phase:2,deny,msg:'oxid patch',t:urldecode,t:lowercase,t:normalizePath,chain"
SecRule REQUEST_BODY "@rx deladr\[oxuserid\]" "t:urldecode,t:lowercase"

SecRule REQUEST_URI  "!@beginsWith /admin"    "id:'9000141',phase:2,deny,msg:'oxid patch',t:urldecode,t:lowercase,t:normalizePath,chain"
SecRule QUERY_STRING "@rx deladr\[oxuserid\]" "t:urldecode,t:lowercase"

SecRule REQUEST_URI  "!@beginsWith /admin"           "id:'9000150',phase:2,deny,msg:'oxid patch',t:urldecode,t:lowercase,t:normalizePath,chain"
SecRule REQUEST_BODY "@rx deladr\[oxaddressuserid\]" "t:urldecode,t:lowercase"

SecRule REQUEST_URI  "!@beginsWith /admin"           "id:'9000151',phase:2,deny,msg:'oxid patch',t:urldecode,t:lowercase,t:normalizePath,chain"
SecRule QUERY_STRING "@rx deladr\[oxaddressuserid\]" "t:urldecode,t:lowercase"

Please note that this rule set, as written, only works if OXID eShop is installed in the Document Root of the web space. If it is installed in a subdirectory of the Document Root, so that you access the admin interface via www.yourdomain.com/shop/admin/, change the path in every "!@beginsWith /admin" condition to /shop/admin accordingly.

Please note that this is only possible if you or your integration partner has root access to the server. If you have no clue what this is about, please turn to your hosting provider.

We can’t guarantee that this workaround works in your environment. Some third-party extensions might need to send requests that these rules block. Use the filtering as a temporary solution only, and upgrade your shop to a supported version as soon as possible.
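Before deploying the rule set it helps to see, with concrete requests, which ones it denies and which it lets through. The following Python script is an added example and is not part of the bulletin or of the SysEleven rule set: it re-implements the decision the rules above make (deny a request whose URI does not begin with the admin prefix and whose query string or body contains one of the twelve listed parameter names, compared after URL decoding and lowercasing) and runs it over a handful of constructed sample requests, including the subdirectory case from the note above. It approximates ModSecurity's normalizePath transformation with posixpath.normpath; the request samples are constructed for this example and do not come from a real shop.

```python
"""Offline emulation of the ModSecurity rule set from OXID Security Bulletin 2016-001.

Added example, not the bulletin's or SysEleven's code. It reproduces the
rule logic so an operator can check what the rules would block before
enabling them on a live shop.
"""
import posixpath
import re
from urllib.parse import unquote_plus

# Prefix used by the "!@beginsWith /admin" condition. For a shop installed in
# a subdirectory this must be changed, e.g. to "/shop/admin".
ADMIN_PREFIX = "/admin"

# (rule id of the REQUEST_BODY rule, regex) pairs copied from the rule set.
# The matching QUERY_STRING rule always has id + 1.
RULES = [
    (9000000, r"oxuser__oxid"),
    (9000010, r"oxuser__oxboni"),
    (9000020, r"oxuser__oxpoints"),
    (9000030, r"oxaddress__oxid"),
    (9000040, r"oxaddress__oxuserid"),
    (9000050, r"oxaddress__oxaddressuserid"),
    (9000100, r"invadr\[oxid\]"),
    (9000110, r"invadr\[oxboni\]"),
    (9000120, r"invadr\[oxpoints\]"),
    (9000130, r"deladr\[oxid\]"),
    (9000140, r"deladr\[oxuserid\]"),
    (9000150, r"deladr\[oxaddressuserid\]"),
]
_COMPILED = [(rule_id, re.compile(pattern), pattern) for rule_id, pattern in RULES]


def _decode_lower(value: str) -> str:
    """t:urldecode,t:lowercase (ModSecurity's urlDecode also maps '+' to space)."""
    return unquote_plus(value).lower()


def _normalize_uri(request_uri: str) -> str:
    """t:urldecode,t:lowercase,t:normalizePath applied to REQUEST_URI.

    normalizePath is approximated with posixpath.normpath on the path part
    (collapses '//', './' and '../'); the query string is left as decoded.
    """
    path, sep, query = _decode_lower(request_uri).partition("?")
    return posixpath.normpath(path) + sep + query


def evaluate(request_uri: str, query_string: str = "", body: str = "",
             admin_prefix: str = ADMIN_PREFIX):
    """Return ("pass", None, None) or ("deny", rule_id, pattern).

    Rules are tried in file order (body rule before query rule for each
    pattern), and the first chain that matches decides, as ModSecurity does.
    """
    # First line of every chain: requests under the admin prefix are exempt.
    if _normalize_uri(request_uri).startswith(admin_prefix):
        return ("pass", None, None)
    body_d = _decode_lower(body)
    query_d = _decode_lower(query_string)
    for rule_id, rx, pattern in _COMPILED:
        if rx.search(body_d):
            return ("deny", rule_id, pattern)
        if rx.search(query_d):
            return ("deny", rule_id + 1, pattern)
    return ("pass", None, None)


def demo():
    """Run constructed sample requests and return their verdicts in order."""
    samples = [
        # Ordinary storefront address update: not affected by the rules.
        ("storefront address form", "/index.php", "",
         "cl=account_user&fnc=changeuser&invadr[oxuser__oxfname]=Jane&invadr[oxuser__oxcity]=Berlin", ADMIN_PREFIX),
        # URL-encoded and upper-cased field name: caught after urldecode + lowercase.
        ("encoded field name", "/index.php", "", "invadr%5BOXID%5D=1", ADMIN_PREFIX),
        # Same field in the query string: the QUERY_STRING rule (id + 1) fires.
        ("field in query string", "/index.php", "cl=account&oxuser__oxid=1", "", ADMIN_PREFIX),
        # Admin interface (case differs): exempt by the first line of the chain.
        ("admin request", "/ADMIN/index.php?cl=user_list", "", "oxuser__oxid=1", ADMIN_PREFIX),
        # Shop in a subdirectory with the unchanged prefix: admin traffic is blocked...
        ("subdir admin, default prefix", "/shop/admin/index.php", "", "oxuser__oxid=1", ADMIN_PREFIX),
        # ...and passes once the prefix is adapted as the bulletin says.
        ("subdir admin, adapted prefix", "/shop/admin/index.php", "", "oxuser__oxid=1", "/shop/admin"),
    ]
    results = []
    for label, uri, qs, body, prefix in samples:
        verdict = evaluate(uri, qs, body, prefix)
        results.append((label, verdict))
        print(f"{label:32s} -> {verdict}")
    return results


if __name__ == "__main__":
    demo()
```

Run the script as-is to see the six verdicts; to check your own traffic, feed recorded storefront requests (URI, query string, raw body) into evaluate() and look for unexpected "deny" results from third-party extensions before enabling the rules on the live shop.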

Credits

This security issue was found by OXID developers. Also a big thanks to SysEleven’s security team for the ModSecurity support and to @leofonic, who pointed us to a necessary correction.

Stay up-to-date

To receive upcoming OXID Security Bulletins, please subscribe to the RSS feed: https://oxidforge.org/en/shop/development-security/feed.

How to report security issues

Learn how to report security issues in the Security overview page.