Security Bulletin 2017-001

The following vulnerability has been identified:

Synopsis

Under certain pre-conditions an attacker would be able to hijack the cart session of a client via a Cross-Site Request Forgery (CSRF).

State

  • Until now, no 0-day exploit is known
  • Resolved, patch releases available

Impact

An attacker could alter a shop customer’s cart content if the following pre-conditions are met:

  • An attacker knows which shop is presently used by the client.
  • An attacker knows the exact time when the customer will add product items to the cart.
  • An attacker knows which product items are already in the cart (has to know their article IDs).
  • An attacker would be able to trick the user into clicking a button (submitting a form) in an e-mail or on a remote site while the customer is visiting the shop but has not yet placed the order.
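The pre-conditions above describe the classic CSRF shape: the shop accepts a state-changing POST (add to cart) on the strength of the customer's session cookie alone, so a form on a third-party page submitted by the logged-in customer is indistinguishable from a genuine one. The following is an added illustration, not OXID eShop code and not the patch referenced in this bulletin; it shows an unprotected cart handler beside one guarded with a per-session synchronizer token. All names (`csrf_token`, `article_id`, `/cart/add`, the article IDs) and the array-based session are constructed so the script runs from the CLI.

```php
<?php
// Added illustration (not OXID eShop code): synchronizer-token CSRF protection
// for an "add to cart" POST handler. Session storage is simulated with an array
// so the script runs with `php csrf_cart.php` and needs no web server.

declare(strict_types=1);

const TOKEN_KEY = 'csrf_token'; // session key name, constructed for this example

/** Create the per-session token once and reuse it for every form render. */
function issueToken(array &$session): string
{
    if (empty($session[TOKEN_KEY])) {
        $session[TOKEN_KEY] = bin2hex(random_bytes(32)); // 256 bits from a CSPRNG
    }
    return $session[TOKEN_KEY];
}

/** Render the add-to-cart form; the hidden field carries the session token. */
function renderAddToCartForm(array &$session, string $articleId): string
{
    $token = htmlspecialchars(issueToken($session), ENT_QUOTES, 'UTF-8');
    $aid   = htmlspecialchars($articleId, ENT_QUOTES, 'UTF-8');
    return "<form method=\"post\" action=\"/cart/add\">\n"
         . "  <input type=\"hidden\" name=\"csrf_token\" value=\"$token\">\n"
         . "  <input type=\"hidden\" name=\"article_id\" value=\"$aid\">\n"
         . "  <button type=\"submit\">Add to cart</button>\n"
         . "</form>";
}

/** Vulnerable shape: trusts any POST that names an article. */
function addToCartUnprotected(array &$cart, array $post): bool
{
    if (!isset($post['article_id']) || !is_string($post['article_id'])) {
        return false;
    }
    $cart[$post['article_id']] = ($cart[$post['article_id']] ?? 0) + 1;
    return true;
}

/** Hardened shape: the POST must carry the token bound to this session. */
function addToCartProtected(array &$cart, array &$session, array $post): bool
{
    $expected  = $session[TOKEN_KEY] ?? '';
    $submitted = $post['csrf_token'] ?? '';
    // hash_equals() compares in constant time; empty or non-string values
    // (a missing field, an array smuggled in via csrf_token[]) are rejected first.
    if ($expected === '' || !is_string($submitted) || !hash_equals($expected, $submitted)) {
        return false; // cross-site or replayed request: leave the cart untouched
    }
    return addToCartUnprotected($cart, $post);
}

// --- Demonstration with constructed requests ---
$session = [];                 // the customer's server-side session
$cart    = ['ART-100' => 1];   // one item already in the cart (constructed)

echo renderAddToCartForm($session, 'ART-200'), "\n\n";

// Genuine submission from the rendered form: carries the session token.
$genuine = ['article_id' => 'ART-200', 'csrf_token' => $session[TOKEN_KEY]];
// Cross-site submission: a third-party page cannot read the customer's token,
// so the forged POST arrives with a guessed (here: all-zero) value.
$forged  = ['article_id' => 'ART-999', 'csrf_token' => str_repeat('0', 64)];

$unprotected = $cart;
addToCartUnprotected($unprotected, $forged);   // no token check, so the forgery lands

$protected = $cart;
$okGenuine = addToCartProtected($protected, $session, $genuine);
$okForged  = addToCartProtected($protected, $session, $forged);

printf("unprotected cart: %s\n", json_encode($unprotected));
printf("protected cart:   %s (genuine accepted: %s, forged accepted: %s)\n",
    json_encode($protected), var_export($okGenuine, true), var_export($okForged, true));
```

The token must be unguessable and tied to the session, never derived from data the attacker already has (the pre-conditions above note that the attacker may know the shop, the timing and the article IDs, none of which helps against a random per-session secret). Setting the session cookie with `SameSite=Lax` or `Strict` is a complementary browser-side control, but the server-side check is what removes the dependence on browser behaviour.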

Affected products, releases and platforms

Products:

  • OXID eShop Enterprise Edition (“EE”)
  • OXID eShop Professional Edition (“PE”)
  • OXID eShop Community Edition (“CE”)

Releases:

  • All OXID eShop versions up to 5.3.x (EE) and 4.10.x (PE, CE)
  • All OXID eShop v6 (beta and RC1 versions)

Platforms:

  • All releases are affected on all platforms

Resolution

The issue has already been resolved in the following releases:

  • OXID eShop Enterprise Edition v5.2.10
  • OXID eShop Enterprise Edition v5.3.5
  • OXID eShop Enterprise Edition v6.0.0 RC2 (not released yet)
  • OXID eShop Professional Edition v4.9.10
  • OXID eShop Professional Edition v4.10.5
  • OXID eShop Professional Edition v6.0.0 RC2 (not released yet)
  • OXID eShop Community Edition v4.9.10
  • OXID eShop Community Edition v4.10.5
  • OXID eShop Community Edition v6.0.0 RC2 (not released yet)

Bug tracker entry (in private state until August 16th): https://bugs.oxid-esales.com/view.php?id=6674

Workarounds

As the severity and the potential for data loss or harm are very low, we will not provide a workaround.
Please note that a fix for end-of-life versions will not be provided. Please update your OXID eShop installation.

Credits

Thanks a lot to the ifixit security team, who received this information from a security researcher, validated it and immediately reported it to us.

Stay up-to-date

To receive upcoming OXID Security Bulletins, please subscribe to the RSS feed: http://oxidforge.org/en/shop/development-security/feed.

How to report security issues

Learn how to report security issues on the Security overview page.
