Security Bulletin 2017-001

  in / 
  ,

The following vulnerability has been identified:

Synopsis

Under certain pre-conditions an attacker would be able to hijack the cart session of a client via a Cross-Site Request Forgery (CSRF).

State

  • until now, no 0-day exploit is known
  • resolved, patch releases available

Impact

An attacker could alter a shop customer’s cart content if the following pre-conditions are met:

  • An attacker knows which shop is presently used by the client.
  • An attacker knows the exact time when the customer will add product items to the cart.
  • An attacker knows which product items are already in the cart (has to know their article IDs).
  • An attacker would be able to trick user into clicking a button (submit form) of an e-mail or remote site within the period of visiting the shop and placing an order.

Affected products, releases and platforms

Products:

  • OXID eShop Enterprise Edition (“EE”)
  • OXID eShop Professional Edition (“PE”)
  • OXID eShop Community Edition (“CE”)

Releases:

  • All OXID eShop versions up to 5.3.x (EE) and 4.10.x (PE, CE)
  • All OXID eShop v6 (beta and RC1 versions)

Platforms:

  • All releases are affected on all platforms

Resolution

The issue has already been resolved in the following releases:

  • OXID eShop Enterprise Edition v5.2.10
  • OXID eShop Enterprise Edition v5.3.5
  • OXID eShop Enterprise Edition v6.0.0 RC2 (not released yet)
  • OXID eShop Professional Edition v4.9.10
  • OXID eShop Professional Edition v4.10.5
  • OXID eShop Professional Edition v6.0.0 RC2 (not released yet)
  • OXID eShop Community Edition v4.9.10
  • OXID eShop Community Edition v4.10.5
  • OXID eShop Community Edition v6.0.0 RC2 (not released yet)

Bug tracker entry (in private state until August 16th): https://bugs.oxid-esales.com/view.php?id=6674

Workarounds

As the severity and the potential of data loss or harm is very low, we will not provide a workaround.
Please note that a fix for end-of-life versions will not be provided. Please update your OXID eShop installation.

Credits

Thanks a lot to the ifixit security team, who got this information from a security researcher, validated it and immediately reported it to us.

Stay up-to-date

To receive upcoming OXID Security Bulletins, please subscribe to the RSS feed: http://oxidforge.org/en/shop/development-security/feed.

How to report security issues

Learn how to report security issues in the Security overview page.



You might also like
PHPMailer Logo OXID eShop version 6.0.2
PHPMailer Logo OXID eShop version 4.7.1 (CE + PE) & 5.0.1 (EE)
PHPMailer Logo Security bulletin: 2011-001
PHPMailer Logo OXID eShop version 4.4.5
PHPMailer Logo OXID eShop version 4.1.4
PHPMailer Logo PHPMailer < 5.2.21 Remote Code Execution: OXID eShop is safe!