Security Bulletin 2017-002

The following vulnerability has been identified:

Synopsis

An attacker is able to overflow the shop database over the network and thereby make the shop stop working (denial of service, DoS).

State

  • so far, no 0-day exploit is known
  • resolved, patch releases available

Impact

By crawling specially crafted URLs (“forced browsing”), an attacker is able to overflow the shop's database and this way make the shop stop working. Prerequisite: the shop is configured (via an admin option) to render empty categories on the storefront.
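A defender-side check suggested by the forced-browsing behaviour described above, added here as an example that is not part of this bulletin or of OXID eShop: it scans combined-format web server access logs for clients that request an unusually large number of distinct URLs within a short window, which is the traffic pattern such a crawl produces. The log lines, client addresses, thresholds and the OXID-style category URL pattern are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))

def find_forced_browsing(lines, window_seconds=60, max_distinct=20):
    """Map each client IP that requested more than max_distinct distinct paths
    inside any window_seconds span to the largest such count seen."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ip, ts, path, _status = rec
            by_ip[ip].append((ts, path))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = len({p for _, p in events[start:end + 1]})
            if distinct > max_distinct:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

# Constructed sample log (not real traffic): 203.0.113.7 walks 25 distinct
# category URLs within 25 seconds; 198.51.100.4 browses three pages normally.
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Nov/2017:10:00:{i:02d} +0100] '
    f'"GET /index.php?cl=alist&cnid=cat{i} HTTP/1.1" 200 5120'
    for i in range(25)
] + [
    '198.51.100.4 - - [01/Nov/2017:10:00:05 +0100] "GET / HTTP/1.1" 200 9000',
    '198.51.100.4 - - [01/Nov/2017:10:00:40 +0100] "GET /index.php?cl=alist&cnid=cat1 HTTP/1.1" 200 7000',
    '198.51.100.4 - - [01/Nov/2017:10:01:10 +0100] "GET /index.php?cl=details&anid=a1 HTTP/1.1" 200 8000',
]

if __name__ == "__main__":
    for ip, count in find_forced_browsing(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct paths within 60s")  # prints 203.0.113.7: 25 ...
```

Tune the window and threshold to the shop's normal traffic; flagged clients are candidates for rate limiting while the hotfix is applied, not proof of an attack.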

Affected products, releases and platforms

Products:

  • OXID eShop Enterprise Edition (“EE”)
  • OXID eShop Professional Edition (“PE”)
  • OXID eShop Community Edition (“CE”)

Releases:

  • All OXID eShop versions up to 5.3.x (EE) and 4.10.x (PE, CE)
  • All OXID eShop 6 (up to RC2 versions)

Platforms:

  • All releases are affected on all platforms

Resolution

The issue has already been resolved in the following releases:

  • OXID eShop Enterprise Edition 5.2.11
  • OXID eShop Enterprise Edition 5.3.6
  • OXID eShop Enterprise Edition 6 RC3
  • OXID eShop Professional Edition 4.9.11
  • OXID eShop Professional Edition 4.10.6
  • OXID eShop Professional Edition 6 RC3
  • OXID eShop Community Edition 4.9.11
  • OXID eShop Community Edition 4.10.6
  • OXID eShop Community Edition 6 RC3

Bug tracker entry (in private state until November 2nd): https://bugs.oxid-esales.com/view.php?id=6678

Workarounds

Please download the appropriate hotfix for your OXID eShop version and overwrite the existing files:

  • OXID eShop Enterprise Edition >= 5.0.3 | 5.1.x | 5.2.x | 5.3.x
  • OXID eShop Professional Edition >= 4.7.3 | 4.8.x | 4.9.x | 4.10.x
  • OXID eShop Community Edition >= 4.7.3 | 4.8.x | 4.9.x | 4.10.x

These files will be overwritten by the next update you install. OXID eShop Enterprise and Professional Edition users: please contact support if you have not yet received this information.

Credits

Many thanks to our Professional Services team, namely Gregor Clausen, who found this security issue and immediately reported it.

Stay up-to-date

To receive upcoming OXID Security Bulletins, please subscribe to the RSS feed: http://oxidforge.org/en/shop/development-security/feed.

How to report security issues

Learn how to report security issues on the Security overview page.
