Security Bulletin 2018-001

The following vulnerability has been identified:

Synopsis

An attacker is able to bring servers to a standstill by requesting specially crafted URLs if the OXID High Performance Option is activated and Varnish is used (denial of service, DoS).

State

  • to date, no 0-day exploit is known
  • resolved; patch releases as well as workarounds are available

Impact

By requesting specially crafted URLs, an attacker is able to bring the shop server to a standstill, so that it stops serving requests. This only applies if the OXID High Performance Option is activated and Varnish is used.

Affected products, releases and platforms

Products:

  • OXID eShop Enterprise Edition (“EE”)

Releases:

  • All OXID eShop versions up to 5.3.x
  • All OXID eShop 6 releases (i.e. version 6.0.0)

Platforms:

  • The releases named above are affected on all platforms

Resolution

The issue has already been resolved in the following releases:

  • OXID eShop Enterprise Edition v6.0.1
  • OXID eShop Enterprise Edition v5.3.7

Bug tracker entry (will remain in “private” state): https://bugs.oxid-esales.com/view.php?id=6678

Workarounds

Please apply the following fix in the vcl_recv subroutine of the Varnish default.vcl:

This prevents any widget from being rendered inside another widget, except for oxwarticlebox, which OXID itself uses inside the oxwarticledetails widget. Before applying it, please make sure your shop does not use other nested widgets (i.e. that no widget returns an ESI include).
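As an added illustration of the kind of rule described above (an example written for this page, not the workaround distributed by OXID), the following Varnish VCL caps ESI nesting in vcl_recv. It relies on Varnish's built-in req.esi_level, which is 0 for the client's request, 1 for an include issued by the page and 2 or more for an include issued by another ESI-rendered fragment. It assumes that OXID widget requests carry a cl= controller parameter naming the widget class (cl=oxwarticlebox etc.); that URL pattern is an assumption and must be checked against your own shop's requests.

```vcl
vcl 4.0;

sub vcl_recv {
    # Added example for this bulletin, not OXID's official workaround.
    # Assumption: OXID widget requests are identified by a cl=oxw... parameter.
    # req.esi_level > 1 means this request was triggered by an ESI include
    # inside an already ESI-rendered widget (a "widget in widget").
    if (req.esi_level > 1 && req.url !~ "(\?|&)cl=oxwarticlebox(&|$)") {
        # Refuse nested widget includes except oxwarticlebox, which OXID
        # itself renders inside the oxwarticledetails widget.
        return (synth(403, "Nested widget include not allowed"));
    }
}
```

Requests refused this way appear in varnishlog as synthetic 403 responses, which also gives a simple signal to watch if you want to see whether nested widget includes are being requested at all. Test the rule on a staging instance first: any legitimate nested widget your theme uses besides oxwarticlebox would be blocked as well, which is exactly the caveat the bulletin raises.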

Credits

Many thanks to Timo Terhaar at Laudert, who found this security issue and immediately reported it.

Stay up-to-date

To receive upcoming OXID Security Bulletins, please subscribe to the RSS feed: https://oxidforge.org/en/shop/development-security/feed.

How to report security issues

Learn how to report security issues in the Security overview page.
