Security Bulletin 2018-001

The following vulnerability has been identified:


An attacker who requests specially crafted URLs can bring the shop servers to a standstill (denial of service, DoS). This only applies if the OXID High Performance Option is activated and Varnish is used.


  • So far, no exploit is known
  • Resolved; patch releases as well as a workaround are available


By requesting specially crafted URLs, an attacker can bring the shop server to a standstill so that it stops serving requests. This only applies if the OXID High Performance Option is activated and Varnish is used.

Affected products, releases and platforms


  • OXID eShop Enterprise Edition (“EE”)


  • All OXID eShop versions up to 5.3.x
  • OXID eShop 6 (version 6.0.0)


  • The releases named above are affected on all platforms


The issue has already been resolved in the following releases:

  • OXID eShop Enterprise Edition v6.0.1
  • OXID eShop Enterprise Edition v5.3.7

Bug tracker entry (will remain in “private” state):


As a workaround, add the following rule to the vcl_recv subroutine of your Varnish default.vcl:

# Reject ESI sub-requests nested deeper than one level (req.esi_level is 0 for
# the page, 1 for a widget, 2 for a widget inside a widget), except for the
# oxwarticlebox widget.
if (req.esi_level > 1 && req.url !~ "&cl=oxwarticlebox") {
    return (synth(405, "Not allowed."));
}

This blocks the rendering of any widget nested inside another widget, with the single exception of oxwarticlebox, which OXID itself embeds in the oxwarticledetails widget. Before applying it, make sure your shop does not rely on any other widget-in-widget combination (i.e. none of your own widgets returns a further ESI include), because those requests would be rejected as well. Two details worth checking: the pattern matches "&cl=oxwarticlebox" literally, with a leading ampersand, so verify it against the widget URLs your shop actually emits; and the return (synth(...)) form is Varnish 4 VCL syntax (Varnish 3 used error 405 "Not allowed."; instead).
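To make the mechanism and the rule concrete, here is an added Python simulation of how ESI includes nest and how the vcl_recv rule above cuts the nesting off. This is example code written for this page, not OXID or Varnish code: the backend responses, the widget URLs (constructed with "cl" after another parameter so the "&cl=" pattern can match), and the "chain" widget that includes itself without bound are all made up for the illustration; only the esi_level rule itself is taken from the bulletin. It also shows the failure mode: without the rule, the simulated backend is fetched until its request budget is exhausted.

```python
import re

# Pattern for the ESI include tags the simulated backend emits.
ESI_INCLUDE = re.compile(r'<esi:include\s+src="([^"]+)"\s*/>')
# Same literal pattern as the VCL rule: note the leading '&'.
ALLOWED_NESTED = re.compile(r"&cl=oxwarticlebox")

# Constructed backend responses (not real OXID output). They mirror the
# legitimate chain the bulletin mentions: page -> oxwarticledetails widget
# -> oxwarticlebox widget, i.e. ESI levels 0, 1 and 2.
BACKEND = {
    "/index.php?lang=0&cl=details&anid=a1":
        'product page <esi:include src="/widget.php?lang=0&cl=oxwarticledetails&anid=a1"/>',
    "/widget.php?lang=0&cl=oxwarticledetails&anid=a1":
        'details [<esi:include src="/widget.php?lang=0&cl=oxwarticlebox&anid=a1"/>]',
    "/widget.php?lang=0&cl=oxwarticlebox&anid=a1": "article box",
}


def backend_fetch(url):
    """Hypothetical shop backend. The made-up 'chain' widget answers every
    request with an include of itself one level deeper: an unbounded
    widget-in-widget, the pattern the bulletin's rule exists to cut off."""
    if url in BACKEND:
        return 200, BACKEND[url]
    m = re.fullmatch(r"/widget\.php\?lang=0&cl=chain&depth=(\d+)", url)
    if m:
        nxt = int(m.group(1)) + 1
        return 200, f'<esi:include src="/widget.php?lang=0&cl=chain&depth={nxt}"/>'
    return 404, "not found"


def vcl_recv_patched(url, esi_level):
    """The bulletin's vcl_recv rule: deny anything nested deeper than
    ESI level 1 unless it is the oxwarticlebox widget. Returns a synthetic
    status, or None to let the request through."""
    if esi_level > 1 and not ALLOWED_NESTED.search(url):
        return 405
    return None


def vcl_recv_unpatched(url, esi_level):
    """No nesting limit: every include is passed to the backend."""
    return None


class VarnishSim:
    """Minimal stand-in for Varnish ESI processing: fetch a body, then
    resolve each <esi:include> recursively with esi_level + 1. A rejected
    include is simply omitted from the parent (a simplification)."""

    def __init__(self, recv_rule, backend_budget=64):
        self.recv_rule = recv_rule
        self.backend_budget = backend_budget  # fetches before 'exhaustion'
        self.fetches = 0

    def render(self, url, esi_level=0):
        status = self.recv_rule(url, esi_level)
        if status is not None:
            return status, "Not allowed."
        if self.fetches >= self.backend_budget:
            raise RuntimeError("backend exhausted")  # the DoS outcome
        self.fetches += 1
        status, body = backend_fetch(url)

        def expand(match):
            sub_status, sub_body = self.render(match.group(1), esi_level + 1)
            return sub_body if sub_status == 200 else ""

        return status, ESI_INCLUDE.sub(expand, body)


def simulate(recv_rule, url):
    """Render url under the given vcl_recv rule. Returns (body, fetches),
    with body == 'EXHAUSTED' if the backend budget ran out."""
    sim = VarnishSim(recv_rule)
    try:
        _, body = sim.render(url)
    except RuntimeError:
        return "EXHAUSTED", sim.fetches
    return body, sim.fetches


if __name__ == "__main__":
    page = "/index.php?lang=0&cl=details&anid=a1"
    chain = "/widget.php?lang=0&cl=chain&depth=1"
    print(simulate(vcl_recv_patched, page))      # legitimate chain still renders
    print(simulate(vcl_recv_unpatched, chain))   # unlimited nesting exhausts the backend
    print(simulate(vcl_recv_patched, chain))     # cut off at level 2 after two fetches
```

With the rule in place the legitimate page still renders completely (three backend fetches: page, details widget, article box), while the self-including widget is stopped at ESI level 2 after two fetches instead of running the backend out of capacity. The same harness also shows why the leading ampersand in the pattern matters: a URL of the form "/widget.php?cl=oxwarticlebox&..." does not match "&cl=oxwarticlebox" and would be rejected at level 2.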


Many thanks to Timo Terhaar at Laudert, who found this security issue and reported it immediately.

Stay up-to-date

To receive upcoming OXID Security Bulletins, please subscribe to the RSS feed:

How to report security issues

Learn how to report security issues in the Security overview page.


Trackbacks & Pingbacks

  1. […] Please note that this patch release contains a fix for a security issue with a CVSS of 4.9, only for OXID eShop Enterprise Edition, High Performance Option active and Varnish used. We will hand out more information about it in a few days with the security bulletin 2018-001. […]
