Security Bulletin 2019-001
This article is available in German as well.
- OXID Security Bulletin 2019-001
- CVE Identifier: CVE-2019-13026
- CVSS Score: 7.5
The following vulnerability has been identified:
Synopsis
With a specially crafted URL, an attacker would be able to gain full access to the administration panel.
State
- until now, no 0-day exploit is known
- resolved, patch releases available on July 30th
- workaround available
Impact
An attacker can gain full access to an OXID eShop installation. This includes all shopping cart options, customer data and the database. No interaction between the attacker and the victim is necessary.
Affected products, releases and platforms
Products:
- OXID eShop Enterprise Edition (“EE”)
- OXID eShop Professional Edition (“PE”)
- OXID eShop Community Edition (“CE”)
Releases:
- OXID eShop EE, PE and CE v6.0.0 – v6.0.4
- OXID eShop EE, PE and CE v6.1.0 – v6.1.3
Platforms:
- The releases named above are affected on all platforms
Resolution
The issue has been resolved in the following releases:
- OXID eShop Enterprise Edition v6.1.4
- OXID eShop Professional Edition v6.1.4
- OXID eShop Community Edition v6.1.4
- OXID eShop Enterprise Edition v6.0.5
- OXID eShop Professional Edition v6.0.5
- OXID eShop Community Edition v6.0.5
Bug tracker entry (will remain in “private” state until July 30th): https://bugs.oxid-esales.com/view.php?id=7002
Workarounds
Please note that no fix will be provided for end-of-life versions, as they are not affected. If you run one of the affected versions, please update your OXID eShop to v6.0.5 or v6.1.4 immediately. If you cannot update quickly, you are safe once you apply the workaround described here:
Add the following mod_rewrite rules right after RewriteBase / in source/.htaccess (line 4):
RewriteCond %{QUERY_STRING} \bsorting=[^\&\=]*[^a-z]+[^\&\=]*(\&|$) [NC]
RewriteRule .* - [F]
Use this blocking as a temporary solution only, and upgrade your shop to a supported version as soon as possible.
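To see what the rule above actually refuses before deploying it, here is an added Python check (example code written for this bulletin, not code from OXID): it ports the RewriteCond pattern to Python's re module with the [NC] flag expressed as re.IGNORECASE and evaluates a few constructed query strings the way Apache would.

```python
import re

# Port of the bulletin's RewriteCond pattern. Apache evaluates it with PCRE and
# the [NC] flag, which corresponds to re.IGNORECASE here. The escaped "\&" and
# "\=" inside the character classes are written unescaped, which is equivalent.
SORTING_BLOCK = re.compile(r"\bsorting=[^&=]*[^a-z]+[^&=]*(&|$)", re.IGNORECASE)


def is_blocked(query_string: str) -> bool:
    """True when the RewriteCond matches, i.e. the RewriteRule's [F] flag answers 403."""
    return SORTING_BLOCK.search(query_string) is not None


def classify(query_strings):
    """Map each query string to 'blocked' or 'passed' for a quick review table."""
    return {qs: ("blocked" if is_blocked(qs) else "passed") for qs in query_strings}


if __name__ == "__main__":
    # Constructed query strings; they are illustrative, not taken from a real shop.
    samples = [
        "cl=alist&cnid=abc&sorting=oxtitle",     # letters only: passes
        "sorting=OXPRICE",                       # [NC]: uppercase letters also pass
        "cl=alist&sorting=oxtitle%20desc&pgNr=2",# percent sign and digits: blocked
        "sorting=oxprice,oxtitle",               # comma: blocked
        "xsorting=ox1",                          # \b: 'xsorting' is not the parameter
        "sorting=oxtitle&foo=bar",               # a following parameter does not trigger it
    ]
    for qs, verdict in classify(samples).items():
        print(f"{verdict:8} {qs}")
```

A request whose query string is reported as blocked receives 403 Forbidden from the [F] flag. Note that the condition refuses every sorting value containing any character outside a to z, so legitimate sorting links that carry digits or separators would be refused as well; check the links your storefront generates against the rule before applying it, especially if you set it server-wide.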
Credits
This security issue was found by security researchers at ripstech.com. Also many thanks to SysEleven’s security team for their helping hands.
Stay up-to-date
To receive upcoming OXID Security Bulletins, please subscribe to the RSS feed: https://oxidforge.org/en/shop/development-security/feed.
How to report security issues
Learn how to report security issues in the Security overview page.
FAQ
How do I know if I have been hacked?
There is an admin user you do not know, whose name and e-mail address are unknown to you. You can find this information by executing the following SQL query:
SELECT oxid, oxusername, oxcreate, oxtimestamp FROM oxuser WHERE oxrights='malladmin';
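As an added worked example (not part of the bulletin), the query above is run against a constructed in-memory SQLite copy of the oxuser columns it reads, and the result is compared with the admin addresses you know about and with the date from which you consider the shop exposed. The column names are those of the bulletin's query; the sample rows, addresses and timestamps are made up.

```python
import sqlite3

# Constructed sample rows for the oxuser columns the bulletin's query reads.
# oxid, addresses and timestamps are invented for this example.
SAMPLE_ROWS = [
    # oxid, oxusername, oxrights, oxcreate, oxtimestamp
    ("oxdefaultadmin", "admin@example-shop.test", "malladmin",
     "2018-03-01 10:00:00", "2019-07-01 09:00:00"),
    ("a1b2c3d4e5f60718a1b2c3d4e5f60718", "buyer@example.test", "user",
     "2019-06-20 12:30:00", "2019-06-20 12:30:00"),
    ("ffeeddccbbaa9988ffeeddccbbaa9988", "qwe@mail.example", "malladmin",
     "2019-07-29 03:12:44", "2019-07-29 03:12:44"),
]

# The query from the bulletin, unchanged.
ADMIN_QUERY = ("SELECT oxid, oxusername, oxcreate, oxtimestamp "
               "FROM oxuser WHERE oxrights='malladmin'")


def load_sample_db():
    """Create an in-memory table with the sample rows (stands in for the shop's MySQL database)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE oxuser (oxid TEXT, oxusername TEXT, oxrights TEXT, "
                 "oxcreate TEXT, oxtimestamp TEXT)")
    conn.executemany("INSERT INTO oxuser VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def unknown_admins(conn, known_admin_emails):
    """Return every malladmin row whose username is not on your allowlist."""
    known = {email.lower() for email in known_admin_emails}
    return [row for row in conn.execute(ADMIN_QUERY) if row[1].lower() not in known]


def admins_created_since(conn, since):
    """Return malladmin rows created at or after `since` ('YYYY-MM-DD HH:MM:SS').

    oxcreate is stored in that format, so plain string comparison orders correctly.
    """
    return [row for row in conn.execute(ADMIN_QUERY) if row[2] >= since]


if __name__ == "__main__":
    db = load_sample_db()
    for oxid, username, created, _stamp in unknown_admins(db, ["admin@example-shop.test"]):
        print(f"unknown admin account: {username} (oxid {oxid}, created {created})")
    for oxid, username, created, _stamp in admins_created_since(db, "2019-07-01 00:00:00"):
        print(f"admin created in the review window: {username} ({created})")
```

Against the real shop, run the bulletin's query in your MySQL client and apply the same two checks: an admin address you do not recognise, or an admin created during the period in which the shop was exposed, is the indicator the FAQ describes.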
What can a hacker do?
An attacker will gain administrative rights, and hence the full power of a regular shop admin. This includes changing the shop’s settings, product data, prices and discounts, but also executing PHP code and SQL queries, injecting malicious code into the storefront templates, and obtaining the customer data, including the salted passwords and the salt itself.
What can I do if I have been hacked?
We strongly recommend taking all of the following steps:
Apply workarounds
Apply the workaround proposed in this Security Bulletin 2019-001 in order to stop further attacks.
Backup data and files for investigation
Create local copies of your data and files for later investigation. This includes the application code including extensions, the log files (database server, web server, system, PHP logs, etc.) and a database dump. Upload a clean version of OXID eShop and all the extensions you use. Check the log files for suspicious messages. Check the application and extension code for malicious code. Check the system for backdoors.
Further reading:
- https://blog.sucuri.net/2014/02/php-backdoors-hidden-with-clever-use-of-extract-function.html
- https://web.archive.org/web/20160428212318/https://aw-snap.info/articles/backdoor-examples.php
- http://pentestmonkey.net/tools/web-shells/php-reverse-shell
- https://cheatsheetseries.owasp.org/cheatsheets/PHP_Configuration_Cheat_Sheet.html
Inform your customers
Urge all customers to change their passwords immediately, and also to change that password anywhere else they reused the shop’s password.
Reset the default admin’s password
UPDATE oxuser SET oxusername='###YOUR EMAIL HERE###', oxpassword='xxx' WHERE oxid='oxdefaultadmin';
Then trigger the password reset process in the storefront.
Change SMTP password
Change the SMTP password if set in the administration panel.
Revert unauthorized changes
Revert any changes made to your shop settings (discounts, vouchers, …).
How to stop the leak?
- Apply the workaround proposed in this security bulletin in order to stop further attacks
- Update your OXID eShop installation as soon as possible
How widespread is this?
So far we are not aware of an attack. We informed our customers, partners and friends in advance about the issue, so they could take measures before the issue became public.
Can my web hosting provider detect or block this attack?
Yes: the workaround proposed above in this security bulletin can be set globally in the web server configuration and hence applies to all installations on the server.
Does SSL certificate usage mitigate this?
No, but you should use SSL certificates nevertheless to prevent other attacks.
Using the workaround leaves our site unreachable with error 500. Hm… I’ll try again.