Security Bulletin 2019-001

This article is available in German as well.

The following vulnerability has been identified:

Synopsis

With a specially crafted URL, an attacker can gain full access to the administration panel without any prior authentication.

State

  • so far, no exploit is known to be in circulation
  • resolved, patch releases available on July 30th
  • workaround available

Impact

An attacker can gain full access to an OXID eShop installation. This includes all shopping cart options, customer data and the database. No interaction between the attacker and the victim is necessary.

Affected products, releases and platforms

Products:

  • OXID eShop Enterprise Edition (“EE”)
  • OXID eShop Professional Edition (“PE”)
  • OXID eShop Community Edition (“CE”)

Releases:

  • OXID eShop EE, PE and CE v6.0.0 – v6.0.4
  • OXID eShop EE, PE and CE v6.1.0 – v6.1.3

Platforms:

  • The releases named above are affected on all platforms

Resolution

The issue has been resolved in the following releases:

  • OXID eShop Enterprise Edition v6.1.4
  • OXID eShop Professional Edition v6.1.4
  • OXID eShop Community Edition v6.1.4
  • OXID eShop Enterprise Edition v6.0.5
  • OXID eShop Professional Edition v6.0.5
  • OXID eShop Community Edition v6.0.5

Bug tracker entry (will remain in “private” state until July 30th): https://bugs.oxid-esales.com/view.php?id=7002

Workarounds

Note that no fix will be provided for end-of-life versions, as they are not affected. If you run one of the affected versions, update your OXID eShop to v6.0.5 or v6.1.4 immediately. If you cannot update quickly, you can protect your installation in the meantime by applying the workaround described here:

Add the following mod_rewrite rules to source/.htaccess, directly after the RewriteBase / directive (line 4 in the shipped file):

RewriteCond %{QUERY_STRING} \bsorting=[^\&\=]*[^a-z]+[^\&\=]*(\&|$) [NC]
RewriteRule .* - [F]

The rule answers 403 Forbidden to any request whose raw query string contains a sorting parameter with a character other than a letter. It only takes effect if mod_rewrite is enabled and .htaccess files are honoured (AllowOverride) for the shop directory; installations behind another web server need an equivalent rule there. Use this blocking as a temporary solution only, and upgrade your shop to a supported version as soon as possible.
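To see exactly what the workaround does and does not block, here is the RewriteCond transcribed into Python's re module and run over a few constructed query strings. This is an added example, not code from OXID or from the bulletin; the sample query strings are made up, and the only assumption is that Apache's [NC] flag maps to re.IGNORECASE, which it does for this ASCII pattern.

```python
import re

# The mod_rewrite condition from the bulletin, transcribed into Python's re module.
# Apache's [NC] flag corresponds to re.IGNORECASE. RewriteCond tests the raw,
# still percent-encoded query string, so the samples below are raw as well.
WORKAROUND_PATTERN = re.compile(r"\bsorting=[^\&\=]*[^a-z]+[^\&\=]*(\&|$)", re.IGNORECASE)


def workaround_blocks(query_string: str) -> bool:
    """Return True if the .htaccess workaround would answer 403 for this query string."""
    return WORKAROUND_PATTERN.search(query_string) is not None


def classify(query_strings):
    """Map each raw query string to 'blocked' or 'allowed'."""
    return {qs: ("blocked" if workaround_blocks(qs) else "allowed") for qs in query_strings}


# Constructed sample query strings (not taken from any real request log).
SAMPLES = [
    "cl=alist&cnid=abc&sorting=oxtitle",         # letters only: passes
    "cl=alist&cnid=abc&sorting=oxtitle%20desc",  # '%', '2', '0' are not letters: blocked
    "sorting=a,b",                               # punctuation: blocked
    "SORTING=abc1",                              # [NC] makes the check case-insensitive: blocked
    "cl=alist&mysorting=1",                      # no word boundary before 'sorting': passes
    "cl=alist&my-sorting=1",                     # '-' is a word boundary, so this is caught: blocked
    "sorting=",                                  # empty value, nothing non-letter to match: passes
    "sorting=abc&",                              # a trailing '&' counts as a non-letter: blocked
]

if __name__ == "__main__":
    for qs, verdict in classify(SAMPLES).items():
        print(f"{verdict:8s} {qs}")
```

Two things worth noting from the output: the check is anchored on a word boundary, so a parameter merely containing the word "sorting" (mysorting) is not affected, and because the pattern tests the raw query string, any percent-encoded byte in the value is enough to trigger the block.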

Credits

This security issue was found by security researchers at ripstech.com. Also many thanks to SysEleven’s security team for their helping hands.

Stay up-to-date

To receive upcoming OXID Security Bulletins, please subscribe to the RSS feed: https://oxidforge.org/en/shop/development-security/feed.

How to report security issues

Learn how to report security issues in the Security overview page.

FAQ

If there is an admin user you do not know, you can list every account with administrative rights, together with its login name (the e-mail address) and creation date, by executing the following SQL query:

SELECT oxid, oxusername, oxcreate, oxtimestamp FROM oxuser WHERE oxrights='malladmin';

An attacker gains administrative rights and hence the full power of a regular shop admin. This includes changing the shop's settings, product data, prices and discounts, but also executing PHP code and SQL queries, injecting malicious code into the storefront templates, and obtaining customer data, including the salted password hashes and the salts themselves.

We strongly recommend to take all of the following initiatives:

Apply workarounds

Apply the workaround proposed in this Security Bulletin 2019-001 in order to stop further attacks.

Backup data and files for investigation

Before cleaning anything up, create local copies of your data and files for later investigation: the application code including extensions, the log files (database server, web server, system, PHP logs, etc.) and a database dump. Then reinstall a clean copy of OXID eShop and of every extension you use from trusted sources. Check the log files for suspicious requests, check the application and extension code for malicious code, and check the system for backdoors.

Inform your customers

Urge all customers to change their passwords immediately, and also to change that password anywhere else they re-used it.

Reset the default admin’s password

UPDATE oxuser SET oxusername='###YOUR EMAIL HERE###', oxpassword='xxx' WHERE oxid='oxdefaultadmin';

This sets the default admin's login to your own e-mail address and overwrites the stored password hash with a value that no password will match. Then trigger the password reset process in the storefront for that address.

Change SMTP password

Change the SMTP password if set in the administration panel.

Revert unauthorized changes

Clean your shop settings from any changes (discounts, vouchers, …)

  • Apply the workaround proposed in this security bulletin in order to stop further attacks
  • Update your OXID eShop installation as soon as possible
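The triage steps above (check the logs, look for unknown admin accounts, lock the default admin) can be scripted against the collected evidence. The following is an added example, not OXID's own tooling: it reuses the workaround's condition to hunt retroactively through Apache access log lines that predate the workaround, and runs the bulletin's two SQL statements against an in-memory SQLite stand-in for the MySQL oxuser table. The log lines, account rows, e-mail addresses and IPs are constructed; only the oxuser columns the bulletin's queries touch are modelled.

```python
import re
import sqlite3
from urllib.parse import urlsplit

# Same condition as the .htaccess workaround (Apache [NC] == re.IGNORECASE),
# reused here to find earlier requests the rule would have blocked.
SORTING_PATTERN = re.compile(r"\bsorting=[^\&\=]*[^a-z]+[^\&\=]*(\&|$)", re.IGNORECASE)

# Apache "combined" log format; only the fields needed for triage are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def suspicious_requests(log_lines):
    """Return (ip, timestamp, status, target) for requests whose raw query string
    carries a sorting parameter with non-letter characters."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line in the expected format
        query = urlsplit(m.group("target")).query  # raw, still percent-encoded
        if SORTING_PATTERN.search(query):
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status")), m.group("target")))
    return hits


def build_sample_db():
    """In-memory SQLite stand-in for the MySQL oxuser table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE oxuser (oxid TEXT PRIMARY KEY, oxusername TEXT, oxpassword TEXT,"
        " oxrights TEXT, oxcreate TEXT, oxtimestamp TEXT)"
    )
    conn.executemany(
        "INSERT INTO oxuser VALUES (?, ?, ?, ?, ?, ?)",
        [
            ("oxdefaultadmin", "admin@example.com", "hash-a", "malladmin", "2018-01-10 09:00:00", "2018-01-10 09:00:00"),
            ("u1", "shopowner@example.com", "hash-b", "malladmin", "2018-03-02 12:00:00", "2018-03-02 12:00:00"),
            ("u2", "customer@example.com", "hash-c", "user", "2019-05-20 08:30:00", "2019-05-20 08:30:00"),
            ("u3", "backdoor@example.net", "hash-d", "malladmin", "2019-07-28 03:12:44", "2019-07-28 03:12:44"),
        ],
    )
    return conn


def admin_accounts(conn):
    """The bulletin's query: every account with shop-wide admin rights."""
    return conn.execute(
        "SELECT oxid, oxusername, oxcreate, oxtimestamp FROM oxuser WHERE oxrights='malladmin'"
    ).fetchall()


def unknown_admins(conn, known_usernames):
    """Admin accounts whose login is not on the operator's allowlist."""
    return [row for row in admin_accounts(conn) if row[1] not in known_usernames]


def lock_default_admin(conn, your_email):
    """The bulletin's reset: point the default admin at your own e-mail address and
    overwrite the stored hash with a value no password matches, so the account is
    only usable again after the storefront password reset."""
    cur = conn.execute(
        "UPDATE oxuser SET oxusername=?, oxpassword='xxx' WHERE oxid='oxdefaultadmin'",
        (your_email,),
    )
    conn.commit()
    return cur.rowcount


# Constructed sample log lines; IPs, timestamps and paths are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Jul/2019:22:41:03 +0200] "GET /index.php?cl=alist&cnid=abc&sorting=oxtitle HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [29/Jul/2019:23:05:17 +0200] "GET /index.php?cl=alist&cnid=abc&sorting=oxtitle%2C1 HTTP/1.1" 200 7710 "-" "curl/7.64.1"',
    '203.0.113.7 - - [30/Jul/2019:00:02:51 +0200] "POST /admin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    "garbage line that is not an access log entry",
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious request:", hit)
    db = build_sample_db()
    for row in unknown_admins(db, {"admin@example.com", "shopowner@example.com"}):
        print("unknown admin account:", row)
    print("default admin rows reset:", lock_default_admin(db, "you@example.com"))
```

Run it against the copies you made, never against the live database: the log pass gives you source IPs and timestamps to pivot on (follow-up admin logins from the same address, for instance), and the account pass surfaces any malladmin row you did not create, with its oxcreate date as a first indication of when the compromise happened.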

So far we are not aware of any attack. We informed our customers, partners and friends in advance about the issue, so they could take measures before the issue became public.

The workaround proposed above can also be set globally in the web server configuration and then applies to all installations on the server.

Using SSL/TLS does not protect against this vulnerability, but you should use SSL certificates nevertheless to prevent other attacks.

Replies

  1. This one is really important if you use #oxid6. Please update immediately and/or use the workaround provided at https://oxidforge.org/en/security-bulletin-2019-001.html#workarounds

    There are already several rank growth blog posts and press releases about this vulnerability around in the hacker and security scene. Please secure your #oxid6 ASAP!

    Comments to this thread shall be possible for registered forum members, pls feel free to ask your questions. If unexpectedly impossible, send me a PM, cheers!

Continue the discussion at --> OXID forums


Trackbacks & Pingbacks

  1. […] Critical security vulnerability: Security Bulletins 2019-001 […]

  2. […] responsibly reported their findings to OXID eShops, and the company acknowledged the issue and addressed it with the release of OXID eShop v6.0.5 and 6.1.4 for all three […] (the same excerpt was picked up by several sites under the headline "Critical Flaws in 'OXID eShop' Software Expose eCommerce Sites to Hacking")

  3. […] 6.0.5 or 6.1.4 required, in which the problem has been fixed. Alternatively, OXID provides a provisional stopgap solution […]

  4. […] Researchers at RIPS responsibly reported their findings to OXID eShop; the company acknowledged the issue and addressed it in OXID eShop versions 6.0.5 and 6.1.4 for all three editions. […]

  5. […] a fix. They have acknowledged the vulnerability having CVE identifier CVE-2019-13026 in their security bulletin. According to the vulnerability […]

  6. […] The security warning published yesterday by OXID names versions 6.0.0 to 6.0.4 and 6.1.0 to 6.1.3 as vulnerable. The Community ("CE"), Enterprise ("EE") and Professional ("PE") editions of the shop software are all affected. […]

  7. […] is possible through the use of a specifically crafted URL, the company says in the security bulletin, with no interaction with the […]

  8. […] Security Bulletin 2019-001 […]
