We’d like to inform you that our team has found a critical security issue in OXID eShop all versions and all editions.
This issue has already been fixed, and the fix will be officially released later today, on June 13th 2016
- with OXID eShop Enterprise Edition 5.2.9 and 5.1.12 and
- with OXID eShop Professional and Community Edition version 4.9.9 and 4.8.12.
The corresponding security bulletin will also be published today, June 13th 2016.
Please note that a fix for end-of-life versions (< 4.8.0) will not be provided. There will also be no hotfix for patch releases (for example 4.9.2), please use the cumulative update package instead.
However, you are not directly vulnerable if you apply the two workarounds described below. Applying only one of the workarounds is not sufficient! After you applied these workarounds, please consider to update your installation to a fixed version as soon as possible. Upgrading and applying the security patch to your system is necessary to resolve the issue.
- Protect your admin
Protect your admin/ folder with an .htaccess file that avoids unauthorized browser access to the admin as described here: http://wiki.oxidforge.org/Tutorials/Best_Practice_Security_Actions#eShop-Configuration
- Create a new admin user
Create a new admin user and delete the default one:
- Log in to the admin panel, go to Administer Users -> Users
- Create a new user with admin rights, activate this user and assign him to the user group Store Administrator
- Log out and log in to the admin panel again with the recently created user
- Append this string to your current URL:
&cl=user_list&fnc=deleteentry&oxid=oxdefaultadminand press the Enter key (you will see a fraction of the admin interface then, that’s ok)
- Close your browser, re-open it and log in to the admin panel again with the new admin user
- Check if the originally created admin is gone
Please also consider to watch this short video about how to delete the default admin user in OXID eShop:
Close partners and clients as well as users that we know have already been informed.
As authors of extensions, please check immediately if your products are affected by the fix.
If you have questions they’ll be answered from today on after the patch release in our boards and mailing lists, and there will also be an FAQ list on https://oxidforge.org/en/faq-security-bulletin-2016-001.html.