CVE-2023-38330: Security Bulletins — OXID eSales Documentation
OXID eShop Enterprise Edition 6.5.0 – 6.5.2 before 6.5.3 allows uploading files with modified headers in the administration area. An attacker can upload a file with a modified header to mount an HTTP Response Splitting attack.
Our security bulletins are available in English only.
SECURITY BULLETIN 2023-002
August 01, 2023
CVE Identifier: CVE-2023-38330
CVSS Score: 6.7
SYNOPSIS
The affected versions allow uploading files with modified headers in the administration area.
STATE
The issue is resolved; a patch release has been available since July 25, 2023.
IMPACT
An attacker can upload a file with a modified header to mount an HTTP Response Splitting attack.
AFFECTED PRODUCTS, RELEASES, AND PLATFORMS
Products
- OXID eShop Enterprise Edition
Releases
- 6.5.0 – 6.5.2
Platforms
The releases named above are affected on all platforms.
RESOLUTION
The issue has been resolved in the following releases:
- 6.5.3
Update your shop to the latest version as soon as possible.
Bug tracker entry: https://bugs.oxid-esales.com/view.php?id=7479
CREDITS
The issue was reported by our hosting partner dotfly immediately after it became known.
SECURITY BULLETIN 2023-001
February 28, 2023
CVE Identifier: CVE-2023-26260
CVSS Score: 6.7
SYNOPSIS
The affected versions allow session hijacking in certain conditions.
STATE
The issue is resolved; a patch release has been available since February 21, 2023.
IMPACT
An attacker can get partial access to another customer’s account.
AFFECTED PRODUCTS, RELEASES, AND PLATFORMS
Products
OXID eShop Enterprise Edition
OXID eShop Professional Edition
OXID eShop Community Edition
Releases
6.2
6.3
6.4
6.5.0 – 6.5.1
Platforms
The releases named above are affected on all platforms.
RESOLUTION
The issue has been resolved in the following releases:
6.2, 6.3, 6.4 per module
6.5.2 per patch release
Upgrade your shop to the latest version as soon as possible.
Bug tracker entry: https://bugs.oxid-esales.com/view.php?id=7415
CREDITS
The issue was reported by our hosting partner Qwertiko immediately after it became known.
Phar object injection in PHPMailer – CVE-2018-19296
May 27, 2021
We have been receiving messages claiming that we deliver a vulnerable version of PHPMailer with OXID eShop versions 6.2.4 and 6.3.0 (and earlier) because of CVE-2018-19296.
Impact
After taking a deeper look at the actual impact, we can state that only the method phpmailer::addAttachment() is affected in PHPMailer, and the OXID eShop core installation does not use it at all. However, it might be used in one of your extensions or modules. Please check that and inform/secure your clients accordingly!
Daniel Seifert at D³ Data Development found out that addAttachment() might still be triggered by Email::sendBackupMail(), which seems not to be in use anymore. We are grateful for the hint.
We will deprecate this method as soon as possible.
Workaround
As an unofficial workaround, we can offer this composer command, which installs the latest, fixed PHPMailer version aliased to the version currently required by your installation:
composer info | grep phpmailer/phpmailer | awk '{print "composer require phpmailer/phpmailer:\"v6.4.1 as "$2"\""}' | sh
Security Advisory: Preventing Dependency Confusion in PHP with Composer
March 10, 2021
Recently, Nils Adermann from the Packagist team published the article Preventing Dependency Confusion in PHP with Composer on their blog.
Impact
First off: OXID eShop itself, with the standard installation, is apparently not affected by this vulnerability.
Rather, this is a (strong) security advisory to all third-party module vendors who still use the archaic way of distributing their modules as zip archives, or who do not use Packagist at all.
As you all might know, at least since OXID eShop v6.2.x it is mandatory to install modules via composer.
However, two different options are possible, automatic or manual installation, as described here: docs.oxid-esales.com/developer/en/6.2/development/modules_components_themes/module/installation_setup/installation.html.
Even if a manual installation is necessary (depending on the vendor), composer will still look up on Packagist whether a newer version of the module is available and might use that one instead.
Resolution
There is just one small thing for you to do as a module vendor (completely independent of OXID):
Get yourself a Packagist account and claim your vendor ID before anybody else can do so in your name.
Additionally, register your first module with Packagist; it may contain nothing but the required composer.json file and otherwise be empty. We strongly urge you to do that today, as you are responsible for the safety of your clients and their customers.
Thanks to Daniel at D³ Data Development for letting us know about the gravity of this security risk!
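Added example (not OXID's, Packagist's or PHPMailer's code): a Python audit of composer.lock that covers both advisories above. It flags packages whose first-party vendor prefix was fetched from a host other than the vendor's own repository (the dependency confusion case) and packages below a required version, here phpmailer/phpmailer below the v6.4.1 that the workaround above installs. The vendor name, repository host and lock contents are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed composer.lock excerpt for illustration; not taken from a real shop.
SAMPLE_LOCK = """{
  "packages": [
    {"name": "phpmailer/phpmailer", "version": "v6.0.5",
     "dist": {"type": "zip", "url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/x"}},
    {"name": "myvendor/oxid-module-a", "version": "2.1.0",
     "dist": {"type": "zip", "url": "https://repo.myvendor.example/dist/oxid-module-a-2.1.0.zip"}},
    {"name": "myvendor/oxid-module-b", "version": "99.0.0",
     "dist": {"type": "zip", "url": "https://api.github.com/repos/unknown-user/oxid-module-b/zipball/y"}}
  ]
}"""

# Hosts from which each first-party vendor namespace is expected to be installed (assumption).
EXPECTED_HOSTS = {"myvendor": {"repo.myvendor.example"}}


def parse_version(version):
    """Turn 'v6.0.5' / '6.4.1' into a comparable tuple of ints; non-numeric parts count as 0."""
    parts = []
    for piece in version.lstrip("v").split("-")[0].split("."):
        parts.append(int(piece) if piece.isdigit() else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def package_host(pkg):
    """Host the package was fetched from; dist is checked first, as Composer prefers dist."""
    url = (pkg.get("dist") or pkg.get("source") or {}).get("url", "")
    return (urlparse(url).hostname or "").lower()


def audit_lock(lock_text, expected_hosts, min_versions):
    """Return findings (package, version, reason) for a composer.lock document."""
    findings = []
    for pkg in json.loads(lock_text).get("packages", []):
        name, version = pkg["name"], pkg.get("version", "0")
        vendor = name.split("/", 1)[0]
        # Dependency confusion check: first-party vendor prefix, but fetched from elsewhere.
        if vendor in expected_hosts and package_host(pkg) not in expected_hosts[vendor]:
            findings.append((name, version, "fetched from unexpected host " + package_host(pkg)))
        # Outdated-dependency check, e.g. PHPMailer below the version the workaround above installs.
        if name in min_versions and parse_version(version) < parse_version(min_versions[name]):
            findings.append((name, version, "below required " + min_versions[name]))
    return findings


if __name__ == "__main__":
    for finding in audit_lock(SAMPLE_LOCK, EXPECTED_HOSTS, {"phpmailer/phpmailer": "6.4.1"}):
        print("%s %s: %s" % finding)
```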
Security Bulletin 2019-002
November 5, 2019
CVE Identifier: CVE-2019-17062
CVSS Score: 6.7
Synopsis
With a specially crafted URL, users with administrative rights could unintentionally grant unauthorized users access to the admin panel.
State
Until now, no 0-day exploit is known.
The issue is resolved; patch releases have been available since October 29th.
Workaround is available.
Impact
An attacker could trick a user with administrative rights to click on a malformed URL in order to gain access to the administration panel of OXID eShop.
Affected products, releases, and platforms
Products
OXID eShop Enterprise Edition (“EE”)
OXID eShop Professional Edition (“PE”)
OXID eShop Community Edition (“CE”)
Releases
OXID eShop EE, PE and CE v6.0.0 – v6.0.5
OXID eShop EE, PE and CE v6.1.0 – v6.1.4
OXID eShop EE v5.3.x and 5.2.x
OXID eShop PE and CE v4.10.x and 4.9.x
Platforms
The releases named above are affected on all platforms.
Resolution
The issue has been resolved in the following releases:
OXID eShop Enterprise, Professional & Community Edition v6.1.5
OXID eShop Enterprise, Professional & Community Edition v6.0.6
OXID eShop Enterprise Edition v5.3 and v5.2 (only workaround/hotfix available)
OXID eShop Professional & Community Edition v4.10 and 4.9 (only workaround/hotfix available)
Please note that previous versions might be affected as well.
However, they were not assessed, and no workaround or fix will be provided for them.
Bug tracker entry (will remain in private state until November 5th): https://bugs.oxid-esales.com/view.php?id=7023
Workaround
Download the file from the list according to your OXID eShop version/edition and replace the existing file in your installation:
/source/Application/Controller/Admin/LoginController.php (OXID eShop version >= v6)
Hotfix for OXID eShop Enterprise, Professional & Community Edition v6.1.x (V2)
Hotfix for OXID eShop Enterprise, Professional & Community Edition v6.0.x (V2)
/application/controllers/admin/login.php (OXID eShop version < v6)
Hotfix for OXID eShop Enterprise Edition v5.3.x
Hotfix for OXID eShop Enterprise Edition v5.2.x
Hotfix for OXID eShop Professional Edition v4.10.x
Hotfix for OXID eShop Professional Edition v4.9.x
Hotfix for OXID eShop Community Edition v4.10.x
Hotfix for OXID eShop Community Edition v4.9.x
Use this hotfix in OXID eShop >= v6.x as a temporary solution only.
Upgrade your shop to the latest version as soon as possible. The update will overwrite the hotfix.
Credits
This security issue was found by an IT consultant at ALDI SÜD. Thanks a lot for reporting!
Hotfixes for OXID eShop v4.9, v4.10, v5.2 and v5.3 (Security Issue 2019-002)
October 29, 2019
Today, we published patch releases OXID eShop 6.0.6 and OXID eShop 6.1.5 fixing security issue 2019-002.
Former OXID eShop versions that have not been officially supported for a long time are also affected by this issue.
However, we decided to provide hot fixes as replacement files for series 4.9 and 4.10 (Community and Professional Edition) as well as series 5.2 and 5.3 (Enterprise Edition).
Please note that even older versions might be affected as well.
However, we did not assess them, and no workaround or fix will be provided for them. If you run such an old version, we certainly want to urge you to update.
For more details, see the Security Bulletin 2019-002. It is being prepared and will be published on November 5th to give you some time for fixing your installations.
Security Bulletin 2019-001
July 30, 2019
CVE Identifier: CVE-2019-13026
CVSS Score: 7.5
Synopsis
With a specially crafted URL, an attacker would be able to gain full access to the administration panel.
State
Until now, no 0-day exploit is known.
The issue is resolved; patch releases are available as of July 30th.
A workaround is available.
Impact
An attacker can gain full access to an OXID eShop installation. This includes all shopping cart options, customer data and the database. No interaction between the attacker and the victim is necessary.
Affected products, releases, and platforms
Products
OXID eShop Enterprise Edition (“EE”)
OXID eShop Professional Edition (“PE”)
OXID eShop Community Edition (“CE”)
Releases
OXID eShop EE, PE and CE v6.0.0 – v6.0.4
OXID eShop EE, PE and CE v6.1.0 – v6.1.3
Platforms
The releases named above are affected on all platforms.
Resolution
The issue has been resolved in the following releases:
OXID eShop Enterprise Edition v6.1.4
OXID eShop Professional Edition v6.1.4
OXID eShop Community Edition v6.1.4
OXID eShop Enterprise Edition v6.0.5
OXID eShop Professional Edition v6.0.5
OXID eShop Community Edition v6.0.5
Bug tracker entry (will remain in private state until July 30th): https://bugs.oxid-esales.com/view.php?id=7002
Workarounds
Please note that a fix for end-of-life versions will not be provided as they are not affected.
If you run one of the affected versions, please update your OXID eShop to v6.0.5 or 6.1.4 immediately.
However, in case you can’t update quickly, you are safe if you apply the workaround described here:
Add the following mod_rewrite rules right after RewriteBase / in source/.htaccess, line 4:
RewriteCond %{QUERY_STRING} \bsorting=[^\&\=]*[^a-z]+[^\&\=]*(\&|$) [NC]
RewriteRule .* - [F]
Use this blocking as a temporary solution only. Upgrade your shop to a supported version as soon as possible.
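As an added example, not part of the bulletin: a Python re-implementation of the RewriteCond pattern above, run over constructed Apache access-log lines, so you can check which past requests the rule would have refused and confirm that ordinary listing URLs are unaffected. The log entries, client addresses and timestamps are made up.

```python
import re

# Python equivalent of the RewriteCond pattern above. Apache's [NC] flag makes the match
# case-insensitive, so [^a-z] is spelled out as [^a-zA-Z] here.
SORTING_BLOCK = re.compile(r"\bsorting=[^&=]*[^a-zA-Z]+[^&=]*(&|$)")

# Request line inside a combined-format Apache access log entry.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def is_blocked(query_string):
    """True if the workaround rule would answer 403 for this raw (still percent-encoded) query string."""
    return SORTING_BLOCK.search(query_string) is not None


def find_blocked_requests(log_lines):
    """Return (client, timestamp, url) for log entries the rule would have refused."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, stamp, url = m.groups()
        query = url.partition("?")[2]
        if is_blocked(query):
            hits.append((client, stamp, url))
    return hits


# Constructed access-log lines: a plain column name passes, while any non-letter in the
# sorting value (punctuation or percent-encoded bytes) is refused; other parameters are not inspected.
SAMPLE_LOG = [
    '198.51.100.7 - - [30/Jul/2019:09:12:01 +0200] "GET /index.php?cl=alist&cnid=abc&sorting=oxtitle HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Jul/2019:09:12:09 +0200] "GET /index.php?cl=alist&sorting=oxtitle&pgNr=2 HTTP/1.1" 200 5098 "-" "Mozilla/5.0"',
    '203.0.113.42 - - [30/Jul/2019:09:15:44 +0200] "GET /index.php?cl=alist&sorting=oxprice,oxtitle HTTP/1.1" 200 4877 "-" "curl/7.64.0"',
    '203.0.113.42 - - [30/Jul/2019:09:15:51 +0200] "GET /index.php?cl=alist&sorting=oxtitle%20desc HTTP/1.1" 200 4901 "-" "curl/7.64.0"',
    '192.0.2.10 - - [30/Jul/2019:09:20:00 +0200] "POST /index.php?cl=basket&fnc=add HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, stamp, url in find_blocked_requests(SAMPLE_LOG):
        print(client, stamp, url)
```

Because RewriteCond inspects the raw query string, a percent-encoded space ("%20") already counts as a non-letter and is refused.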
Credits
This security issue was found by security researchers at ripstech.com.
Also, many thanks to SysEleven's security team for their helping hands.
Security Bulletin 2018-003
August 14, 2018
CVE Identifier: CVE-2018-14020
CVSS Score: 4.9
Synopsis
An attacker is able to change the delivery address by bypassing the checkout process when the Paymorrow payment method is used.
State
This security issue was reported to us while working on an incident at a client system.
The issue is resolved, patch releases are available.
Sorry, no workaround possible.
Impact
By bypassing the checkout process, an attacker can circumvent the delivery address validation if the payment module does not use OXID eShop's checkout procedure properly.
In this case it happened to the Paymorrow module, which is regularly delivered with the OXID eShop compilation.
Affected products, releases, and platforms
Products
OXID eShop Enterprise Edition (“EE”)
OXID eShop Professional Edition (“PE”)
OXID eShop Community Edition (“CE”)
Releases
OXID eShop EE v5.2.3 – v5.3.7
OXID eShop PE and CE v4.9.3 – v4.10.7
OXID eShop EE, PE and CE v6.0.0 – v6.0.2
Platforms
The releases named above are affected on all platforms.
Resolution
The issue has already been resolved in the following releases:
OXID eShop Enterprise Edition v6.1.0
OXID eShop Professional Edition v6.1.0
OXID eShop Community Edition v6.1.0
OXID eShop Enterprise Edition v6.0.3
OXID eShop Professional Edition v6.0.3
OXID eShop Community Edition v6.0.3
OXID eShop Enterprise Edition v5.3.8
OXID eShop Professional Edition v4.10.8
OXID eShop Community Edition v4.10.8
Bug tracker entry (will remain in private state until this security bulletin is published): https://bugs.oxid-esales.com/view.php?id=6801
Workarounds
Unfortunately, a workaround cannot be provided.
Credits
Many thanks to our Development Partner digidesk – media solutions who found this security issue and immediately reported it.
Security Bulletin 2018-002
August 14, 2018
CVE Identifier: CVE-2018-12579
CVSS Score: 6.5
Synopsis
An attacker would be able to take over access of a user account by entering an e-mail address similar to an already existing e-mail address in the database when using the password reset function.
State
Until now, no 0-day exploit is known.
The issue is resolved, patch releases as well as a workaround are available.
Impact
By entering a specially crafted e-mail address, an attacker is able to receive the message containing the password change link in their own inbox and this way might take over a user account. This is only possible if the attacker correctly guesses or knows the e-mail address of a shop user and has registered a domain name similar to that of the user's e-mail address. Additionally, it cannot be reproduced in browsers that use punycode.
Affected products, releases, and platforms
Products
OXID eShop Enterprise Edition (“EE”)
OXID eShop Professional Edition (“PE”)
OXID eShop Community Edition (“CE”)
Releases
All OXID eShop versions (EE) up to 5.3.7
All OXID eShop versions (PE and CE) up to 4.10.7
All OXID eShop 6 versions up to 6.0.2
Platforms
The releases named are affected on all platforms.
Resolution
The issue has already been resolved in the following releases:
OXID eShop Enterprise Edition v6.1.0
OXID eShop Professional Edition v6.1.0
OXID eShop Community Edition v6.1.0
OXID eShop Enterprise Edition v6.0.3
OXID eShop Professional Edition v6.0.3
OXID eShop Community Edition v6.0.3
OXID eShop Enterprise Edition v5.3.8
OXID eShop Professional Edition v4.10.8
OXID eShop Community Edition v4.10.8
Bug tracker entry (will remain in private state until the security bulletin is published): https://bugs.oxid-esales.com/view.php?id=6818
Workarounds
OXID eShop 5.3 (EE) & 4.10 (CE, PE)
Find the method sendForgotPwdEmail() around line 719 in core/oxemail.php.
Replace the entire body of the method with this code (the user is looked up by an exact match on the stored user name instead of the previous lookup):
    $result = false;
    $oShop = $this->_addForgotPwdEmail($this->_getShop());
    $sOxId = $this->_getUserIdByUserName($sEmailAddress, $oShop->getId());
    $oUser = oxNew('oxuser');
    if ($sOxId && $oUser->load($sOxId)) {
        // create messages
        $oSmarty = $this->_getSmarty();
        $this->setUser($oUser);
        $this->_processViewArray();
        $this->_setMailParams($oShop);
        $this->setBody($oSmarty->fetch($this->_sForgotPwdTemplate));
        $this->setAltBody($oSmarty->fetch($this->_sForgotPwdTemplatePlain));
        $this->setSubject(($sSubject !== null) ? $sSubject : $oShop->oxshops__oxforgotpwdsubject->getRawValue());
        $sFullName = $oUser->oxuser__oxfname->getRawValue() . " " . $oUser->oxuser__oxlname->getRawValue();
        // the mail goes to the address stored for the user, never to the address that was typed in
        $sRecipientAddress = $oUser->oxuser__oxusername->getRawValue();
        $this->setRecipient($sRecipientAddress, $sFullName);
        $this->setReplyTo($oShop->oxshops__oxorderemail->value, $oShop->oxshops__oxname->getRawValue());
        if (!$this->send()) {
            $result = -1; // failed to send
        } else {
            $result = true; // success
        }
    }
    return $result;
Add a new private method _getUserIdByUserName() at the end of the oxemail.php file (note the leading space in the clauses appended to the query):
    /**
     * @param string $sUserName
     * @param int    $ShopId
     *
     * @return false|string
     */
    private function _getUserIdByUserName($sUserName, $ShopId)
    {
        // exact match on the user name; only active accounts that have a password are considered
        $sSelect = "SELECT `OXID` FROM `oxuser` WHERE `OXACTIVE` = 1 AND `OXUSERNAME` = ? AND `OXPASSWORD` != ''";
        if ($this->getConfig()->getConfigParam('blMallUsers')) {
            $sSelect .= " ORDER BY OXSHOPID = ? DESC";
        } else {
            $sSelect .= " AND OXSHOPID = ?";
        }
        $sOxId = oxDb::getDb()->getOne($sSelect, array($sUserName, $ShopId));
        return $sOxId;
    }
OXID eShop 6.0.x (CE, PE, EE)
Go to the Core/Email.php file and move the line "use oxSystemComponentException;" below "use Exception;" around line 9.
Find the sendForgotPwdEmail() method around line 730.
Replace the entire body of the method with the following code:
    $result = false;
    $shop = $this->_addForgotPwdEmail($this->_getShop());
    $oxid = $this->getUserIdByUserName($emailAddress, $shop->getId());
    $user = oxNew(\OxidEsales\Eshop\Application\Model\User::class);
    if ($oxid && $user->load($oxid)) {
        // create messages
        $smarty = $this->_getSmarty();
        $this->setUser($user);
        $this->_processViewArray();
        $this->_setMailParams($shop);
        $this->setBody($smarty->fetch($this->_sForgotPwdTemplate));
        $this->setAltBody($smarty->fetch($this->_sForgotPwdTemplatePlain));
        $this->setSubject(($subject !== null) ? $subject : $shop->oxshops__oxforgotpwdsubject->getRawValue());
        $fullName = $user->oxuser__oxfname->getRawValue() . " " . $user->oxuser__oxlname->getRawValue();
        // the mail goes to the address stored for the user, never to the address that was typed in
        $recipientAddress = $user->oxuser__oxusername->getRawValue();
        $this->setRecipient($recipientAddress, $fullName);
        $this->setReplyTo($shop->oxshops__oxorderemail->value, $shop->oxshops__oxname->getRawValue());
        if (!$this->send()) {
            $result = -1; // failed to send
        } else {
            $result = true; // success
        }
    }
    return $result;
Add a new private method getUserIdByUserName() at the end of the Email.php file (note the leading space in the clauses appended to the query):
    /**
     * @param string $userName
     * @param int    $shopId
     *
     * @return false|string
     */
    private function getUserIdByUserName($userName, $shopId)
    {
        // exact match on the user name; only active accounts that have a password are considered
        $select = "SELECT `OXID` FROM `oxuser` WHERE `OXACTIVE` = 1 AND `OXUSERNAME` = ? AND `OXPASSWORD` != ''";
        if ($this->getConfig()->getConfigParam('blMallUsers')) {
            $select .= " ORDER BY OXSHOPID = ? DESC";
        } else {
            $select .= " AND OXSHOPID = ?";
        }
        $sOxId = \OxidEsales\Eshop\Core\DatabaseProvider::getDb()->getOne($select, [$userName, $shopId]);
        return $sOxId;
    }
Credits
Many thanks to Hongkun Zeng from Zhejiang University & VULNSPY.com for this report.
Security Bulletin 2018-001
February 12, 2018
CVE Identifier: CVE-2018-5763
CVSS Score: 4.9
Synopsis
An attacker is able to bring servers to a standstill by calling specially crafted URLs if the OXID High Performance Option is activated and Varnish is used (denial of service/DoS).
State
Until now, no 0-day exploit is known.
The issue is resolved, patch releases as well as workarounds are available.
Impact
By entering specially crafted URLs, an attacker is able to bring the shop server to a standstill and hence, it stops working.
This is only valid if OXID High Performance Option is activated and Varnish is used.
Affected products, releases, and platforms
Product
- OXID eShop Enterprise Edition (“EE”)
Releases
All OXID eShop versions up to 5.3.x
OXID eShop 6 (version 6.0.0)
Platforms
The releases named above are affected on all platforms.
Resolution
The issue has been resolved in the following releases:
OXID eShop Enterprise Edition v6.0.1
OXID eShop Enterprise Edition v5.3.7
Bug tracker entry (will remain in “private” state): https://bugs.oxid-esales.com/view.php?id=6678
Workarounds
Apply the following fix inside the vcl_recv subroutine of the Varnish default.vcl:
    if (req.esi_level > 1 && req.url !~ "&cl=oxwarticlebox") {
        return (synth(405, "Not allowed."));
    }
This prevents any widget from being rendered inside another widget, except for oxwarticlebox, which OXID uses inside the oxwarticledetails widget.
However, make sure your shop does not nest other widgets inside a widget (that is, that no widget returns an ESI include).
Credits
Many thanks to Timo Terhaar at Laudert who found this security issue and immediately reported it.