Security-Bulletins

Our security bulletins are available in English only.

Phar object injection in PHPMailer – CVE-2018-19296

May 27, 2021

We have been receiving reports that OXID eShop versions 6.2.4 and 6.3.0 (and earlier) are delivered with a version of PHPMailer that is vulnerable to CVE-2018-19296.

Impact

After taking a closer look at the actual impact, we can state that the only affected PHPMailer method is phpmailer::addAttachment(), which the OXID eShop core installation does not use at all. However, it might be used in one of your extensions or modules. Please check that and inform/secure your clients accordingly!

We are grateful to Daniel Seifert at D³ Data Development, who found out that addAttachment() might still be triggered by Email::sendBackupMail(), which seems not to be in use anymore.

We will deprecate this method as soon as possible.
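
One way to carry out the check requested above is to list every addAttachment() call in your modules and review first those whose path argument is not a fixed string. The following Python script is an added example, not OXID or PHPMailer code; the sample module source and the class name ExampleInvoiceMailer are constructed for illustration.

```python
import re
from pathlib import Path

# "->addAttachment(" or "::addAttachment(" plus the text of the first argument.
# PHP method names are case-insensitive, hence re.IGNORECASE.
CALL_RE = re.compile(r"(?:->|::)\s*addAttachment\s*\(\s*([^,)]*)", re.IGNORECASE)
# A single- or double-quoted string with no variable interpolation.
PLAIN_STRING_RE = re.compile(r"""^(?:'[^']*'|"[^"$]*")$""")

# Constructed sample module source (not taken from any real module).
SAMPLE_MODULE = """<?php
class ExampleInvoiceMailer
{
    public function sendInvoice($mailer, $request)
    {
        // $mailer->addAttachment($ignored);
        $mailer->addAttachment('/var/shop/export/terms.pdf');
        $mailer->AddAttachment($request['file'], 'invoice.pdf');
        $mailer->addAttachment("$this->dir/invoice.pdf");
    }
}
"""


def find_calls(php_source):
    """Return (line_number, kind) for every addAttachment() call.

    kind is "literal" when the path argument is a fixed string and "dynamic"
    otherwise (variable, interpolation, concatenation, argument on the next
    line). Dynamic paths are the call sites to review first.
    """
    hits = []
    for number, line in enumerate(php_source.splitlines(), start=1):
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue  # comment line
        for match in CALL_RE.finditer(line):
            argument = match.group(1).strip()
            kind = "literal" if PLAIN_STRING_RE.match(argument) else "dynamic"
            hits.append((number, kind))
    return hits


def scan_tree(root):
    """Scan all *.php files below root; returns {path: hits} for files with hits."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = find_calls(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


if __name__ == "__main__":
    print(find_calls(SAMPLE_MODULE))
```

Call scan_tree() with the path of your modules directory to get the call sites per file.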

Workaround

As an unofficial workaround, we can offer this composer command to install the latest, fixed PHPMailer version:

composer info | grep phpmailer/phpmailer | awk '{print "composer require phpmailer/phpmailer:\"v6.4.1 as "$2"\""}' | sh

Security Advisory: Preventing Dependency Confusion in PHP with Composer

March 10, 2021

Recently, Nils Adermann from the Packagist team published the article "Preventing Dependency Confusion in PHP with Composer" on their blog.

Impact

First off: OXID eShop itself, with the standard installation, is apparently not affected by this vulnerability.

Rather, this is a (strong) security advisory to all those module vendors who still distribute their modules the archaic way, as zip archives, or do not use the Packagist system at all.

As you all might know, at least since OXID eShop v6.2.x, it is mandatory to install modules via composer.

However, two options are possible, automatic or manual installation, as described here: docs.oxid-esales.com/developer/en/6.2/development/modules_components_themes/module/installation_setup/installation.html.

Even if a manual installation is necessary (depending on the vendor), composer will check Packagist for a newer version of the module and might use that one.

Resolution

There is just one small thing for you to do as a module vendor (completely independent of OXID):

  • Get yourself a Packagist account and secure your vendor ID before anybody else can do so in your name.
  • Additionally, register your first module with Packagist; it may contain nothing but the required composer.json file. We strongly urge you to do that today, as you are responsible for the safety of your clients and their customers.

Thanks to Daniel at D³ Data Development for letting us know about the gravity of this security risk!

Security Bulletin 2019-002

November 5, 2019

CVE Identifier: CVE-2019-17062

CVSS Score: 6.7

Synopsis

With a specially crafted URL, users with administrative rights could unintentionally grant unauthorized users access to the admin panel.

State

  • Until now, no 0-day exploit is known.
  • The issue is resolved; patch releases are available as of October 29th.
  • A workaround is available.

Impact

An attacker could trick a user with administrative rights into clicking on a malformed URL in order to gain access to the administration panel of OXID eShop.

Affected products, releases, and platforms

Products

  • OXID eShop Enterprise Edition (“EE”)
  • OXID eShop Professional Edition (“PE”)
  • OXID eShop Community Edition (“CE”)

Releases

  • OXID eShop EE, PE and CE v6.0.0 – v6.0.5
  • OXID eShop EE, PE and CE v6.1.0 – v6.1.4
  • OXID eShop EE v5.3.x and 5.2.x
  • OXID eShop PE and CE v4.10.x and 4.9.x

Platforms

The releases named above are affected on all platforms.

Resolution

The issue has been resolved in the following releases:

  • OXID eShop Enterprise, Professional & Community Edition v6.1.5
  • OXID eShop Enterprise, Professional & Community Edition v6.0.6
  • OXID eShop Enterprise Edition v5.3 and v5.2 (only workaround/hotfix available)
  • OXID eShop Professional & Community Edition v4.10 and 4.9 (only workaround/hotfix available)

Please note that previous versions might be affected as well.

However, it was not assessed, nor will there be a workaround/fix for them.

Bug tracker entry (will remain in private state until November 5th): https://bugs.oxid-esales.com/view.php?id=7023

Workaround

Download the file from the list according to your OXID eShop version/edition and replace the existing file in your installation:

/source/Application/Controller/Admin/LoginController.php (OXID eShop version >= v6)

  • Hotfix for OXID eShop Enterprise, Professional & Community Edition v6.1.x (V2)
  • Hotfix for OXID eShop Enterprise, Professional & Community Edition v6.0.x (V2)

/application/controllers/admin/login.php (OXID eShop version < v6)

  • Hotfix for OXID eShop Enterprise Edition v5.3.x
  • Hotfix for OXID eShop Enterprise Edition v5.2.x
  • Hotfix for OXID eShop Professional Edition v4.10.x
  • Hotfix for OXID eShop Professional Edition v4.9.x
  • Hotfix for OXID eShop Community Edition v4.10.x
  • Hotfix for OXID eShop Community Edition v4.9.x

Use this hotfix in OXID eShop >= v6.x as a temporary solution only.

Upgrade your shop to the latest version as soon as possible. The update will overwrite the hotfix.

Credits

This security issue was found by an IT consultant at ALDI SÜD. Thanks a lot for reporting!

Hotfixes for OXID eShop v4.9, v4.10, v5.2 and v5.3 (Security Issue 2019-002)

October 29, 2019

Today, we published patch releases OXID eShop 6.0.6 and OXID eShop 6.1.5 fixing security issue 2019-002.

Former OXID eShop versions that have not been officially supported for a long time are also affected by this issue.

However, we decided to provide hotfixes as replacement files for series 4.9 and 4.10 (Community and Professional Edition) as well as series 5.2 and 5.3 (Enterprise Edition).

Please note that even earlier versions might be affected as well.

However, we did not assess them, nor will there be a workaround/fix for them. If you run such an old version, we strongly urge you to update.

For more details, see the Security Bulletin 2019-002. It is being prepared and will be published on November 5th to give you some time for fixing your installations.

Security Bulletin 2019-001

July 30, 2019

This article is available in German as well.

CVE Identifier: CVE-2019-13026

CVSS Score: 7.5

Synopsis

With a specially crafted URL, an attacker would be able to gain full access to the administration panel.

State

  • Until now, no 0-day exploit is known.
  • The issue is resolved; a patch release is available on July 30th.
  • A workaround is available.

Impact

An attacker can gain full access to an OXID eShop installation. This includes all shopping cart options, customer data and the database. No interaction between the attacker and the victim is necessary.

Affected products, releases, and platforms

Products

  • OXID eShop Enterprise Edition (“EE”)
  • OXID eShop Professional Edition (“PE”)
  • OXID eShop Community Edition (“CE”)

Releases

  • OXID eShop EE, PE and CE v6.0.0 – v6.0.4
  • OXID eShop EE, PE and CE v6.1.0 – v6.1.3

Platforms

The releases named above are affected on all platforms.

Resolution

The issue has been resolved in the following releases:

  • OXID eShop Enterprise Edition v6.1.4
  • OXID eShop Professional Edition v6.1.4
  • OXID eShop Community Edition v6.1.4
  • OXID eShop Enterprise Edition v6.0.5
  • OXID eShop Professional Edition v6.0.5
  • OXID eShop Community Edition v6.0.5

Bug tracker entry (will remain in private state until July 30th): https://bugs.oxid-esales.com/view.php?id=7002

Workarounds

Please note that a fix for end-of-life versions will not be provided as they are not affected.

If you run one of the affected versions, please update your OXID eShop to v6.0.5 or 6.1.4 immediately.

However, in case you can’t update quickly, you are safe if you apply the workaround described here:

Add the following mod_rewrite rules right after RewriteBase / in source/.htaccess, line 4:

RewriteCond %{QUERY_STRING} \bsorting=[^\&\=]*[^a-z]+[^\&\=]*(\&|$) [NC]
RewriteRule .* - [F]

Use this blocking rule as a temporary solution only. Upgrade your shop to a supported version as soon as possible.
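
The rule rejects any request whose sorting value contains a character other than a letter, and mod_rewrite tests it against the raw, not URL-decoded, query string. The following Python script is an added example, not OXID code: it ports the pattern and runs it over access-log lines to list the requests the rule matches, which is useful when reviewing logs written before the workaround was in place. The log lines, addresses and parameter values are constructed.

```python
import re

# Python port of the RewriteCond pattern above. [NC] makes the Apache match
# case-insensitive, so the letter class is written out as a-zA-Z here.
RULE_RE = re.compile(r"\bsorting=[^&=]*[^a-zA-Z]+[^&=]*(&|$)", re.IGNORECASE)

# Fields of a combined-format access log line that matter here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed log lines: documentation address ranges, made-up values.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Jul/2019:09:14:02 +0200] '
    '"GET /index.php?cl=alist&sorting=oxtitle HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [29/Jul/2019:09:15:40 +0200] '
    '"GET /index.php?cl=alist&sorting=oxtitle%20desc HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.11 - - [30/Jul/2019:11:02:13 +0200] '
    '"GET /index.php?cl=alist&sorting=OxPrice&pgNr=2 HTTP/1.1" 200 4980 "-" "-"',
    '198.51.100.7 - - [30/Jul/2019:11:03:55 +0200] '
    '"GET /index.php?sorting=a1&cl=alist HTTP/1.1" 403 199 "-" "-"',
    '192.0.2.12 - - [30/Jul/2019:11:04:20 +0200] '
    '"POST /index.php HTTP/1.1" 200 812 "-" "-"',
]


def rule_blocks(query_string):
    """True if the workaround rule would answer this raw query string with 403."""
    return RULE_RE.search(query_string) is not None


def flag_requests(lines):
    """Return (ip, status, query) for each log line the rule matches."""
    flagged = []
    for line in lines:
        entry = LOG_RE.match(line)
        if entry is None:
            continue  # not a combined-format line
        _, _, query = entry.group("target").partition("?")
        if rule_blocks(query):
            flagged.append((entry.group("ip"), int(entry.group("status")), query))
    return flagged


if __name__ == "__main__":
    for ip, status, query in flag_requests(SAMPLE_LOG):
        print(ip, status, query)
```

A flagged entry with status 200 was served before the rule was active and deserves a closer look; status 403 shows the rule doing its job.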

Credits

This security issue was found by security researchers at ripstech.com.

Also, many thanks to SysEleven's security team for their helping hands.

Security Bulletin 2018-003

August 14, 2018

CVE Identifier: CVE-2018-14020

CVSS Score: 4.9

Synopsis

An attacker is able to change the delivery address by bypassing the checkout process when the Paymorrow payment method is used.

State

This security issue was reported to us while working on an incident at a client system.

  • The issue is resolved, patch releases are available.
  • Sorry, no workaround possible.

Impact

By bypassing the checkout process, an attacker can circumvent the actual delivery address validation if the payment module doesn’t use OXID eShop’s checkout procedure properly.

In this case, it affected the Paymorrow module, which is delivered as standard with the OXID eShop compilation.

Affected products, releases, and platforms

Products

  • OXID eShop Enterprise Edition (“EE”)
  • OXID eShop Professional Edition (“PE”)
  • OXID eShop Community Edition (“CE”)

Releases

  • OXID eShop EE v5.2.3 – v5.3.7
  • OXID eShop PE and CE v4.9.3 – v4.10.7
  • OXID eShop EE, PE and CE v6.0.0 – v6.0.2

Platforms

The releases named above are affected on all platforms.

Resolution

The issue has already been resolved in the following releases:

  • OXID eShop Enterprise Edition v6.1.0
  • OXID eShop Professional Edition v6.1.0
  • OXID eShop Community Edition v6.1.0
  • OXID eShop Enterprise Edition v6.0.3
  • OXID eShop Professional Edition v6.0.3
  • OXID eShop Community Edition v6.0.3
  • OXID eShop Enterprise Edition v5.3.8
  • OXID eShop Professional Edition v4.10.8
  • OXID eShop Community Edition v4.10.8

Bug tracker entry (will remain in private state until this security bulletin is published): https://bugs.oxid-esales.com/view.php?id=6801

Workarounds

Unfortunately, a workaround cannot be provided.

Credits

Many thanks to our Development Partner digidesk – media solutions who found this security issue and immediately reported it.

Security Bulletin 2018-002

August 14, 2018

CVE Identifier: CVE-2018-12579

CVSS Score: 6.5

Synopsis

An attacker would be able to take over a user account by entering an e-mail address similar to an already existing e-mail address in the database when using the password reset function.

State

  • Until now, no 0-day exploit is known.
  • The issue is resolved, patch releases as well as a workaround are available.

Impact

By entering a specially crafted e-mail address, an attacker can have the message containing the password-change link delivered to their own inbox and might take over a user account this way. This is only possible if the attacker correctly guesses or knows the e-mail address of a shop user and has registered a domain name similar to the one in the user's e-mail address. Additionally, the issue cannot be reproduced in browsers that use punycode.

Affected products, releases, and platforms

Products

  • OXID eShop Enterprise Edition (“EE”)
  • OXID eShop Professional Edition (“PE”)
  • OXID eShop Community Edition (“CE”)

Releases

  • All OXID eShop versions (EE) up to 5.3.7
  • All OXID eShop versions (PE and CE) up to 4.10.7
  • All OXID eShop 6 versions up to 6.0.2

Platforms

The releases named are affected on all platforms.

Resolution

The issue has already been resolved in the following releases:

  • OXID eShop Enterprise Edition v6.1.0
  • OXID eShop Professional Edition v6.1.0
  • OXID eShop Community Edition v6.1.0
  • OXID eShop Enterprise Edition v6.0.3
  • OXID eShop Professional Edition v6.0.3
  • OXID eShop Community Edition v6.0.3
  • OXID eShop Enterprise Edition v5.3.8
  • OXID eShop Professional Edition v4.10.8
  • OXID eShop Community Edition v4.10.8

Bug tracker entry (will remain in private state until the security bulletin is published): https://bugs.oxid-esales.com/view.php?id=6818

Workarounds

OXID eShop 5.3 (EE) & 4.10 (CE, PE)

  1. Find the method sendForgotPwdEmail() around line 719 in core/oxemail.php.

  2. Replace all the content of the method with this code:

    $result = false;
    $oShop = $this->_addForgotPwdEmail($this->_getShop());
    $sOxId = $this->_getUserIdByUserName($sEmailAddress, $oShop->getId());
    $oUser = oxNew('oxuser');
    if ($sOxId && $oUser->load($sOxId)) {
      // create messages
      $oSmarty = $this->_getSmarty();
      $this->setUser($oUser);
      $this->_processViewArray();
      $this->_setMailParams($oShop);
      $this->setBody($oSmarty->fetch($this->_sForgotPwdTemplate));
      $this->setAltBody($oSmarty->fetch($this->_sForgotPwdTemplatePlain));
      $this->setSubject(($sSubject !== null) ? $sSubject : $oShop->oxshops__oxforgotpwdsubject->getRawValue());
      $sFullName = $oUser->oxuser__oxfname->getRawValue() . " " . $oUser->oxuser__oxlname->getRawValue();
      $sRecipientAddress = $oUser->oxuser__oxusername->getRawValue();
      $this->setRecipient($sRecipientAddress, $sFullName);
      $this->setReplyTo($oShop->oxshops__oxorderemail->value, $oShop->oxshops__oxname->getRawValue());
      if (!$this->send()) {
          $result = -1; // failed to send
      } else {
          $result = true; // success
      }
    }
    return $result;
    
  3. Add a new private method _getUserIdByUserName() at the end of the oxemail.php file:

    /**
     * @param string $sUserName
     * @param int    $ShopId
     *
     * @return false|string
     */
    private function _getUserIdByUserName($sUserName, $ShopId)
    {
      $sSelect = "SELECT `OXID`
        FROM `oxuser`
        WHERE `OXACTIVE` = 1
        AND `OXUSERNAME` = ?
        AND `OXPASSWORD` != ''";
      if ($this->getConfig()->getConfigParam('blMallUsers')) {
          $sSelect .= "ORDER BY OXSHOPID = ? DESC";
      } else {
          $sSelect .= "AND OXSHOPID = ?";
      }
      $sOxId = oxDb::getDb()->getOne(
          $sSelect,
          array(
              $sUserName,
              $ShopId
          )
      );
      return $sOxId;
    }
    

OXID eShop 6.0.x (CE, PE, EE)

  1. Go to the Core/Email.php file and move use oxSystemComponentException; below use Exception; around line 9.

  2. Find the sendForgotPwdEmail() method around line 730.

  3. Replace all the content of the method with the following code:

    $result = false;
    $shop = $this->_addForgotPwdEmail($this->_getShop());
    $oxid = $this->getUserIdByUserName($emailAddress, $shop->getId());
    $user = oxNew(\OxidEsales\Eshop\Application\Model\User::class);
    if ($oxid && $user->load($oxid)) {
          // create messages
          $smarty = $this->_getSmarty();
          $this->setUser($user);
          $this->_processViewArray();
          $this->_setMailParams($shop);
          $this->setBody($smarty->fetch($this->_sForgotPwdTemplate));
          $this->setAltBody($smarty->fetch($this->_sForgotPwdTemplatePlain));
          $this->setSubject(($subject !== null) ? $subject : $shop->oxshops__oxforgotpwdsubject->getRawValue());
          $fullName = $user->oxuser__oxfname->getRawValue() . " " . $user->oxuser__oxlname->getRawValue();
          $recipientAddress = $user->oxuser__oxusername->getRawValue();
          $this->setRecipient($recipientAddress, $fullName);
          $this->setReplyTo($shop->oxshops__oxorderemail->value, $shop->oxshops__oxname->getRawValue());
          if (!$this->send()) {
              $result = -1; // failed to send
          } else {
              $result = true; // success
          }
    }
    return $result;
    
  4. Add a new private method getUserIdByUserName() at the end of the Email.php file.

    /**
     * @param string $userName
     * @param int    $shopId
     *
     * @return false|string
     */
    private function getUserIdByUserName($userName, $shopId)
    {
       $select = "SELECT `OXID`
         FROM `oxuser`
         WHERE `OXACTIVE` = 1
         AND `OXUSERNAME` = ?
         AND `OXPASSWORD` != ''";
       if ($this->getConfig()->getConfigParam('blMallUsers')) {
           $select .= "ORDER BY OXSHOPID = ? DESC";
       } else {
           $select .= "AND OXSHOPID = ?";
       }
       $sOxId = \OxidEsales\Eshop\Core\DatabaseProvider::getDb()->getOne(
           $select,
           [$userName,
            $shopId]
       );
       return $sOxId;
    }
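
In both replacement methods above, the recipient is read from the loaded user record (oxuser__oxusername) rather than from the address typed into the form. The following Python model is an added example, not OXID code, and shows why that matters when the lookup treats two similar addresses as equal. It assumes a lenient comparison, modelled here by a constructed accent-folding collation, and an assumed pre-fix pattern that mails the submitted address; the page states neither detail, and the user row is made up.

```python
import sqlite3
import unicodedata


def _fold(text):
    """Strip accents and case: the constructed stand-in for a lenient comparison."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()


def _lenient(a, b):
    """Collation callback: negative, zero or positive like a three-way compare."""
    fa, fb = _fold(a), _fold(b)
    return (fa > fb) - (fa < fb)


def open_db():
    """In-memory table with one constructed user (not real OXID data)."""
    db = sqlite3.connect(":memory:")
    db.create_collation("LENIENT", _lenient)
    db.execute(
        "CREATE TABLE oxuser (OXID TEXT, OXUSERNAME TEXT COLLATE LENIENT,"
        " OXACTIVE INTEGER, OXPASSWORD TEXT)"
    )
    db.execute("INSERT INTO oxuser VALUES ('u1', 'anna@example.test', 1, 'hash')")
    return db


# Same conditions as the SELECT in the workaround, shop filter left out.
LOOKUP = (
    "SELECT OXID, OXUSERNAME FROM oxuser"
    " WHERE OXACTIVE = 1 AND OXUSERNAME = ? AND OXPASSWORD != ''"
)


def recipient_from_request(db, submitted):
    """Assumed pre-fix pattern: the mail goes to whatever was typed in."""
    row = db.execute(LOOKUP, (submitted,)).fetchone()
    return submitted if row else None


def recipient_from_record(db, submitted):
    """Pattern of the workaround: the mail goes to the stored OXUSERNAME."""
    row = db.execute(LOOKUP, (submitted,)).fetchone()
    return row[1] if row else None


if __name__ == "__main__":
    db = open_db()
    similar = "anna@ex\u00e4mple.test"  # differs from the stored address by one accent
    print(recipient_from_request(db, similar))  # the submitted address
    print(recipient_from_record(db, similar))   # the stored address
```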
    

Credits

Many thanks to Hongkun Zeng from Zhejiang University & VULNSPY.com for this report.

Security Bulletin 2018-001

February 12, 2018

CVE Identifier: CVE-2018-5763

CVSS Score: 4.9

Synopsis

An attacker is able to bring servers to a standstill by calling specially crafted URLs if the OXID High Performance Option is activated and Varnish is used (denial of service/DoS).

State

  • Until now, no 0-day exploit is known.
  • The issue is resolved, patch releases as well as workarounds are available.

Impact

By entering specially crafted URLs, an attacker is able to bring the shop server to a standstill, so that it stops working.

This applies only if the OXID High Performance Option is activated and Varnish is used.

Affected products, releases, and platforms

Product

  • OXID eShop Enterprise Edition (“EE”)

Releases

  • All OXID eShop versions up to 5.3.x
  • OXID eShop 6 (version 6.0.0)

Platforms

The releases named above are affected on all platforms.

Resolution

The issue has been resolved in the following releases:

  • OXID eShop Enterprise Edition v6.0.1
  • OXID eShop Enterprise Edition v5.3.7

Bug tracker entry (will remain in “private” state): https://bugs.oxid-esales.com/view.php?id=6678

Workarounds

Apply the following fix to the vcl_recv state of the Varnish default.vcl:

if (req.esi_level > 1 && req.url !~ "&cl=oxwarticlebox") {
  return (synth(405, "Not allowed."));
}

This prevents any widget from being displayed inside another widget, except for oxwarticlebox, which OXID uses in the oxwarticledetails widget.

However, make sure your shop doesn’t use other widgets inside a widget (i.e. that no widget returns an ESI include).

Credits

Many thanks to Timo Terhaar at Laudert who found this security issue and immediately reported it.