Security-Bulletins

SECURITY BULLETIN 2024-001

February 27, 2024

CVE Identifier: CVE-2024-24821
CVSS Score: 6.0

SYNOPSIS

The package composer/composer with the version >=2.0,<2.2.23 || >=2.3,<2.7 loads arbitrary code from generated files, which allows code execution and possible privilege escalation.

STATE

The issue is resolved, a patch release is available as of February 27, 2024.

IMPACT

An attacker with access to the infrastructure can require compromised packages and use them for code execution and/or privilege escalation.

AFFECTED PRODUCTS, RELEASES, AND PLATFORMS

Products

OXID eShop Enterprise Edition
OXID eShop Professional Edition
OXID eShop Community Edition

Releases

6.2 - 7.0.1

Platforms

The releases named above are affected on all platforms.

RESOLUTION

The issue has been resolved in the following releases:

6.3.3
6.4.4
6.5.4
7.0.2

Update your shop to the latest version as soon as possible.

Bug tracker entry: https://bugs.oxid-esales.com/view.php?id=7600

SECURITY BULLETIN 2023-002

August 01, 2023 CVE Identifier: CVE-2023-38330
CVSS Score: 6.7

SYNOPSIS

The affected versions allow uploading files with modified headers in the administration area.

STATE

The issue is resolved, a patch release is available as of July 25, 2023.

IMPACT

An attacker can upload a file with modified header to create a HTTP Response Splitting attack.

AFFECTED PRODUCTS, RELEASES, AND PLATFORMS

Products

OXID eShop Enterprise Edition

Releases

6.5.0 – 6.5.2

Platforms

The releases named above are affected on all platforms.

RESOLUTION

The issue has been resolved in the following releases:

6.5.3

Update your shop to the latest version as soon as possible.

Bug tracker entry: https://bugs.oxid-esales.com/view.php?id=7479

CREDITS

The issue was reported by our hosting partner dotfly. immediately after it became known.

SECURITY BULLETIN 2023-001

February 28, 2023

CVE Identifier: CVE-2023-26260
CVSS Score: 6.7

SYNOPSIS

The affected versions allow session hijacking in certain conditions.

STATE

The issue is resolved, a patch release is available as of February 21, 2023.

IMPACT

An attacker can get partial access to another customer’s account.

AFFECTED PRODUCTS, RELEASES, AND PLATFORMS

Products

OXID eShop Enterprise Edition
OXID eShop Professional Edition
OXID eShop Community Edition

Releases

6.2
6.3
6.4
6.5.0 – 6.5.1

Platforms

The releases named above are affected on all platforms.

RESOLUTION

The issue has been resolved in the following releases:

6.2, 6.3, 6.4 per module
6.5.2 per patch release

Upgrade your shop to the latest version as soon as possible.

Bug tracker entry: https://bugs.oxid-esales.com/view.php?id=7415

CREDITS

The issue was reported by our hosting partner Qwertiko immediately after it became known.

Phar object injection in PHPMailer – CVE-2018-19296

May 27, 2021

We have been receiving messages that we would deliver a vulnerable version of PHPMailer with OXID eShop versions 6.2.4 and 6.3.0 (and earlier) because of CVE-2018-19296.

Impact

After taking a deeper look at the actual impact, we can state that only method phpmailer::addAttachment() is affected in PHPMailer which is not used by OXID eShop (core installation) at all. However, it might be used in one of your extensions or modules. Please check that and inform/secure your clients accordingly!

Daniel Seifert at D³ Data Development gratefully found out that addAttachment() might still be triggered by Email::sendBackupuMail() which seems not to be in use anymore.

We will deprecate this method as soon as possible.

Workaround

As a non-official workaround, we can offer this composer command in order to install the latest and fixed PHPMailer version:

composer info | grep phpmailer/phpmailer | awk '{print "composer require phpmailer/phpmailer:\"v6.4.1 as "$2"\""}' | sh

Security Advisory: Preventing Dependency Confusion in PHP with Composer

March 10, 2021

Recently, Nils Adermann from Packagist team published the article Preventing Dependency Confusion in PHP with Composer in their blog.

Impact

First off: OXID eShop itself, with the standard installation, is apparently not affected by this vulnerability.

Rather, this is a (strong) security advisory to all of three module vendors who still use the archaic way of distributing their modules as zip archives or do not use the packagist system at all.

As you all might know, at least since OXID eShop v6.2.x, it is mandatory to install modules via composer.

However, there are two different options possible, either automatic or manual installation as described here: docs.oxid-esales.com/developer/en/6.2/development/modules_components_themes/module/installation_setup/installation.html.

Even if a manual installation is necessary (depending on the vendor), composer will look up Packagist if there is a newer version of the module available and might use this one.

Resolution

There is just a little thing to do for you as a module vendor (completely independent from OXID):

Get yourself a Packagist account and save your vendorID before anybody else can do that in your name.
Additionally, register your first module with Packagist, which could only contain the required composer.json file and else be empty. We strongly urge you to do that today, as you are responsible for the safety of your clients and their customers.

Thanks to Daniel at D³ Data Development for letting us know about the gravity of this security risk!

Security Bulletin 2019-002

November 5, 2019

CVE Identifier: CVE-2019-17062

CVSS Score: 6.7

Synopsis

With a specially crafted URL, users with administrative rights could unintentionally grant unauthorized users access to the admin panel.

State

Until now, no 0-day exploit is known.
Issue is resolved, patch releases is available as of October 29th.
Workaround is available.

Impact

An attacker could trick a user with administrative rights to click on a malformed URL in order to gain access to the administration panel of OXID eShop.

Affected products, releases, and platforms

Products

OXID eShop Enterprise Edition (“EE”)
OXID eShop Professional Edition (“PE”)
OXID eShop Community Edition (“CE”)

Releases

OXID eShop EE, PE and CE v6.0.0 – v6.0.5
OXID eShop EE, PE and CE v6.1.0 – v6.1.4
OXID eShop EE v5.3.x and 5.2.x
OXID eShop PE and CE v4.10.x and 4.9.x

Platforms

The releases named above are affected on all platforms.

Resolution

The issue has been resolved in the following releases:

OXID eShop Enterprise, Professional & Community Edition v6.1.5
OXID eShop Enterprise, Professional & Community Edition v6.0.6
OXID eShop Enterprise Edition v5.3 and v5.2 (only workaround/hotfix available)
OXID eShop Professional & Community Edition v4.10 and 4.9 (only workaround/hotfix available)

Please note that previous versions might be affected as well.

However, it was not assessed, nor will there be a workaround/fix for them.

Bug tracker entry (will remain in private state until November 5th): https://bugs.oxid-esales.com/view.php?id=7023

Workaround

Download the file from the list according to your OXID eShop version/edition and replace the existing file in your installation:

/source/Application/Controller/Admin/LoginController.php (OXID eShop version >= v6)

Hotfix for OXID eShop Enterprise, Professional & Community Edition v6.1.x (V2)
Hotfix for OXID eShop Enterprise, Professional & Community Edition v6.0.x (V2)

/application/controllers/admin/login.php (OXID eShop version < v6)

Hotfix for OXID eShop Enterprise Edition v5.3.x
Hotfix for OXID eShop Enterprise Edition v5.2.x
Hotfix for OXID eShop Professional Edition v4.10.x
Hotfix for OXID eShop Professional Edition v4.9.x
Hotfix for OXID eShop Community Edition v4.10.x
Hotfix for OXID eShop Community Edition v4.9.x

Use this hotfix in OXID eShop >= v6.x as a temporary solution only.

Upgrade your shop to the latest version as soon as possible. The update will overwrite the hotfix.

Credits

This security issue was found by an IT consultant at ALDI SÜD. Thanks a lot for reporting!

Hotfixes for OXID eShop v4.9, v4.10, v5.2 and v5.3 (Security Issue 2019-002)

October 29, 2019

Today, we published patch releases OXID eShop 6.0.6 and OXID eShop 6.1.5 fixing security issue 2019-002.

Also, former OXID eShop versions are affected by this leak that are not officially supported any more for actually a long time.

However, we decided to provide hot fixes as replacement files for series 4.9 and 4.10 (Community and Professional Edition) as well as series 5.2 and 5.3 (Enterprise Edition).

Please note that even more previous versions might be affected as well.

However, we did not assess, nor will there be a workaround/fix for them. If you run such an old version, we certainly want to urge you to update.

For more details, see the Security Bulletin 2019-002. It is being prepared and will be published on November 5th to give you some time for fixing your installations.

Security Bulletin 2019-001

July 30, 2019

CVE Identifier: CVE-2019-13026

CVSS Score: 7.5

Synopsis

With a specially crafted URL, an attacker would be able to gain full access to the administration panel.

State

Until now, no 0-day exploit is known.
The issue is resolved, a patch is releases available on July 30th.
A workaround is available.

Impact

An attacker can gain full access to an OXID eShop installation. This includes all shopping cart options, customer data and the database. No interaction between the attacker and the victim is necessary.

Affected products, releases, and platforms

Products

OXID eShop Enterprise Edition (“EE”)
OXID eShop Professional Edition (“PE”)
OXID eShop Community Edition (“CE”)

Releases

OXID eShop EE, PE and CE v6.0.0 – v6.0.4
OXID eShop EE, PE and CE v6.1.0 – v6.1.3

Platforms

The releases named above are affected on all platforms.

Resolution

The issue has been resolved in the following releases:

OXID eShop Enterprise Edition v6.1.4
OXID eShop Professional Edition v6.1.4
OXID eShop Community Edition v6.1.4
OXID eShop Enterprise Edition v6.0.5
OXID eShop Professional Edition v6.0.5
OXID eShop Community Edition v6.0.5

Bug tracker entry (will remain in private state until July 30th): https://bugs.oxid-esales.com/view.php?id=7002

Workarounds

Please note that a fix for end-of-life versions will not be provided as they are not affected.

If you run one of the affected versions, please update your OXID eShop to v6.0.5 or 6.1.4 immediately.

However, in case you can’t update quickly, you are safe if you apply the workaround described here:

Add the following mod_rewrite rules right after RewriteBase / in source/.htaccess, line 4:

RewriteCond %{QUERY_STRING} \bsorting=[^\&\=]*[^a-z]+[^\&\=]*(\&|$) [NC]
RewriteRule .* - [F]

Use this blocking as a temporary solution only. Upgrade your shop to a supported version as soon as possible.

Credits

This security issue was found by security researchers at ripstech.com.

Also, many thanks to SysEleven ’s security team for their helping hands.

Security Bulletin 2018-003

August 14, 2018

CVE Identifier: CVE-2018-14020

CVSS Score: 4.9

Synopsis

An attacker is able to change the delivery address by bypassing the checkout process when using Paymorrow payment method.

State

This security issue was reported to us while working on an incident at a client system.

The issue is resolved, patch releases are available.
Sorry, no workaround possible.

Impact

By bypassing the checkout process, an attacker can overcome the actual delivery address validation if the payment module doesn’t use OXID eShop’s checkout procedure properly.

In this case it happened to the Paymorrow module which is regularly delivered with OXID eShop compilation.

Affected products, releases, and platforms

Products

OXID eShop Enterprise Edition (“EE”)
OXID eShop Professional Edition (“PE”)
OXID eShop Community Edition (“CE”)

Releases

OXID eShop EE v5.2.3 – v5.3.7
OXID eShop PE and CE v4.9.3 – v4.10.7
OXID eShop EE, PE and CE v6.0.0 – v6.0.2

Platforms

The releases named above are affected on all platforms.

Resolution

The issue has already been resolved in the following releases:

OXID eShop Enterprise Edition v6.1.0
OXID eShop Professional Edition v6.1.0
OXID eShop Community Edition v6.1.0
OXID eShop Enterprise Edition v6.0.3
OXID eShop Professional Edition v6.0.3
OXID eShop Community Edition v6.0.3
OXID eShop Enterprise Edition v5.3.8
OXID eShop Professional Edition v4.10.8
OXID eShop Community Edition v4.10.8

Bug tracker entry (will remain in private state until this security bulletin is published): https://bugs.oxid-esales.com/view.php?id=6801

Workarounds

Unfortunately, a workaround cannot be provided.

Credits

Many thanks to our Development Partner digidesk – media solutions who found this security issue and immediately reported it.

Security Bulletin 2018-002

August 14, 2018

CVE Identifier: CVE-2018-12579

CVSS Score 6.5

Synopsis

An attacker would be able to take over access of a user account by entering an e-mail address similar to an already existing e-mail address in the database when using the password reset function.

State

Until now, no 0-day exploit is known.
The issue is resolved, patch releases as well as a workaround are available.

Impact

By entering a specially crafted e-mail address, an attacker is able to receive a message with the link to change the password to his own inbox and this way might take over access of a user account. This is only possible if an attacker correctly guesses or knows the e-mail address of any shop user and has registered a similar domain name like the one of the user e-mail. Additionally, it is not possible to reproduce in browsers that use punycode.

Affected products, releases, and platforms

Products

OXID eShop Enterprise Edition (“EE”)
OXID eShop Professional Edition (“PE”)
OXID eShop Community Edition (“CE”)

Releases

All OXID eShop versions (EE) up to 5.3.7
All OXID eShop versions (PE and CE) up to 4.10.7
All OXID eShop 6 versions up to 6.0.2

Platforms

The releases named are affected on all platforms.

Resolution

The issue has already been resolved in the following releases:

OXID eShop Enterprise Edition v6.1.0
OXID eShop Professional Edition v6.1.0
OXID eShop Community Edition v6.1.0
OXID eShop Enterprise Edition v6.0.3
OXID eShop Professional Edition v6.0.3
OXID eShop Community Edition v6.0.3
OXID eShop Enterprise Edition v5.3.8
OXID eShop Professional Edition v4.10.8
OXID eShop Community Edition v4.10.8

Bug tracker entry (will remain in private state until the security bulletin is published): https://bugs.oxid-esales.com/view.php?id=6818

Workarounds

OXID eShop 5.3 (EE) & 4.10 (CE, PE)

Find the method sendForgotPwdEmail() around line 719 in core/oxemail.php.

Replace all the content of the method with this code:

$result = false;
$oShop = $this->_addForgotPwdEmail($this->_getShop());
$sOxId = $this->_getUserIdByUserName($sEmailAddress, $oShop->getId());
$oUser = oxNew('oxuser');
if ($sOxId && $oUser->load($sOxId)) {
  // create messages
  $oSmarty = $this->_getSmarty();
  $this->setUser($oUser);
  $this->_processViewArray();
  $this->_setMailParams($oShop);
  $this->setBody($oSmarty->fetch($this->_sForgotPwdTemplate));
  $this->setAltBody($oSmarty->fetch($this->_sForgotPwdTemplatePlain));
  $this->setSubject(($sSubject !== null) ? $sSubject : $oShop->oxshops__oxforgotpwdsubject->getRawValue());
  $sFullName = $oUser->oxuser__oxfname->getRawValue() . " " . $oUser->oxuser__oxlname->getRawValue();
  $sRecipientAddress = $oUser->oxuser__oxusername->getRawValue();
  $this->setRecipient($sRecipientAddress, $sFullName);
  $this->setReplyTo($oShop->oxshops__oxorderemail->value, $oShop->oxshops__oxname->getRawValue());
  if (!$this->send()) {
      $result = -1; // failed to send
  } else {
       $result = true; // success
  }
}
return $result;

Add a new private method _getUserIdByUserName() at the end of the oxemail.php file:

/**
* @param string $sUserName
* @param int    $ShopId
*
* @return false|string
*/
private function _getUserIdByUserName($sUserName, $ShopId)
{
  $sSelect = "SELECT `OXID`
    FROM `oxuser`
    WHERE `OXACTIVE` = 1
    AND `OXUSERNAME` = ?
    AND `OXPASSWORD` != ''";
  if ($this->getConfig()->getConfigParam('blMallUsers')) {
      $sSelect .= "ORDER BY OXSHOPID = ? DESC";
  } else {
      $sSelect .= "AND OXSHOPID = ?";
  }
  $sOxId = oxDb::getDb()->getOne(
   $sSelect,
   array(
       $sUserName,
       $ShopId)
  );
  return $sOxId;
}

OXID eShop 6.0.x (CE, PE, EE)

Go to the Core/Email.php file and move use oxSystemComponentException; below use Exception; around line 9.
Find the sendForgotPwdEmail() method around line 730.

Replace all the content of the method with the following code:

$result = false;
$shop = $this->_addForgotPwdEmail($this->_getShop());
$oxid = $this->getUserIdByUserName($emailAddress, $shop->getId());
$user = oxNew(\OxidEsales\Eshop\Application\Model\User::class);
if ($oxid && $user->load($oxid)) {
      // create messages
      $smarty = $this->_getSmarty();
      $this->setUser($user);
      $this->_processViewArray();
      $this->_setMailParams($shop);
      $this->setBody($smarty->fetch($this->_sForgotPwdTemplate));
      $this->setAltBody($smarty->fetch($this->_sForgotPwdTemplatePlain));
      $this->setSubject(($subject !== null) ? $subject : $shop->oxshops__oxforgotpwdsubject->getRawValue());
      $fullName = $user->oxuser__oxfname->getRawValue() . " " . $user->oxuser__oxlname->getRawValue();
      $recipientAddress = $user->oxuser__oxusername->getRawValue();
      $this->setRecipient($recipientAddress, $fullName);
      $this->setReplyTo($shop->oxshops__oxorderemail->value, $shop->oxshops__oxname->getRawValue());
      if (!$this->send()) {
          $result = -1; // failed to send
      } else {
          $result = true; // success
      }
}
return $result;

Add a new private method getUserIdByUserName() at the end of the Email.php file.

 /**
 * @param string $userName
 * @param int    $shopId
 *
 * @return false|string
*/
private function getUserIdByUserName($userName, $shopId)
{
   $select = "SELECT `OXID`
     FROM `oxuser`
     WHERE `OXACTIVE` = 1
     AND `OXUSERNAME` = ?
     AND `OXPASSWORD` != ''";
   if ($this->getConfig()->getConfigParam('blMallUsers')) {
       $select .= "ORDER BY OXSHOPID = ? DESC";
   } else {
       $select .= "AND OXSHOPID = ?";
   }
   $sOxId = \OxidEsales\Eshop\Core\DatabaseProvider::getDb()->getOne(
       $select,
       [$userName,
        $shopId]
   );
   return $sOxId;
}

Credits

Many thanks to Hongkun Zeng from Zhejiang University & VULNSPY.com for this report.

Security Bulletin 2018-001

February 12, 2018

CVE Identifier: CVE-2018-5763

CVSS Score: 4.9

Synopsis

An attacker is able to bring servers to standstill by calling specially crafted URLs if OXID High Performance Option is activated, and Varnish is used (denial of service/DoS).

State

Until now, no 0-day exploit is known.
The issue is resolved, patch releases as well as workarounds are available.

Impact

By entering specially crafted URLs, an attacker is able to bring the shop server to a standstill and hence, it stops working.

This is only valid if OXID High Performance Option is activated and Varnish is used.

Affected products, releases, and platforms

Product

OXID eShop Enterprise Edition (“EE”)

Releases

All OXID eShop versions up to 5.3.x
All OXID eShop 6 (version 6.0.0)

Platforms

The releases named above are affected on all platforms.

Resolution

The issue has been resolved in the following releases:

OXID eShop Enterprise Edition v6.0.1
OXID eShop Enterprise Edition v5.3.7

Bug tracker entry (will remain in “private” state): https://bugs.oxid-esales.com/view.php?id=6678

Workarounds

Apply the following fix to Varnish default.vcl state – vcl_recv:

if (req.esi_level > 1 && req.url !~ "&cl=oxwarticlebox") {
  return (synth(405, "Not allowed."));
}

This prevents from displaying any widget in widget except of oxwarticlebox which OXID uses in oxwarticledetails widget.

However, make sure your shop doesn’t use other widgets in a widget (that no widget returns ESI include).

Credits

Many thanks to Timo Terhaar at Laudert who found this security issue and immediately reported it.