Critical Flaws in 'OXID eShop' Software Expose eCommerce Sites to Hacking

guest · Jul 30, 2019

Critical Flaws in 'OXID eShop' Software Expose eCommerce Sites to Hacking
July 30, 2019
https://thehackernews.com/2019/07/oxid-eshop-ecommerce.html

If your e-commerce website runs on the OXID eShop platform, you need to update it immediately to prevent your site from becoming compromised.

Security researchers at RIPS Technologies GmbH shared their latest findings with The Hacker News, detailing about two critical security vulnerabilities that affect recent versions of Enterprise, Professional, and Community Editions of OXID eShop software.
It should be noted that absolutely no interaction between the attacker and the victim is necessary to execute both vulnerabilities, and the flaws work against the default configuration of e-commerce software.
OXID eShop: SQL Injection Flaw
The first vulnerability, assigned as CVE-2019-13026, is a SQL injection vulnerability that allows an unauthenticated attacker to simply create a new administrator account, with a password of his own choice, on a website running any vulnerable version of OXID eShop software.
Click to expand...

OXID eShop: Remote Code Execution Flaw
The second vulnerability is a PHP Object injection issue, which resides in the administration panel of the OXID eShop software and occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function.

RIPS researchers responsibly reported their findings to OXID eShops, and the company acknowledged the issue and addressed it with the release of OXID eShop v6.0.5 and 6.1.4 for all three Editions.
It appears that the company did not patch the second vulnerability, but simply mitigated it by addressing the first issue. However, in the future, if any admin takeover issue is discovered, it will revive the RCE attacks.
Click to expand...

WARNING: Pre-Auth Takeover of OXID eShops
OXID: Security Bulletin 2019-001

Log in or Sign up

Critical Flaws in 'OXID eShop' Software Expose eCommerce Sites to Hacking

guest Guest

Log in or Sign up

Critical Flaws in 'OXID eShop' Software Expose eCommerce Sites to Hacking

guest Guest

Useful Searches