Experts at RIPS Technologies discovered several flaws in the OXID eShop platform that could be exploited by unauthenticated attackers to compromise eCommerce websites.
OXID eShop is a popular e-commerce software platform used by important brands like Mercedes and Edeka.
Experts discovered two critical security issues that affect recent versions of Enterprise, Professional, and Community Editions of OXID eShop software.
The vulnerabilities could be exploited by an attacker without any user interaction.
The first issue, tracked as CVE-2019-13026, is an SQL injection vulnerability that could be exploited by an unauthenticated attacker to create a new administrator account.
“The eShop software is prone to a SQL Injection which is fully exploitable from an unauthenticated remote session. The exploit requires no specific shop configuration.” reads the report published by RIPS Technologies.
“This means an attacker can pivot via the session variable to inject straight into ORDER
BY
statement of the SQL query. Since the underlying database driver is per default set to PDO, an attacker can make use of stacked queries to insert a brand new admin user with a password of his choice. He can then log into the backend and continue the exploitation process which is described in the following section.”
The researchers published a video Proof-of-Concept that shows the attack
The second flaw in the OXID eShop is a PHP Object injection vulnerability that affects the administration panel of the platform. The vulnerability is caused by the lack of sanitization for user-supplied that being passed to the unserialize() PHP function.
The flaw can be exploited by a remote attacker to execute arbitrary code on the server. Experts pointed out that the exploitation of this flaw requires administrative access to the system that can be obtained triggering the first SQL Injection vulnerability.
“As soon as the adversary has access to the backend, he can escalate his access into a Remote Code Execution by exploiting a PHP Object Injection vulnerability in the import section.” continues the post. “The administrator has the possibility to import articles by uploading a CSV file which is loaded into the $data
array of the following code snippet.”
The expert successfully chained the two issues in a Python2.7 exploit that can be exploited to compromise OXID eShops by just knowing their URL.
The experts published a video that shows the PoC code in action.
Chaining the two flaw, attackers can remotely execute malicious code on the underlying server and take full control over the installation of the eCommerce platform. This means, for example, that attackers can install software skimmer to steal payment card data from visitors.
Below the timeline for the flaws:
Date | Event |
---|---|
11/Dec/2017 | Reported a SQL Injection in OXID 4.10.6 |
18/June/2019 | First contact with vendor |
19/June/2019 | Agreed on communication encryption |
21/June/2019 | Sent vulnerability details |
27/June/2019 | Vendor informs about releasing fix on 30th July |
30/July/2019 | Vendor fixed issue |
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – Marriott, GDPR)
[adrotate banner=”5″]
[adrotate banner=”13″]
The FBI, UK National Crime Agency, and Europol revealed the identity of the admin of…
MITRE published more details on the recent security breach, including a timeline of the attack…
Alexander Vinnik, a Russian operator of virtual currency exchange BTC-e pleaded guilty to participating in…
The City of Wichita in Kansas was forced to shut down its computer systems after…
Resecurity found a massive leak involving the exposure of personally identifiable information (PII) of over…
Finland's Transport and Communications Agency (Traficom) warned about an ongoing Android malware campaign targeting bank…
This website uses cookies.