Hacking eCommerce sites based on OXID eShop by chaining 2 flaws

Researchers at RIPS Technologies discovered vulnerabilities in the OXID eShop platform that could expose eCommerce websites to hack.

Experts at RIPS Technologies discovered several flaws in the OXID eShop platform that could be exploited by unauthenticated attackers to compromise eCommerce websites.

OXID eShop is a popular e-commerce software platform used by important brands like Mercedes and Edeka.

Experts discovered two critical security issues that affect recent versions of Enterprise, Professional, and Community Editions of OXID eShop software.

The vulnerabilities could be exploited by an attacker without any user interaction.

The first issue, tracked as CVE-2019-13026, is an SQL injection vulnerability that could be exploited by an unauthenticated attacker to create a new administrator account.

“The eShop software is prone to a SQL Injection which is fully exploitable from an unauthenticated remote session. The exploit requires no specific shop configuration.” reads the report published by RIPS Technologies.

“This means an attacker can pivot via the session variable to inject straight into ORDER BYstatement of the SQL query. Since the underlying database driver is per default set to PDO, an attacker can make use of stacked queries to insert a brand new admin user with a password of his choice. He can then log into the backend and continue the exploitation process which is described in the following section.”

The researchers published a video Proof-of-Concept that shows the attack

The second flaw in the OXID eShop is a PHP Object injection vulnerability that affects the administration panel of the platform. The vulnerability is caused by the lack of sanitization for user-supplied that being passed to the unserialize() PHP function.

The flaw can be exploited by a remote attacker to execute arbitrary code on the server. Experts pointed out that the exploitation of this flaw requires administrative access to the system that can be obtained triggering the first SQL Injection vulnerability.

“As soon as the adversary has access to the backend, he can escalate his access into a Remote Code Execution by exploiting a PHP Object Injection vulnerability in the import section.” continues the post. “The administrator has the possibility to import articles by uploading a CSV file which is loaded into the $data array of the following code snippet.”

The expert successfully chained the two issues in a Python2.7 exploit that can be exploited to compromise OXID eShops by just knowing their URL.

The experts published a video that shows the PoC code in action.

Chaining the two flaw, attackers can remotely execute malicious code on the underlying server and take full control over the installation of the eCommerce platform. This means, for example, that attackers can install software skimmer to steal payment card data from visitors.

Below the timeline for the flaws:

Date	Event
11/Dec/2017	Reported a SQL Injection in OXID 4.10.6
18/June/2019	First contact with vendor
19/June/2019	Agreed on communication encryption
21/June/2019	Sent vulnerability details
27/June/2019	Vendor informs about releasing fix on 30th July
30/July/2019	Vendor fixed issue

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Marriott, GDPR)

[adrotate banner=”5″]

[adrotate banner=”13″]