Security Bulletin 2009-004

Hi everybody,

As part of a regular audit, a security issue has been identified: specially crafted SQL statements can lead to unauthorized access to the database.

All OXID eShops of versions 2.7.x, 3.x and 4.x are affected; no exploits are known yet.

For version 4.x of the OXID eShop, this security issue has been fixed with version 4.1.6. Please find the appropriate patch here:

The Security Bulletin 2009-004 was published at
http://www.oxidforge.org/wiki/Security_bulletins/2009-004.

Clients of versions 2.7.0.3 and 3.0.4.1 with a support contract will shortly be sent a patch that fixes the security issue. Unfortunately, older versions cannot be supported.

Regards

[QUOTE=Stefan Werner;16141]

Clients of versions 2.7.0.3 and 3.0.4.1 with a support contract will shortly be sent a patch that fixes the security issue. Unfortunately, older versions cannot be supported.

[/QUOTE]

Is it possible to get the patch without a support contract? How much would that be?

Regards

Hi gggbb,

No, unfortunately not.
You may want to turn to our sales department where a solution shall be found.

Regards