OXID Security Bulletin 2009-001: Specially crafted parameter can lead to unauthorized administrative access to shop backend

OXID eSales AG Security Bulletin 2009-001

As part of our regular security audit, the following issue has been identified:

1. Synopsis

Specially crafted parameter can lead to unauthorized administrative access to shop backend.
2. State

Resolved in the upcoming OXID eShop release (see below for details).
A hotfix for the current and older releases is available.
3. Impact

By adding a specially crafted parameter to the URL of the shop backend, unauthorized users may gain administrative privileges. No exploits are known as of today.
4. Affected products, releases and platforms

Products:
OXID eShop Professional Edition
OXID eShop Enterprise Edition
OXID eShop Community Edition

Releases:
4.0.0.0_13895, 4.0.0.0_13934, 4.0.0.0_14260, 4.0.0.1_14455, 4.0.0.2_14842, 4.0.0.2_14967, 4.0.1.0_15990

Platforms:
The above releases are affected on all platforms.
5. Resolution

The issue will be addressed in the following future releases:
OXID eShop Professional Edition version 4.1.0
OXID eShop Enterprise Edition version 4.1.0
OXID eShop Community Edition version 4.1.0

For the currently affected releases, a hotfix is available at http://support.oxid-esales.com/versions/

All users of OXID eShop should install the hotfix immediately.
6. Workaround

There is no workaround. See "Resolution" above.
7. Credits

The security issue was found during one of our regular security audits.