Experts at RIPS Technologies discovered several flaws in the OXID eShop platform that could be exploited by
Experts discovered two critical security issues that affect recent versions of Enterprise, Professional, and Community Editions of OXID eShop software.
The vulnerabilities could be exploited by an attacker without any user interaction.
The first issue, tracked as CVE-2019-13026, is an SQL injection vulnerability that could be exploited by an unauthenticated attacker to create a new administrator account.
“This means an attacker can pivot via the session variable to inject straight into
The researchers published a video Proof-of-Concept that shows the attack
The second flaw in the OXID eShop is a PHP Object injection vulnerability that affects the administration panel of the platform. The vulnerability is caused by the lack of
The flaw can be exploited by a remote attacker to execute arbitrary code on the server. Experts pointed out that the exploitation of this flaw
“As soon as the adversary has access to the backend, he can escalate his access into a Remote Code Execution by exploiting a PHP Object Injection vulnerability in the import section.” continues the post. “The administrator has the possibility to import articles by uploading a CSV file which is loaded into the
$data array of the following code snippet.”
The expert successfully chained the two issues in a Python2.7 exploit that can be exploited to compromise OXID eShops by just knowing their URL.
The experts published a video that shows the PoC code in action.
Chaining the two flaw, attackers can remotely execute malicious code on the underlying server and take full control over the installation of the eCommerce platform. This means, for example, that attackers can install software
Below the timeline
|11/Dec/2017||Reported a SQL Injection in OXID 4.10.6|
|18/June/2019||First contact with vendor|
|19/June/2019||Agreed on communication encryption|
|21/June/2019||Sent vulnerability details|
|27/June/2019||Vendor informs about releasing fix on 30th July|
|30/July/2019||Vendor fixed issue|
(SecurityAffairs – Marriott, GDPR)