OXID eShop eCommerce

If your e-commerce website runs on the OXID eShop platform, you need to update it immediately to prevent your site from becoming compromised.

Cybersecurity researchers have discovered a pair of critical
vulnerabilities in OXID eShop e-commerce software that could allow
unauthenticated attackers to take full control over vulnerable
eCommerce websites remotely in less than a few seconds.

OXID eShop is one of the leading German e-commerce shop software
solutions; its enterprise edition is used by industry leaders
including Mercedes, Bitburger, and Edeka.

Security researchers at RIPS Technologies GmbH shared their latest findings[1] with
The Hacker News, detailing two critical security
vulnerabilities that affect recent versions of the Enterprise,
Professional, and Community Editions of OXID eShop software.

It should be noted that no interaction between the attacker and the
victim is needed to exploit either vulnerability, and both flaws
work against the default configuration of the e-commerce software.

OXID eShop: SQL Injection Flaw

The first vulnerability, assigned as CVE-2019-13026, is a SQL
injection vulnerability that allows an unauthenticated attacker to
simply create a new administrator account, with a password of his
own choice, on a website running any vulnerable version of OXID
eShop software.

“An unauthenticated SQL injection can be exploited when viewing the
details of a product. Since the underlying database makes use of
the PDO database driver, stacked queries can be used to INSERT data
into the database. In our exploit we abuse this to INSERT a new
admin user,” researchers told The Hacker News.

Here’s the proof-of-concept video researchers shared with The Hacker
News, demonstrating this attack.

Although PDO is designed to prevent SQL injection through prepared
statements, SQL commands that are built dynamically from user input
remain injectable, and because the PDO MySQL driver accepts stacked
queries, an injected value can carry an additional statement.
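To make the PDO point concrete, here is an added example (not code from OXID eShop or RIPS) showing a product-details lookup written the injectable way and the hardened way, plus connection options that refuse stacked queries outright; the `products` table, DSN and credentials are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not OXID eShop code. Hypothetical `products` table with
// columns `id` and `title`; DSN and credentials below are placeholders.

// VULNERABLE: the product id from the request is concatenated into the SQL
// text, so no prepared statement is involved and the driver sends whatever
// string results. With the MySQL driver, stacked queries are allowed by
// default, so a crafted id can end the SELECT and append a second statement.
function fetchProductUnsafe(PDO $db, string $productId): ?array
{
    $sql = "SELECT id, title FROM products WHERE id = '" . $productId . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED: the value travels as a bound parameter, never as SQL text, so the
// statement structure cannot change regardless of what the input contains.
function fetchProductSafe(PDO $db, string $productId): ?array
{
    $stmt = $db->prepare('SELECT id, title FROM products WHERE id = :id');
    $stmt->execute([':id' => $productId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Defence in depth: a connection that cannot run stacked queries at all and
// uses server-side prepares (one statement per prepare) instead of client-side
// emulation. MYSQL_ATTR_MULTI_STATEMENTS must be set in the constructor.
function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE                => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES       => false,
        PDO::MYSQL_ATTR_MULTI_STATEMENTS => false,
    ]);
}

// Placeholder connection details; replace with the shop's own configuration.
$db = connect('mysql:host=127.0.0.1;dbname=shop;charset=utf8mb4',
              'shop_user', 'PLACEHOLDER_PASSWORD');
$product = fetchProductSafe($db, (string) ($_GET['id'] ?? ''));
```

Disabling multi-statements is a backstop, not a substitute for parameterised queries: a dynamically built query with the flag off still leaks or alters data through the first statement, it just cannot chain a second one.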

OXID eShop: Remote Code Execution Flaw

The second vulnerability is a PHP Object injection issue, which
resides in the administration panel of the OXID eShop software and
occurs when user-supplied input is not properly sanitized before
being passed to the unserialize() PHP function.
This vulnerability can be exploited to gain remote code execution
on the server; however, it requires administrative access which can
be obtained using the first vulnerability.

“A second vulnerability can then be chained to gain remote code
execution on the server. We have a fully working Python2.7 exploit
which can compromise the OXID eShops directly which requires only
the URL as an argument,” researchers told The Hacker News.

Here’s the video demonstration showing the RCE attack in action.

Once successful, attackers can remotely execute malicious code on
the underlying server, or install their own malicious plugin to
steal users’ credit cards, PayPal account information and any
highly sensitive financial information that passes through the
eShop system, just like MageCart attacks[2].

RIPS researchers responsibly reported their findings to OXID
eShop, and the company acknowledged the issue and addressed[3] it with the release of
OXID eShop v6.0.5 and 6.1.4 for all three editions.

It appears that the company did not patch the second
vulnerability itself, but only mitigated it by fixing the first
issue. If another admin takeover flaw is discovered in the future,
the RCE attack will become viable again.


References

  1. latest findings (blog.ripstech.com)
  2. MageCart attacks (thehackernews.com)
  3. addressed (oxidforge.org)
