Researchers at RIPS Technologies discovered vulnerabilities in the OXID eShop platform that could expose eCommerce websites to hack.

Experts at RIPS Technologies discovered several flaws in the OXID eShop platform that could be exploited by unauthenticated attackers to compromise eCommerce websites.

OXID eShop is a popular e-commerce software platform used by important brands like Mercedes and Edeka.

Experts discovered two critical security issues that affect recent versions of Enterprise, Professional, and Community Editions of OXID eShop software.

The vulnerabilities could be exploited by an attacker without any user interaction.

The first issue, tracked as CVE-2019-13026, is an SQL injection vulnerability that could be exploited by an unauthenticated attacker to create a new administrator account.

“The eShop software is prone to a SQL Injection which is fully exploitable from an unauthenticated remote session. The exploit requires no specific shop configuration.” reads the report published by RIPS Technologies.

“This means an attacker can pivot via the session variable to inject straight into ORDER BY statement of the SQL query. Since the underlying database driver is per default set to PDO, an attacker can make use of stacked queries to insert a brand new admin user with a password of his choice. He can then log into the backend and continue the exploitation process which is described in the following section.”

The researchers published a video Proof-of-Concept that shows the attack

The second flaw in the OXID eShop is a PHP Object injection vulnerability that affects the administration panel of the platform. The vulnerability is caused by the lack of sanitization for user-supplied that being passed to the unserialize ( ) PHP function.

The flaw can be exploited by a remote attacker to execute arbitrary code on the server. Experts pointed out that the exploitation of this flaw requires administrative access to the system that can be obtained triggering the first SQL Injection vulnerability.

“As soon as the adversary has access to the backend, he can escalate his access into a Remote Code Execution by exploiting a PHP Object Injection vulnerability in the import section.” continues the post. “The administrator has the possibility to import articles by uploading a CSV file which is loaded into the $data array of the following code snippet.”

The expert successfully chained the two issues in a Python2.7 exploit that can be exploited to compromise OXID eShops by just knowing their URL.

The experts published a video that shows the PoC code in action.

Chaining the two flaw, attackers can remotely execute malicious code on the underlying server and take full control over the installation of the eCommerce platform. This means, for example, that attackers can install software skimmer to steal payment card data from visitors.

Below the timeline for the flaws:

Date Event 11/Dec/2017 Reported a SQL Injection in OXID 4.10.6 18/June/2019 First contact with vendor 19/June/2019 Agreed on communication encryption 21/June/2019 Sent vulnerability details 27/June/2019 Vendor informs about releasing fix on 30th July 30/July/2019 Vendor fixed issue

Pierluigi Paganini

(SecurityAffairs – Marriott, GDPR)

Share this...

Linkedin Reddit Pinterest

Share On