From OXIDwiki

This bulletin has been assigned a CVE identifier of CVE-2009-3112
Released: February 18th, 2009

As part of our regular security audit, the following issue has been identified:

Contents 1 Synopsis 2 State 3 Impact 4 Affected products, releases and platforms 5 Resolution 6 Workaround 7 Credits 8 Stay up-to-date 9 How to report security issues

Synopsis

Specially crafted parameter can lead to unauthorized administrative access to shop backend.

State

Resolved in upcoming OXID eShop release (see below for details). Hotfix for current and older releases is available.

Impact

By adding a specially crafted parameter to the URL of the shop backend, unauthorized users may gain administrative privileges. No exploits are known as of today.

Affected products, releases and platforms

Products:

• OXID eShop Professional Edition
• OXID eShop Enterprise Edition
• OXID eShop Community Edition

Releases:

• 4.0.0.0_13895, 4.0.0.0_13934, 4.0.0.0_14260, 4.0.0.1_14455, 4.0.0.2_14842, 4.0.0.2_14967, 4.0.1.0_15990

Platforms:

• Above releases are affected on all platforms.

Resolution

The issue will be addressed in the following future releases:

• OXID eShop Professional Edition version 4.1.0
• OXID eShop Enterprise Edition version 4.1.0
• OXID eShop Community Edition version 4.1.0

For the currently affected releases, a hotfix is available at http://support.oxid-esales.com/versions/. All users of OXID eShop should install the hotfix immediately.

Workaround

There is no workaround. See "Resolution" above.

Credits

The security issue has been found during one of our regular security audits.

Stay up-to-date

To receive upcoming OXID Security Bulletins, please subscribe to the mailing lists or the Announcement forum

How to report security issues

Learn how to report security issues in the Security overview page.