Security bulletins/2009-002

OXID eSales AG Security Bulletin 2009-002

This bulletin has been assigned a CVE identifier of CVE-2009-3113
Released: May 11th, 2009

Thanks to our partner Andreas Ziethen, the following issue has been identified:

Synopsis

A specially crafted parameter can lead to unauthorized write access to product reviews in the shop.

State

Resolved in the upcoming OXID eShop release. A fix for the previous major releases will be available soon.

Impact

By adding a specially crafted parameter to the URL of the shop or to the generated e-mail link, unauthorized users may gain write access to product reviews.

No exploits are known as of today.

Affected products, releases and platforms

Products:

  • OXID eShop Professional Edition
  • OXID eShop Enterprise Edition
  • OXID eShop Community Edition

Releases:

  • Professional, Enterprise and Community Edition: 4.0.0.0_13895, 4.0.0.0_13934, 4.0.0.0_14260, 4.0.0.1_14455, 4.0.0.2_14842, 4.0.0.2_14967, 4.0.1.0_15990, 4.1.0-17976, 4.1.1-18442
  • Enterprise Edition: in addition to the above, all 2.x versions
  • Professional Edition: in addition to the above, all 3.x versions

Platforms:

  • Above releases are affected on all platforms.

Note: Releases older than the ones listed above may also be affected. They are considered end of life and will not be supported.

Resolution

The issue will be addressed in the following future releases:

  • OXID eShop Professional Edition version 4.1.2
  • OXID eShop Enterprise Edition version 4.1.2
  • OXID eShop Community Edition version 4.1.2

For the legacy release OXID eShop Professional Edition 3.0.4.1 and Enterprise Edition 2.7.0.3, a separate fix will be made available within two weeks following the release of this security bulletin.

Note: Users of legacy releases older than 2.7.0.3 and 3.0.4.1 must first install the latest update before the fix can be applied.

Credits

The security issue has been found by our partner Andreas Ziethen.
Stay up-to-date

To receive upcoming OXID Security Bulletins, please subscribe to the mailing lists or the Announcement forum.

How to report security issues

Learn how to report security issues in the Security overview page.