Security bulletins/2009-001

This bulletin has been assigned the CVE identifier CVE-2009-3112.

Released: February 18th, 2009

As part of our regular security audit, the following issue has been identified:

= Synopsis =

A specially crafted parameter can lead to unauthorized administrative access to the shop backend.

= State =

Resolved in the upcoming OXID eShop release (see below for details). A hotfix for the current and older releases is available.

= Impact =

By adding a specially crafted parameter to the URL of the shop backend, unauthorized users may gain administrative privileges. No exploits are known as of today.

= Affected products, releases and platforms =

Products:

 * OXID eShop Professional Edition
 * OXID eShop Enterprise Edition
 * OXID eShop Community Edition

Releases:

 * 4.0.0.0_13895, 4.0.0.0_13934, 4.0.0.0_14260, 4.0.0.1_14455, 4.0.0.2_14842, 4.0.0.2_14967, 4.0.1.0_15990

Platforms:

 * The above releases are affected on all platforms.

= Resolution =

The issue will be addressed in the following future releases:

 * OXID eShop Professional Edition version 4.1.0
 * OXID eShop Enterprise Edition version 4.1.0
 * OXID eShop Community Edition version 4.1.0

For the currently affected releases, a hotfix is available at http://support.oxid-esales.com/versions/. All users of OXID eShop should install the hotfix immediately.
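The following is an added example, not part of this bulletin or of the OXID eShop code base: a small check that takes the version string a shop reports and classifies it against the affected-release list above and the 4.1.0 fix release from the Resolution section. It assumes the version strings have the "major.minor.patch.fix_build" form shown in the release list; where the string comes from (an inventory file, a monitoring agent) is left to the operator. Releases below 4.1.0 that are not named in the list are flagged for manual verification rather than declared safe, which is a conservative choice of this example, not a statement from the bulletin.

```python
"""Added example (not part of the OXID bulletin): classify a reported OXID eShop
version string against the releases the bulletin lists for CVE-2009-3112.

Assumptions (not stated by the bulletin): version strings look like
"major.minor.patch.fix_build"; a release below 4.1.0 that is not in the
list is treated as "verify manually" rather than as safe.
"""
import re

# Releases the bulletin names as affected (copied from the bulletin).
AFFECTED_RELEASES = {
    "4.0.0.0_13895", "4.0.0.0_13934", "4.0.0.0_14260", "4.0.0.1_14455",
    "4.0.0.2_14842", "4.0.0.2_14967", "4.0.1.0_15990",
}

# First release series that carries the fix for all three editions.
FIXED_VERSION = (4, 1, 0)

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_(\d+))?$")


def parse_version(text):
    """Split '4.0.0.2_14842' into ((4, 0, 0, 2), 14842); the build may be absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised OXID version string: %r" % text)
    numbers = tuple(int(p) for p in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else None
    return numbers, build


def _pad(numbers, width):
    """Right-pad a version tuple with zeros so tuples of different length compare."""
    return numbers + (0,) * (width - len(numbers))


def classify(version_text):
    """Return 'affected', 'fixed' or 'unlisted-older'.

    'affected'       -> named in the bulletin; install the hotfix.
    'fixed'          -> 4.1.0 or later; carries the fix.
    'unlisted-older' -> below 4.1.0 but not in the bulletin's list;
                        assumption of this example: verify before trusting.
    """
    numbers, _build = parse_version(version_text)
    if version_text.strip() in AFFECTED_RELEASES:
        return "affected"
    width = max(len(numbers), len(FIXED_VERSION))
    if _pad(numbers, width) >= _pad(FIXED_VERSION, width):
        return "fixed"
    return "unlisted-older"


def audit(version_texts):
    """Classify a list of reported versions, e.g. from a fleet inventory."""
    return {v: classify(v) for v in version_texts}


if __name__ == "__main__":
    # Constructed sample inventory, not data from the bulletin.
    sample = ["4.0.0.2_14842", "4.1.0", "4.0.1.1_16000", "4.1.0.0_17000"]
    for version, status in audit(sample).items():
        print(version, status)
```

Run the script directly to see the classification of the constructed sample; in practice, feed `audit()` the version strings collected from each shop instance and treat anything other than "fixed" as a host that needs the hotfix from the link above.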

= Workaround =

There is no workaround. See "Resolution" above.

= Credits =

The security issue has been found during one of our regular security audits.

= Stay up-to-date =

To receive upcoming OXID Security Bulletins, please subscribe to the mailing lists or to the Announcement forum.

= How to report security issues =

Learn how to report security issues in the Security overview page.