Security bulletins/2009-002

This bulletin has been assigned the CVE identifier CVE-2009-3113.

Released: May 11th, 2009

Thanks to our partner Andreas Ziethen, the following issue has been identified:

= Synopsis =

A specially crafted parameter can lead to unauthorized write access to product reviews in the shop.

= State =

Resolved in the upcoming OXID eShop release. A fix for previous major releases will be available soon.

= Impact =

By adding a specially crafted parameter to the URL of the shop or to the generated e-mail link, unauthorized users may gain write access to product reviews.

No exploits are known as of today.

= Affected products, releases and platforms =

Products:

 * OXID eShop Professional Edition
 * OXID eShop Enterprise Edition
 * OXID eShop Community Edition

Releases:

 * Professional, Enterprise and Community Edition: 4.0.0.0_13895, 4.0.0.0_13934, 4.0.0.0_14260, 4.0.0.1_14455, 4.0.0.2_14842, 4.0.0.2_14967, 4.0.1.0_15990, 4.1.0-17976, 4.1.1-18442
 * Enterprise Edition: in addition to the above, all 2.x versions
 * Professional Edition: in addition to the above, all 3.x versions

Platforms:

 * Above releases are affected on all platforms.

Note: Releases older than the ones mentioned may also be affected. They are considered end of life and will not be supported.

= Resolution =

The issue will be addressed in the following future releases:

 * OXID eShop Professional Edition version 4.1.2
 * OXID eShop Enterprise Edition version 4.1.2
 * OXID eShop Community Edition version 4.1.2

For the legacy release OXID eShop Professional Edition 3.0.4.1 and Enterprise Edition 2.7.0.3, a separate fix will be made available within two weeks following the release of this security bulletin.

Note: Users of the legacy < 2.7.0.3 and < 3.0.4.1 releases will first have to install the latest update in order to apply the fix.

= Credits =

The security issue has been found by our partner Andreas Ziethen.

= Stay up-to-date =

To receive upcoming OXID Security Bulletins, please subscribe to the mailing lists or the Announcement forum.

= How to report security issues =

Learn how to report security issues in the Security overview page.