Security bulletins/2010-003

Released: August 25th, 2010

The following issue has been identified:

= Synopsis =

We found that so-called "Reflected XSS Attacks" are possible. Reflected attacks are those where the injected code is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. When a user is tricked into clicking on a malicious link or submitting a specially crafted form, the injected code travels to the vulnerable web server, which reflects the attack back to the user's browser. The browser then executes the code because it came from a "trusted" server. No malicious JavaScript code is stored on the server.

= State =

Resolved in OXID eShop version 4.4.2.

= Impact =

By sending specially crafted JavaScript code, unauthorized users may gain access to another user's session.

No exploits are known as of today.

= Affected products, releases and platforms =

Products:

 * OXID eShop Professional Edition
 * OXID eShop Enterprise Edition
 * OXID eShop Community Edition

Releases:

 * Professional, Enterprise and Community Edition: 4.0.0.0_13895, 4.0.0.0_13934, 4.0.0.0_14260, 4.0.0.1_14455, 4.0.0.2_14842, 4.0.0.2_14967, 4.0.1.0_15990, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.4.0 and 4.4.1

Platforms:

 * Above releases are affected on all platforms.

Note: Releases older than the ones mentioned may be affected as well. They are considered end of life and will not be supported further.

= Resolution =

The issue has been addressed in the following releases:

 * OXID eShop Professional Edition version 4.4.2
 * OXID eShop Enterprise Edition version 4.4.2
 * OXID eShop Community Edition version 4.4.2

Note: Users of the legacy <= 2.7.0.3 and <= 3.0.4.1 releases will not be provided with a fix. These versions are considered end of life and will not be supported further.

== Workaround ==

For all users with any edition and version of OXID eShop it is highly recommended to protect the admin panel with .htaccess protection. Read more about .htaccess and other server-side precautions in this tutorial: http://wiki.oxidforge.org/Tutorials/Best_Practice_Security_Actions
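An example of the recommended .htaccess protection for the admin panel, added here and not taken from the bulletin or the OXID project. It assumes the admin panel is served from the admin/ directory of the shop root, Apache 2.4 with mod_auth_basic and mod_authz_core, a password file created with htpasswd outside the web root, and a constructed staff network range; the directory name, file path and IP range are assumptions.

```apache
# admin/.htaccess (added example; paths and the IP range are assumptions)
# Takes effect only if the shop's document root allows "AllowOverride AuthConfig".

# Before: no directory-level control; only the application's own login
# stands between a visitor and the admin panel.

# After: a visitor must come from an allowed network AND present valid
# HTTP Basic credentials before Apache hands the request to PHP at all.
AuthType Basic
AuthName "OXID eShop administration"
# Created outside the web root with:
#   htpasswd -c /etc/apache2/oxid-admin.htpasswd shopadmin
AuthUserFile /etc/apache2/oxid-admin.htpasswd

<RequireAll>
    # constructed example range: replace with the network your staff uses
    Require ip 192.0.2.0/24
    Require valid-user
</RequireAll>
```

Keep the password file outside the document root so it is never served. This limits who can reach the admin panel; it does not change how the affected releases reflect request input, so upgrading to 4.4.2 remains the fix.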

= Credits =

Many thanks to Heiko Frenzel for the hint!

= Stay up-to-date =

To receive upcoming OXID Security Bulletins, please subscribe to the mailing lists or the Announcement forum.

= How to report security issues =

Learn how to report security issues in the Security overview page.