Anyone whose e-commerce website runs on the OXID eShop platform should update it immediately to keep the site from being compromised.
Cybersecurity researchers at RIPS Technologies GmbH have found a pair of critical vulnerabilities in the OXID eShop e-commerce software that could let unauthenticated attackers take full control of a vulnerable e-commerce website remotely within seconds.
OXID eShop is one of the leading German e-commerce shop software products; its Enterprise Edition is used by industry leaders such as Mercedes, BitBurger and Edeka.
The researchers detailed two critical security vulnerabilities affecting the latest versions of the Enterprise, Professional and Community Editions of OXID eShop.
Notably, neither flaw requires any interaction between the attacker and the victim, and both work against the default configuration of the software.
SQL Injection Flaw
The first vulnerability, tracked as CVE-2019-13026, is a SQL injection flaw that permits an unauthenticated attacker to create a new administrator account with a password of their choice on any website running a vulnerable version of OXID eShop.
The Proof-of-Concept video demonstrating this attack is shown below:
Remote Code Execution Flaw
The second vulnerability is a PHP object injection issue in the administration panel of OXID eShop. It occurs when user-supplied input is passed to PHP's unserialize() function without proper sanitization.
Exploiting it gives an attacker remote code execution on the server, but it requires administrative access, which can be obtained through the first vulnerability.
The video demonstration of the RCE attack in action is below:
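To make the unserialize() pattern concrete, here is an added illustration in hypothetical PHP (not OXID eShop's own code) of a request parameter reaching unserialize() unchanged, beside two hardened alternatives; the Exporter class, the loadFilter* functions and the serialized payload are all constructed for this example.

```php
<?php
// Hypothetical code, not OXID eShop's: shows why unsanitized input into
// unserialize() is an object injection and how to shut it down.

// Any class with a "magic" method turns unserialize() into a code path the
// caller never intended: PHP runs __wakeup()/__destruct() on reconstructed objects.
class Exporter {
    public $tmpFile = '';
    public function __destruct() {
        // A real class might unlink($this->tmpFile) here; we only report it.
        echo "Exporter::__destruct ran with tmpFile=" . $this->tmpFile . "\n";
    }
}

// Vulnerable pattern: the request value decides which class is instantiated.
function loadFilterVulnerable(string $userInput) {
    return unserialize($userInput);
}

// Hardened pattern 1: keep the format but forbid object reconstruction.
function loadFilterHardened(string $userInput): array {
    $data = unserialize($userInput, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('filter must be a serialized array');
    }
    return $data;
}

// Hardened pattern 2 (preferred): a data format that cannot name classes at all.
function loadFilterJson(string $userInput): array {
    $data = json_decode($userInput, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('filter must be a JSON object');
    }
    return $data;
}

// Constructed sample input: a serialized Exporter where an array was expected.
$payload = 'O:8:"Exporter":1:{s:7:"tmpFile";s:13:"/tmp/export-1";}';

$obj = loadFilterVulnerable($payload);      // an Exporter is created from user input
unset($obj);                                // __destruct() fires with attacker-chosen data

try {
    loadFilterHardened($payload);           // yields __PHP_Incomplete_Class, rejected
} catch (InvalidArgumentException $e) {
    echo "hardened: " . $e->getMessage() . "\n";   // no destructor ever runs
}
$ok = loadFilterJson('{"category":"shoes","sort":"price"}');  // plain data only
```

With allowed_classes set to false, a serialized object becomes a __PHP_Incomplete_Class whose magic methods never execute, which is the property a defender wants even before the input is validated.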
After successfully exploiting the vulnerabilities, attackers can remotely execute malicious code on the server or install a malicious plugin of their own to steal users' financial details, such as credit card numbers, PayPal account information and other sensitive data passing through the eShop system.
The researchers reported their findings to OXID, which acknowledged the issues and addressed them with the release of OXID eShop v6.0.5 and 6.1.4 for all three Editions.
The company did not, however, patch the second vulnerability itself; it mitigated it by fixing the first issue, on which the exploit relies for administrative access.