OXID eShop Used by Mercedes Fixes Remote Takeover Security Bug


The OXID e-commerce platform today released an update for its software fixing a remote takeover vulnerability that can be exploited without authentication.

The web shop has over 500,000 downloads and is a popular solution in Germany, used by big names like Mercedes to sell used car parts that have been tested and come with a warranty.

The right URL and seconds to spare

An attacker would need mere seconds to leverage the security flaw in OXID eShop software and get full access to the administration panel of a vulnerable site.

This is possible by using a specially crafted URL, the company says in the security bulletin, with no interaction from the victim.

Credited with the discovery of the flaw, now tracked as CVE-2019-13026, are researchers from web application security company RIPS Tech, who disclosed the bug responsibly.

In a conversation with BleepingComputer, a spokesperson for RIPS Tech said that the researchers have created “a completely working Python2.7 exploit which may compromise the OXID eShops instantly;” the attacker would only need to provide the URL of the target.

To demonstrate their finding, the researchers shared a video showing how quickly a threat actor could gain access to the OXID eShop administration panel.


With a severity score of 7.5, the security flaw can be exploited on OXID eShop websites running with a default configuration and could allow access to shopping cart options, customer data, and the site’s database.

Patch and workaround are available

All editions of OXID eShop (Enterprise, Professional, Community) are affected, versions 6.0.0 through 6.0.4, and 6.1.0 through 6.1.3. The developer patched the bug in OXID eShop 6.0.5 and 6.1.4, respectively.

Administrators are advised to update their installations immediately. If this is not possible, a temporary solution is available, by modifying the source/.htaccess file to include the following rewrite rules after RewriteBase, line 4:

RewriteCond %{QUERY_STRING} \bsorting=[^&=]*[^a-z]+[^&=]*(&|$) [NC]
RewriteRule .* - [F]
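The workaround above rejects (HTTP 403, the [F] flag) any request whose query string carries a sorting= parameter containing a character other than a letter; [NC] makes the match case-insensitive. The following is an added example, not code from OXID or from this article, that reproduces the rule's regular expression in Python so an administrator can check which query strings the workaround would block before deploying it. It assumes only that Python's re module approximates Apache's PCRE semantics for this pattern; the sample query strings are constructed for the test and are not taken from the advisory.

```python
import re
from urllib.parse import urlsplit

# Same pattern as the .htaccess workaround; re.IGNORECASE mirrors Apache's [NC] flag.
# \b       : "sorting" must start at a word boundary (so "resorting=" is not matched)
# [^&=]*   : any prefix of the value
# [^a-z]+  : at least one character that is not a letter (case-insensitive)
# [^&=]*   : the rest of the value
# (&|$)    : the value must end at the next parameter or at the end of the query
WORKAROUND_PATTERN = re.compile(r"\bsorting=[^&=]*[^a-z]+[^&=]*(&|$)", re.IGNORECASE)


def blocked_by_workaround(query_string: str) -> bool:
    """True if the RewriteCond matches, i.e. the request would get a 403 (the [F] flag)."""
    return WORKAROUND_PATTERN.search(query_string) is not None


def url_blocked_by_workaround(url: str) -> bool:
    """Convenience wrapper: evaluate the rule against the query part of a full URL."""
    return blocked_by_workaround(urlsplit(url).query)


def classify(query_strings):
    """Return {query_string: blocked?} for a batch of query strings."""
    return {qs: blocked_by_workaround(qs) for qs in query_strings}


# Constructed sample query strings (hypothetical; not from the advisory or the exploit).
SAMPLE_QUERY_STRINGS = [
    "cl=search&sorting=title",          # letters only: allowed
    "cl=search&sorting=Title",          # mixed case is still letters under [NC]: allowed
    "cl=search&sorting=title%20desc",   # '%', '2', '0' are non-letters: blocked
    "cl=search&sorting=",               # empty value, [^a-z]+ needs one char: allowed
    "sorting=a1&cl=search",             # digit inside value, terminated by '&': blocked
    "resorting=a1",                     # no word boundary before "sorting": allowed
    "cl=search",                        # no sorting parameter at all: allowed
]

if __name__ == "__main__":
    for qs, blocked in classify(SAMPLE_QUERY_STRINGS).items():
        print(f"{'BLOCK' if blocked else 'allow'}  ?{qs}")
```

Note that the rule is deliberately coarse: it does not know what a valid sorting value looks like, it only refuses anything that is not purely alphabetic. Run it against the query strings your shop actually generates before relying on it, and treat it as a stopgap until the 6.0.5 / 6.1.4 update is installed.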

Versions of the software that are no longer supported will remain vulnerable, as the company will not provide a fix for them.
