Security Affairs
JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Hacking eCommerce sites based on OXID eShop by chaining 2 flaws

Researchers at RIPS Technologies discovered vulnerabilities in the OXID eShop platform that could expose eCommerce websites to hack. Experts at RIPS Technologies discovered several flaws in the OXID eShop platform that could be exploited by unauthenticated attackers to compromise eCommerce websites. OXID eShop is a popular e-commerce software platform used by important brands like Mercedes […]

Oxid eShop

Researchers at RIPS Technologies discovered vulnerabilities in the OXID eShop platform that could expose eCommerce websites to hack.

Experts at RIPS Technologies discovered several flaws in the OXID eShop platform that could be exploited by unauthenticated attackers to compromise eCommerce websites.

OXID eShop is a popular e-commerce software platform used by important brands like Mercedes and Edeka.

Experts discovered two critical security issues that affect recent versions of Enterprise, Professional, and Community Editions of OXID eShop software.

The vulnerabilities could be exploited by an attacker without any user interaction.

The first issue, tracked as CVE-2019-13026, is an SQL injection vulnerability that could be exploited by an unauthenticated attacker to create a new administrator account.

“The eShop software is prone to a SQL Injection which is fully exploitable from an unauthenticated remote session. The exploit requires no specific shop configuration.” reads the report published by RIPS Technologies.

“This means an attacker can pivot via the session variable to inject straight into ORDER BYstatement of the SQL query. Since the underlying database driver is per default set to PDO, an attacker can make use of stacked queries to insert a brand new admin user with a password of his choice. He can then log into the backend and continue the exploitation process which is described in the following section.”

The researchers published a video Proof-of-Concept that shows the attack

The second flaw in the OXID eShop is a PHP Object injection vulnerability that affects the administration panel of the platform. The vulnerability is caused by the lack of sanitization for user-supplied that being passed to the unserialize() PHP function.

The flaw can be exploited by a remote attacker to execute arbitrary code on the server. Experts pointed out that the exploitation of this flaw requires administrative access to the system that can be obtained triggering the first SQL Injection vulnerability.

“As soon as the adversary has access to the backend, he can escalate his access into a Remote Code Execution by exploiting a PHP Object Injection vulnerability in the import section.” continues the post. “The administrator has the possibility to import articles by uploading a CSV file which is loaded into the $data array of the following code snippet.”

The expert successfully chained the two issues in a Python2.7 exploit that can be exploited to compromise OXID eShops by just knowing their URL.

The experts published a video that shows the PoC code in action.

Chaining the two flaw, attackers can remotely execute malicious code on the underlying server and take full control over the installation of the eCommerce platform. This means, for example, that attackers can install software skimmer to steal payment card data from visitors.

Below the timeline for the flaws:

DateEvent
11/Dec/2017Reported a SQL Injection in OXID 4.10.6
18/June/2019First contact with vendor
19/June/2019Agreed on communication encryption
21/June/2019Sent vulnerability details
27/June/2019Vendor informs about releasing fix on 30th July
30/July/2019Vendor fixed issue
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Marriott, GDPR)

[adrotate banner=”5″]

[adrotate banner=”13″]