Security researchers have discovered a pair of critical vulnerabilities in OXID eShop e-commerce software that could allow unauthenticated attackers to take full control of vulnerable e-commerce websites remotely in a matter of seconds.
OXID eShop is one of the leading German e-commerce shop software solutions whose enterprise edition is being used by industry leaders including Mercedes, BitBurger, and Edeka.
Security researchers at RIPS Technologies GmbH shared their latest findings with The Hacker News, detailing two critical security vulnerabilities that affect recent versions of the Enterprise, Professional, and Community Editions of OXID eShop software.
It should be noted that exploiting either vulnerability requires no interaction between the attacker and a victim, and that both flaws work against the default configuration of the e-commerce software.
OXID eShop: SQL Injection Flaw
The first vulnerability, assigned CVE-2019-13026, is a SQL injection flaw that lets an unauthenticated attacker create a new administrator account, with a password of the attacker's choosing, on any website running a vulnerable version of OXID eShop.
"An unauthenticated SQL injection can be exploited when viewing the details of a product. Since the underlying database makes use of the PDO database driver, stacked queries can be used to INSERT data into the database. In our exploit we abuse this to INSERT a new admin user," researchers told The Hacker News.
Here's the proof-of-concept video the researchers shared with The Hacker News, demonstrating this attack:
PDO supports prepared statements, which prevent SQL injection when user input is passed as a bound parameter. That protection does nothing when the query is instead assembled by concatenating user input into the SQL string, and because PDO's MySQL driver by default accepts several semicolon-separated statements in a single call (stacked queries), an injection here is not limited to altering the original SELECT: the attacker can append an entirely separate INSERT, which is how the researchers create their admin user.
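The following is an added illustration of the pattern described above, not OXID eShop's own code: a product-details handler that concatenates the request parameter into SQL, the input that turns its SELECT into a SELECT plus INSERT, and the parameterised version beside it. The table and column names (oxarticles, oxuser, oxrights) follow OXID's schema, but the handler, DSN, credentials and request parameter are hypothetical, and '<hash>' stands in for a password hash in whatever format the application expects.

```php
<?php
// Added illustration of the stacked-query SQL injection pattern; not OXID eShop code.
// Table/column names follow OXID's schema; handler, DSN and parameter are hypothetical.

// Vulnerable: the request value is pasted into the SQL text. PDO_MYSQL in its
// default configuration (emulated prepares, MYSQL_ATTR_MULTI_STATEMENTS = true)
// lets the server execute every semicolon-separated statement in the string.
function productDetailsVulnerable(PDO $db, string $productId): array
{
    $sql  = "SELECT oxtitle, oxprice FROM oxarticles WHERE oxid = '" . $productId . "'";
    $stmt = $db->query($sql);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Attacker-supplied product id: closes the quoted literal, terminates the SELECT,
// runs an INSERT as a second statement, and comments out the trailing quote.
// 'malladmin' is the rights value OXID uses for shop administrators.
$attackerId = "x'; INSERT INTO oxuser (oxid, oxusername, oxpassword, oxrights) "
            . "VALUES ('evil', 'evil@example.com', '<hash>', 'malladmin'); -- ";

// Hardened: the value is sent as a bound parameter, never as SQL text, so a
// quote or semicolon inside it is just data that no product id will match.
function productDetailsSafe(PDO $db, string $productId): array
{
    $stmt = $db->prepare('SELECT oxtitle, oxprice FROM oxarticles WHERE oxid = :id');
    $stmt->execute([':id' => $productId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defence in depth at the connection: real server-side prepares and one
// statement per call, so even a concatenated query cannot be stacked.
function connect(string $dsn, string $user, string $password): PDO
{
    return new PDO($dsn, $user, $password, [
        PDO::ATTR_ERRMODE                => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES       => false,
        PDO::MYSQL_ATTR_MULTI_STATEMENTS => false,
    ]);
}

$db = connect('mysql:host=127.0.0.1;dbname=shop;charset=utf8mb4', 'shop', 'secret');
// productDetailsVulnerable($db, $attackerId) on a default PDO connection inserts the
// 'evil' admin row; productDetailsSafe($db, $attackerId) returns an empty result.
```

Disabling multi-statements only removes the INSERT path; a concatenated query is still injectable (UNION, boolean or time-based extraction), so the prepared statement is the actual fix and the connection option is a second layer.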
OXID eShop: Remote Code Execution Flaw
The second vulnerability is a PHP object injection issue in the administration panel of the OXID eShop software: user-supplied input is passed to PHP's unserialize() function without being properly validated, so an attacker who controls the serialized string can instantiate arbitrary classes and trigger their magic methods.
This vulnerability can be exploited to gain remote code execution on the server; however, it requires administrative access, which can be obtained using the first vulnerability.
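To show what the object-injection step looks like and how it is closed, here is an added example that is not OXID's code and does not reproduce the researchers' gadget chain: a hypothetical class whose destructor does something dangerous with an attacker-controlled property, a handler that feeds untrusted input to unserialize(), and two hardened variants (refusing class instantiation via allowed_classes, or not using PHP serialization for untrusted data at all). The class name, parameter and payload are invented for the illustration; PHP 8 is assumed.

```php
<?php
// Added illustration of PHP object injection via unserialize(); not OXID eShop code.
// TempFileCleaner, the settings parameter and the payload are hypothetical.

class TempFileCleaner
{
    public string $path;

    public function __construct(string $path) { $this->path = $path; }

    // Runs when the object is freed. If an attacker controls $path via a
    // deserialized object, this becomes an arbitrary-file-delete "gadget";
    // real chains use the same idea to reach file writes or code execution.
    public function __destruct() { @unlink($this->path); }
}

// Vulnerable: whatever arrives in the request reaches unserialize() unfiltered,
// so the attacker chooses which class is instantiated and with which properties.
function loadSettingsVulnerable(string $blob): mixed
{
    return unserialize($blob);
}

// Hardened (1): allowed_classes => false turns every O:... entry into
// __PHP_Incomplete_Class, so no __wakeup()/__destruct() of the original class runs.
function loadSettingsSafe(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Hardened (2): do not use PHP's native serialization for untrusted data at all.
function loadSettingsJson(string $blob): array
{
    $data = json_decode($blob, true, 64, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Serialized TempFileCleaner an attacker would place in the vulnerable parameter
// (string lengths must match exactly or unserialize() returns false).
$payload = 'O:15:"TempFileCleaner":1:{s:4:"path";s:21:"/tmp/demo-gadget.lock";}';

$obj  = loadSettingsVulnerable($payload);  // TempFileCleaner instance; __destruct fires later
$safe = loadSettingsSafe($payload);        // __PHP_Incomplete_Class; destructor never runs

var_dump($obj instanceof TempFileCleaner);
var_dump($safe instanceof __PHP_Incomplete_Class);
```

The allowed_classes option is the minimal patch when the serialized format cannot be changed; it neutralises the instantiation of attacker-chosen classes but still lets the attacker supply arbitrary scalar and array structures, so the result must be validated like any other input.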
"A second vulnerability can then be chained to gain remote code execution on the server. We have a fully working Python2.7 exploit which can compromise the OXID eShops directly which requires only the URL as an argument," researchers told The Hacker News.
Here's the video demonstration showing the RCE attack in action:
Once successful, attackers can remotely execute malicious code on the underlying server or install a malicious plugin of their own to skim customers' credit card data, PayPal account details and any other sensitive financial information that passes through the eShop, just as MageCart attacks do.
RIPS researchers responsibly reported their findings to OXID, which acknowledged the issues and addressed them with the release of OXID eShop v6.0.5 and 6.1.4 for all three editions.
It appears that the company did not fix the unsafe unserialize() call itself but only cut off the path to it by fixing the SQL injection. That leaves the object injection latent: if any future admin-takeover issue is discovered, it will revive the RCE chain.