If your e-commerce website runs on the OXID eShop platform, you need to update it immediately to prevent your site from becoming compromised.
Cybersecurity researchers have discovered a pair of critical vulnerabilities in the OXID eShop e-commerce software that could allow unauthenticated attackers to take full control of vulnerable e-commerce websites remotely within seconds.
OXID eShop is one of the leading German e-commerce shop software solutions whose enterprise edition is being used by industry leaders including Mercedes, BitBurger, and Edeka.
Security researchers at RIPS Technologies GmbH shared their latest findings with The Hacker News, detailing two critical security vulnerabilities that affect recent versions of the Enterprise, Professional, and Community Editions of the OXID eShop software.
It should be noted that absolutely no interaction between the attacker and the victim is necessary to exploit either vulnerability, and the flaws work against the default configuration of the e-commerce software.
OXID eShop: SQL Injection Flaw
The first vulnerability, tracked as CVE-2019-13026, is a SQL injection vulnerability that allows an unauthenticated attacker to simply create a new administrator account, with a password of their own choice, on a website running any vulnerable version of the OXID eShop software.
“An unauthenticated SQL injection can be exploited when viewing the details of a product. Since the underlying database makes use of the PDO database driver, stacked queries can be used to INSERT data into the database. In our exploit we abuse this to INSERT a new admin user,” researchers told The Hacker News.
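The mechanism the researchers describe, an injection point in a read-only product view becoming an INSERT because the driver accepts stacked queries, is easier to reason about side by side with its fix. The following is an added example written for this article, not OXID's code and not the researchers' exploit: it uses Python's sqlite3 module with a constructed two-table schema (products, admins), and its split_statements helper models a driver that executes every statement it is handed, the way PDO with emulated prepares does. The payload string is constructed for the demonstration and targets only this toy schema.

```python
import sqlite3

# Constructed sample schema for the demonstration; not OXID's real tables.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, title TEXT NOT NULL);
CREATE TABLE admins (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL);
INSERT INTO products (id, title) VALUES (1, 'Widget'), (2, 'Gadget');
INSERT INTO admins (username, pw_hash) VALUES ('owner', '<hash>');
"""

# Constructed input: a product id followed by a second, stacked statement.
PAYLOAD = "1; INSERT INTO admins (username, pw_hash) VALUES ('attacker', '<hash>')"


def new_shop_db():
    """Fresh in-memory database loaded with the sample schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def split_statements(sql):
    """Split text into complete SQL statements, as a driver with
    stacked-query support would before running each of them in turn."""
    statements, buf = [], ""
    for piece in sql.split(";"):
        buf += piece + ";"
        if sqlite3.complete_statement(buf):
            if buf.strip(";").strip():
                statements.append(buf.strip())
            buf = ""
    return statements


def product_details_vulnerable(conn, product_id):
    """Vulnerable pattern: the id is concatenated into the query text and
    every statement in the resulting string is executed. The page only
    renders the first result set, so the extra INSERT runs silently."""
    sql = "SELECT title FROM products WHERE id = " + str(product_id)
    cur = conn.cursor()
    rows = None
    for stmt in split_statements(sql):
        cur.execute(stmt)
        if rows is None:
            rows = cur.fetchall()
    conn.commit()
    return [r[0] for r in rows]


def product_details_hardened(conn, product_id):
    """Hardened pattern: the id is bound as a parameter, so it is compared
    as a value and never parsed as SQL; sqlite3's execute() also refuses to
    run more than one statement at a time."""
    cur = conn.execute("SELECT title FROM products WHERE id = ?", (product_id,))
    return [r[0] for r in cur.fetchall()]


def admin_usernames(conn):
    """Integrity check a defender can run: which admin accounts exist?"""
    return [r[0] for r in conn.execute("SELECT username FROM admins ORDER BY username")]


if __name__ == "__main__":
    db = new_shop_db()
    print(product_details_vulnerable(db, PAYLOAD), admin_usernames(db))
    db = new_shop_db()
    print(product_details_hardened(db, PAYLOAD), admin_usernames(db))
```

The vulnerable handler still returns the product title for the payload, so nothing looks wrong to the visitor, while a new row has appeared in admins; the hardened handler returns no rows and leaves the table untouched. In PHP the equivalent of the hardened path is a prepared statement with bound parameters, and setting PDO::ATTR_EMULATE_PREPARES to false so that PDO uses the server's native prepare, which does not accept stacked statements. Monitoring for unexpected new rows in the administrator table is the corresponding detection.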
Here’s the proof-of-concept video the researchers shared with The Hacker News, demonstrating this attack: