OXID eShop CE 4.9.7 Path Traversal / Privilege Escalation

Published: 03 May 2016 00:00:00. Reported by Tim Herres. Type: packetstorm. Source: packetstormsecurity.com


Code

=== LSE Leading Security Experts GmbH - Security Advisory 2016-02-03 ===  
  
OXID eShop Path Traversal Vulnerability  
------------------------------------------------------------------------  
  
Affected Versions  
=================  
Community Edition 4.9.7  
  
Issue Overview  
==============  
Vulnerability Type: path traversal, privilege escalation  
Version: Tested in Community Edition 4.9.7  
Technical Risk: high  
Likelihood of Exploitation: medium  
Vendor: OXID eSales AG  
Vendor URL: https://www.oxid-esales.com  
Credits: LSE Leading Security Experts GmbH employee Tim Herres  
Advisory URL: https://www.lsexperts.de/advisories/lse-2016-02-03.txt  
Advisory Status: Public  
CVE-Number: NA  
CVE URL: NA  
OVE-ID: OVE-20160419-0002  
OVI-ID: OVI-2016-7988  
CWE-ID: CWE-22  
CVSS 2.0: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)  
  
  
  
Impact  
======  
Missing validation of the download file path allows an authenticated user who has permission  
to add or edit products to read arbitrary files on the file system that the user is not otherwise permitted to access.  
  
  
  
Issue Description  
=================  
While conducting an internal evaluation of the software, LSE Leading  
Security Experts GmbH discovered a path traversal vulnerability in the product  
downloads function. A user with permissions to change or add products may change  
the Downloads name to a local file (e.g. "../../../config.inc.php"). This may lead  
to a privilege escalation.  
  
  
  
  
Temporary Workaround and Fix  
============================  
Install the latest update (4.9.8 / 5.2.8).  
See http://wiki.oxidforge.org/Downloads/4.9.8_5.2.8  
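The class of check that closes this issue, as an added example in PHP that is neither OXID's own code nor the vendor's 4.9.8 patch: a stored "name of the uploaded file" is only served when it resolves to a regular file inside the downloads directory. The function name, directory layout and sample file names are assumptions for illustration.

```php
<?php
// Added example, not OXID's own code and not the vendor's 4.9.8 patch: validate
// a stored "name of the uploaded file" before serving it from the downloads
// directory. Function name, directory layout and sample inputs are assumptions.
declare(strict_types=1);

/**
 * Resolve $fileName inside $baseDir and return its absolute path, or null
 * when the name is absolute, contains a traversal segment, escapes the
 * directory via a symlink, or does not point at a regular file.
 */
function resolveDownloadPath(string $baseDir, string $fileName): ?string
{
    // Reject empty names and embedded null bytes.
    if ($fileName === '' || strpos($fileName, "\0") !== false) {
        return null;
    }
    // Reject absolute paths (POSIX and Windows forms).
    if ($fileName[0] === '/' || $fileName[0] === '\\' || preg_match('/^[A-Za-z]:/', $fileName)) {
        return null;
    }
    // Reject any ".." segment lexically, before touching the filesystem.
    foreach (preg_split('#[\\\\/]+#', $fileName) as $segment) {
        if ($segment === '..') {
            return null;
        }
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() follows symlinks, so a link pointing outside is caught here.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $fileName);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Demonstration on a constructed temporary layout.
$root = sys_get_temp_dir() . '/oxid_dl_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/downloads', 0700, true);
file_put_contents($root . '/downloads/manual.pdf', 'pdf bytes');
file_put_contents($root . '/config.inc.php', '<?php // constructed stand-in for secrets');
foreach (['manual.pdf', '../config.inc.php', '../../../config.inc.php'] as $name) {
    $resolved = resolveDownloadPath($root . '/downloads', $name);
    printf("%-28s => %s\n", $name, $resolved === null ? 'REJECTED' : 'serve ' . $resolved);
}
```

The lexical ".." rejection runs before realpath() so that a name is refused even when the target file does not yet exist; the realpath() prefix comparison then covers symlinks inside the downloads directory.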
  
  
Proof of Concept  
================  
Create a new product in the backend. In the "Downloads" tab set "name of the uploaded  
file" to "../../../config.inc.php". Go to the frontend and buy the related product.  
Move to "My account" and choose the download section. Download the file and enjoy  
full database credentials.  
  
History  
=======  
2016-02-05 Issue discovered  
2016-02-22 Vendor contacted  
2016-02-24 Vendor confirmed  
2016-05-03 Vendor released patch  
2016-05-03 Advisory release  
  
  
GPG Signature  
=============  
This advisory is signed with the GPG key of the  
LSE Leading Security Experts GmbH advisories team.  
The key can be downloaded here: https://www.lsexperts.de/advisories-key-99E3277C.asc  
  
  
