View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0006623 | OXID eShop (all versions) | 5. ------ UpdateApp / Update ------ | public | 2017-04-26 02:10 | 2017-06-23 12:08 |
Reporter | BeckerEnterprises | Assigned To | |||
Priority | high | Severity | crash | Reproducibility | always |
Status | closed | Resolution | open | ||
Product Version | 4.10.3 / 5.3.3 | ||||
Summary | 0006623: UTF-8 update.php SQL error for values containing quotation marks | ||||
Description | If oxconfig contains values with a single quotation mark, the update produces an SQL error because the values are not escaped correctly. | ||||
Steps To Reproduce | Insert a row into oxconfig with a value of ', then start the update. | ||||
Additional Information | In line 357 (_updateConfigValue), escape the content of $sVarVal: $oDB = oxDB::getInstance(); .. $oDB->escapeString($sVarVal) .. | ||||
Tags | No tags attached. | ||||
Theme | Not defined | ||||
Browser | Not defined | ||||
PHP Version | All | ||||
Database Version | All | ||||
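The failure the report describes, as an added example that is not code from OXID or from the reporter: a Python sqlite3 stand-in for the oxconfig table (column names oxvarname/oxvarvalue are assumed, not taken from the OXID schema) runs the UPDATE once with the value spliced into the statement text and once with the value passed as a bound parameter.

```python
import sqlite3

# Constructed stand-in for the oxconfig table; the column names are an
# assumption for this example, not the real OXID schema.
SCHEMA = "CREATE TABLE oxconfig (oxvarname TEXT PRIMARY KEY, oxvarvalue TEXT)"


def _fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO oxconfig VALUES ('sContactText', 'old')")
    return conn


def update_config_value_unsafe(conn, name, value):
    """Mimics the reported update.php behaviour: the value is spliced into
    the statement text verbatim, so a single quote breaks the SQL."""
    sql = "UPDATE oxconfig SET oxvarvalue = '%s' WHERE oxvarname = '%s'" % (value, name)
    conn.execute(sql)


def update_config_value_safe(conn, name, value):
    """Hardened form: the driver carries the value separately from the
    statement text, so any character, including ', is stored literally."""
    conn.execute(
        "UPDATE oxconfig SET oxvarvalue = ? WHERE oxvarname = ?", (value, name)
    )


def stored_value(conn, name):
    return conn.execute(
        "SELECT oxvarvalue FROM oxconfig WHERE oxvarname = ?", (name,)
    ).fetchone()[0]


def demo(value="O'Reilly"):
    """Run both variants on the same value; returns (unsafe_error, safe_stored)."""
    conn = _fresh_db()
    try:
        update_config_value_unsafe(conn, "sContactText", value)
        unsafe_error = None
    except sqlite3.OperationalError as exc:
        unsafe_error = str(exc)  # the SQL error the report describes
    update_config_value_safe(conn, "sContactText", value)
    return unsafe_error, stored_value(conn, "sContactText")


if __name__ == "__main__":
    print(demo())
```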
Kindly enter bugs only in the English language for future reference. The default oxconfig table does not by default have a quotation mark. Can you please provide the entry in oxconfig that requires a quotation mark so that we can try reproducing the issue. Thanks

It's caused by a third party module (shoptimax shoptifind), but oxconfig is not only used by OXID, so every value is possible and the update script should take that into account.

Since the error is caused by a third party module, a solution cannot be added to the standard shop. Kindly contact the third party module provider (in this case Shoptimax) for a solution.

Really, this is also a big security issue, easy to perform SQL injection. It is reproducible with theme Flow: just add an ' in the theme configuration in the contact field. You can also add SQL statements, works great ;) But I don't see that this is an issue with modules; the script has to deal with every possible value. User values used in any SQL statement should be escaped, without exception, otherwise it leads to a vulnerability!

Thank you for your feedback. The instances of security issue or SQL injection are taking place in the shop admin page. In this case, the user has to have admin access to the shop in order to make an SQL injection possible. Kindly provide more information or any other scenario where this issue can be reproduced in the shop.

If any security issue still persists, please follow the instructions mentioned in https://oxidforge.org/en/security. Thanks!

On behalf of the reporter, I (MK) sent a mail to security@.