View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0001196 | OXID eShop (all versions) | 1.02. Price calculations (discounts, coupons, additional costs etc.) | public | 2009-08-13 18:27 | 2015-05-04 14:15 |

| Target Version | Fixed in Version |
| | |

Summary: 0001196: Coupons are easily hijacked by external attacker
Description:
The default path for the file "oxexport.csv" for export of coupons is normally:
Attackers have recently started to download this file from random OXID eShops to illegally use coupons.
It can even be seen in the oxid demo shop at:
Coupons will be exported to:
They can then be downloaded by attackers using:
This needs an immediate security patch!
We have some customers who already suffer from illegal coupon usage!!
|Tags||No tags attached.|
Reminder sent to: henriks
This problem occurred because of a misconfiguration of the environment on the server. This can be simply solved by placing an .htaccess file in the /export dir, which would deny unauthorized access to files in that dir.
We will discuss in the team possible improvements for that case - what we can do to help set up the environment for the eShop or avoid such cases at all. This entry is already included in the customers' wishlist, and the entry here is closed.
Thank you for your note.
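The .htaccess mentioned in the reply above, written out as an added example (it is not from this issue or from the OXID project). It assumes the shop runs under Apache with AllowOverride enabled for the export directory; the "/export" path is the one named in the reply. With this file in place, every HTTP request for a file under /export, including the exported oxexport.csv, is answered with 403 instead of the file contents, while the shop's own PHP code can still write to and read the directory from disk.

```apache
# Added example, not OXID's own code: deny all direct HTTP access to the
# shop's /export directory so exported coupon files cannot be downloaded.
# Assumes Apache with AllowOverride (at least AuthConfig/Limit) for this dir.

# Apache 2.4 and later
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 (mod_authz_host syntax)
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

To confirm the rule is active, request a known file in the directory over HTTP and check for a 403 response; a 200 means AllowOverride is off for that path (or the rule must be moved into the server's main configuration). Note that nginx and IIS do not read .htaccess files, so on those servers the equivalent deny rule for the export path has to be placed in the server configuration itself.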