View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001196 | OXID eShop (all versions) | 1.02. Price calculations (discounts, coupons, additional costs etc.) | public | 2009-08-13 18:27 | 2015-05-04 14:15 |
Field | Value |
---|---|
Reporter | henriks |
Assigned To | |
Priority | normal |
Severity | major |
Reproducibility | always |
Status | resolved |
Resolution | won't fix |
Summary | 0001196: Coupons are easily hijacked by external attacker |
Tags | No tags attached. |
Theme | |
Browser | All |
PHP Version | 5.2.6 |
Database Version | 5.0.33 |

Description

The default path for the file "oxexport.csv" for export of coupons is normally: http://shop-hostname/export/oxexport.csv

Attackers have recently started to download this file from random OXID eShops to illegally use coupons. It can even be seen in the OXID demo shop at: http://demoshop.oxid-esales.com/professional-edition/

Coupons will be exported to: /demoujjj/www.demoshop.oxid-esales.com/professional-edition/export/oxexport.csv

They can then be downloaded by attackers using: http://demoshop.oxid-esales.com/professional-edition/export/oxexport.csv

This needs an immediate security patch! We have some customers who already suffer from illegal coupon usage!
Reminder sent to: henriks

Hi,

This problem occurred because of a misconfiguration of the environment on the server. This can be simply solved by placing the .htaccess file in the /export dir, which would deny unauthorized access to files in that dir.

We will discuss in the team possible improvements for that case, what we can do to help set up the environment for the eShop or avoid such cases at all. This entry is already included in the customers' wishlist, and the entry here is closed.

Thank you for your note.

Best regards,
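The mitigation the OXID note describes, a deny-all .htaccess in the export directory, together with an external probe that confirms oxexport.csv is no longer served, as an added example that is not part of the original issue or of OXID's own code. It assumes an Apache web server whose AllowOverride setting honours these directives; the directory path, the shop URL and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not OXID's code): lock down the coupon export directory
# with a deny-all .htaccess and verify from outside that the CSV is not served.
# Assumptions: Apache httpd, AllowOverride permits AuthConfig/Limit in the
# shop's document root, and the export directory lives under that root.

set -e

# Write a deny-all .htaccess into the given export directory.
# The two IfModule blocks cover Apache 2.4 (mod_authz_core) and Apache 2.2.
write_export_htaccess() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/.htaccess" <<'EOF'
# Block every HTTP request for files in this directory.
# The shop reads its exports from the filesystem, never over HTTP.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Probe a shop from the outside the way an attacker would.
# Prints the URL and HTTP status; returns 0 when the export file is not
# reachable (403/404/connection failure), 1 when it is served with 200.
check_export_exposed() {
    url="$1/export/oxexport.csv"
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$url" || echo 000)
    echo "$url -> HTTP $code"
    case "$code" in
        200) return 1 ;;
        *)   return 0 ;;
    esac
}

# Usage: sh export-guard.sh /var/www/shop/export https://shop.example
# (paths and host are placeholders, not values from the original issue)
if [ "$#" -ge 1 ]; then
    write_export_htaccess "$1"
    if [ "$#" -ge 2 ]; then
        if check_export_exposed "$2"; then
            echo "export directory is blocked"
        else
            echo "WARNING: oxexport.csv is still downloadable" >&2
            exit 2
        fi
    fi
fi
```

Two caveats worth checking after deploying this. First, an .htaccess file is silently ignored when the vhost sets `AllowOverride None` (and `Require` needs `AuthConfig`, `Order`/`Deny` need `Limit`); in that case put the same deny block in a `<Directory>` section of the vhost configuration, which is why the curl probe, not the presence of the file, is the real test. Second, a 404 from the probe only proves the file is not there right now; run the check again after an export has been generated, because that is exactly the moment the file appears at the predictable path the report describes.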