View Issue Details

ID: 0001196
Project: OXID eShop (all versions)
Category: 1.02. Price calculations (discounts, coupons, additional costs etc.)
View Status: public
Last Update: 2015-05-04 14:15
Reporter: henriks
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: won't fix
Product Version:
Target Version:
Fixed in Version:
Summary: 0001196: Coupons are easily hijacked by external attacker

Description:
The default path for the file "oxexport.csv" for export of coupons is normally:

http://shop-hostname/export/oxexport.csv

Attackers have recently started to download this file from random OXID eShops to illegally use coupons.

It can even be seen in the oxid demo shop at:
http://demoshop.oxid-esales.com/professional-edition/

Coupons will be exported to:
/demoujjj/www.demoshop.oxid-esales.com/professional-edition/export/oxexport.csv

They can then be downloaded by attackers using:
http://demoshop.oxid-esales.com/professional-edition/export/oxexport.csv

This needs an immediate security patch!

We have some customers who already suffer from illegal coupon usage!!

Tags: No tags attached.
Theme:
Browser: All
PHP Version: 5.2.6
MySQL Version: 5.0.33

Activities

dainius.bigelis

2009-08-14 15:00

reporter   ~0001407

Reminder sent to: henriks

Hi,

This problem occurred because of a misconfiguration of the environment on the server. This can be simply solved by placing a .htaccess file in the /export dir, which would deny unauthorized access to files in that dir.
We will discuss in the team about possible improvements for that case - what we can do to help set up the environment for the eshop or avoid such cases at all. This entry is already included in the customers' wishlist, and the entry here is closed.
Thank you for your note.

Best regards,
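The .htaccess rule the reply refers to, written out as an added example (this is not OXID's shipped file and not the commenter's code). It assumes Apache httpd serving the shop's document root, with AllowOverride enabled for that directory so per-directory .htaccess files are honoured; the directory name /export is the one named in the report.

```apache
# Added example: place this file at <shop-docroot>/export/.htaccess
# It denies every HTTP request for anything inside /export, so exported
# coupon files such as oxexport.csv are no longer downloadable by URL.
# Both syntaxes are included so the same file works on Apache 2.2 and 2.4.

# Apache 2.4 and later (mod_authz_core)
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 (mod_authz_host / classic access control)
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>

# Belt and braces: disable directory listings so the folder contents are
# not enumerable even if a later rule accidentally re-opens access.
Options -Indexes
```

Two caveats worth checking after deploying: the file only has an effect if the directory's configuration allows overrides (an `AllowOverride None` in the vhost silently ignores it), and web servers other than Apache (for example nginx) do not read .htaccess at all, so the equivalent deny rule must be placed in the server configuration instead. Verify the result by requesting the export URL from the report and confirming the response is 403 rather than the CSV body.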