View Issue Details

ID: 0001196
Project: OXID eShop (all versions)
Category: 1.02. Price calculations (discounts, coupons, additional costs etc.)
View Status: public
Last Update: 2015-05-04 14:15
Status: resolved
Resolution: won't fix
Product Version: 
Target Version: 
Fixed in Version: 
Summary: 0001196: Coupons are easily hijacked by external attacker
Description: The default path for the file "oxexport.csv" for the export
of coupons is normally:


Attackers have recently started to download this file from
random OXID eShops to illegally use coupons.

It can even be seen in the oxid demo shop at:

Coupons will be exported to:

They can then be downloaded by attackers using:

This needs an immediate security patch!

We have some customers who already suffer from illegal coupon usage!!

Tags: No tags attached.
PHP Version: 5.2.6
Database Version: 5.0.33



Note ~0001407, reporter, 2009-08-14 15:00
Reminder sent to: henriks

This problem occurred because of a misconfiguration of the environment on the server. This can be simply solved by placing the .htaccess file in the /export dir, which would deny unauthorized access to files in that dir.
We will discuss in the team about possible improvements for that case - what we can do to help set up the environment for eshop or avoid such cases at all. This entry is already included in the customers' wishlist, and the entry here is closed.
Thank you for your note.

Best regards,
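The .htaccess file the reply refers to is not quoted on the page. The following is an added example written for this page, not OXID eShop's shipped file, of a deny-all .htaccess for the export directory. It assumes Apache, and it assumes the virtual host grants overrides for that path (AllowOverride Limit or AllowOverride All); with AllowOverride None the file is silently ignored and the CSV stays downloadable, which is the kind of environment misconfiguration the reply describes.

```apache
# /export/.htaccess  (added example; not part of OXID eShop)
# Refuse every HTTP request for anything under this directory.
# Only honoured when the server config sets AllowOverride Limit (or All)
# for the document root; under AllowOverride None it has no effect.

# Apache 2.4: mod_authz_core syntax
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 (and 2.4 only with mod_access_compat loaded)
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

Check the result from outside the network, e.g. `curl -sI https://<shop>/export/oxexport.csv` must answer 403 (or 404), not 200 with a text/csv body; a 200 means overrides are disabled or the file is in the wrong directory. nginx never reads .htaccess, so an nginx-fronted shop needs an equivalent `location ^~ /export/ { deny all; }` in its server block. Either rule only stops the web server from serving the file; the export still lands under the document root, so writing exports to a directory outside the document root, or limiting the location to the admin network by IP, removes the exposure rather than masking it.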