View Issue Details

ID: 0005568
Project: OXID eShop (all versions)
Category: 4.04. Security
View Status: public
Last Update: 2015-09-09 15:03
Reporter: maltestenzel
Priority: immediate
Severity: critical
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 4.7.6 / 5.0.6
Target Version: 4.7.10 / 5.0.10
Fixed in Version: 4.6.8
Summary: 0005568: Execution of any private/protected Methods in any Controller by external requests to the shop possible
Description

tl;dr: Visitors of OXID shops can run any method implemented in any controller, regardless of its visibility, by using the pattern:
http://shopurl/?cl=<Classname>&fnc=<Private_method>

When a controller method is called using the above syntax, the class core\oxshopcontrol calls the method "executeFunction" on the target controller within its "_process" method. Every controller extends core\oxview, which implements "executeFunction".
"executeFunction($sFunction)" is therefore a member of the target controller and can call its protected/private methods. This is done by executing "$sNewAction = $this->$sFunction();"

Calling protected/private methods on Controllers can lead to massive security issues. Imagine the following controller:

class mycontroller extends mycontroller_parent {
  public function refund() {
    if($this->mayDoSomething()) { // some security checks
      $this->executeRefund();
    }
  }
  private function executeRefund() {
    // Get oxorder id from parameter
    // Issue refund
  }
}

There is at least one security issue in an OXID shop, which I will not disclose here, caused by code created by OXID Professional Services. The shop and the developer are informed.

Additional Information

We hotfixed this issue by patching oxview directly:
    /**
     * Executes method (creates class and then executes). Returns executed
     * function result.
     *
     * @param string $sFunction name of function to execute
     *
     * @throws oxSystemComponentException system component exception
     *
     * @return mixed
     */
    public function executeFunction( $sFunction )
    {
        // execute
        if ( $sFunction && !self::$_blExecuted ) {
            $reflectionMethod = $this->getReflectionMethodOrNull( $sFunction );
            // only dispatch methods that exist on this controller AND are public
            if ( $reflectionMethod !== null && $reflectionMethod->isPublic() ) {
                if ( ( $oRights = $this->getRights() ) ) {
                    // once again checking if user has enough rights to exec. preferred action
                    $oRights->processView( $this, $sFunction );
                }

                $sNewAction = $this->$sFunction();
                self::$_blExecuted = true;

                if ( isset( $sNewAction ) ) {
                    $this->_executeNewAction( $sNewAction );
                }
            } else {
                // was not executed on any level ?
                if ( !$this->_blIsComponent ) {
                    $oEx = oxNew( 'oxSystemComponentException' );
                    $oEx->setMessage( 'ERROR_MESSAGE_SYSTEMCOMPONENT_FUNCTIONNOTFOUND' );
                    $oEx->setComponent( $sFunction );
                    throw $oEx;
                }
            }
        }
    }

    /**
     * Returns the reflection method for the given function for this class or null if the method does not exist
     *
     * @param string $sFunction name of the function to look up
     *
     * @return null|ReflectionMethod
     */
    private function getReflectionMethodOrNull( $sFunction )
    {
        $reflectionMethod = null;
        if ( method_exists( $this, $sFunction ) ) {
            $reflectionMethod = new ReflectionMethod( $this, $sFunction );
        }
        return $reflectionMethod;
    }
Tags: No tags attached.
Theme: All
Browser: All
PHP Version: Not defined
MySQL Version: Not defined
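The following is an added, self-contained re-creation of the dispatch pattern described in the report and of the visibility check used in the reporter's hotfix; it is example code written for this page, not OXID's own code. DemoView, DemoController, refund, executeRefund, mayRefund and secret are invented names standing in for oxview, a shop controller and the methods in the report's sketch; $fnc stands in for the ?fnc= request parameter. The run shows that the unchecked dispatcher lets a request reach the protected executeRefund() without passing through refund()'s authorization check, while the hardened dispatcher rejects it. It also shows a PHP detail worth knowing when assessing exposure: a method declared private in the subclass is not callable from the base class scope (PHP throws an Error), so the bypass reaches protected methods and private methods of the dispatching class itself, not private methods added by a subclass.

```php
<?php
// Added example, not OXID code. Demonstrates why dispatching "$this->$sFunction()"
// from a base class reaches non-public methods of the concrete controller, and
// how a ReflectionMethod::isPublic() check (as in the hotfix) closes that.
declare(strict_types=1);

class DemoView
{
    /** Vulnerable variant: dispatches whatever the request names, ignoring visibility. */
    public function executeFunctionUnchecked(string $sFunction)
    {
        if (!method_exists($this, $sFunction)) {
            throw new RuntimeException("function not found: $sFunction");
        }
        // $this is the concrete controller, and this code runs inside its class
        // hierarchy, so protected methods declared in subclasses are reachable.
        return $this->$sFunction();
    }

    /** Hardened variant: only public instance methods may be reached from a request. */
    public function executeFunctionChecked(string $sFunction)
    {
        if (!method_exists($this, $sFunction)) {
            throw new RuntimeException("function not found: $sFunction");
        }
        $method = new ReflectionMethod($this, $sFunction);
        if (!$method->isPublic() || $method->isStatic()) {
            throw new RuntimeException("function not callable: $sFunction");
        }
        return $this->$sFunction();
    }
}

class DemoController extends DemoView
{
    /** Records side effects so the outcome of each request is visible. */
    public $log = [];

    public function refund(): void
    {
        if ($this->mayRefund()) {          // hypothetical authorization check
            $this->executeRefund();
        } else {
            $this->log[] = 'refund denied';
        }
    }

    protected function mayRefund(): bool
    {
        return false;                      // constructed: this request is NOT authorized
    }

    protected function executeRefund(): void
    {
        $this->log[] = 'refund issued';    // the side effect the check is meant to guard
    }

    private function secret(): void
    {
        $this->log[] = 'private reached';  // never reached from DemoView's scope
    }
}

/** Simulates one request: returns what happened as a short string. */
function dispatch(string $dispatcher, string $fnc): string
{
    $c = new DemoController();
    try {
        $c->$dispatcher($fnc);
        return implode(',', $c->log) ?: 'no-op';
    } catch (Throwable $e) {
        return get_class($e) . ': ' . $e->getMessage();
    }
}

// Constructed requests: a legitimate action, the guarded step itself, the
// check helper, and a subclass-private method.
foreach (['refund', 'executeRefund', 'mayRefund', 'secret'] as $fnc) {
    foreach (['executeFunctionUnchecked', 'executeFunctionChecked'] as $dispatcher) {
        printf("%-25s fnc=%-14s => %s\n", $dispatcher, $fnc, dispatch($dispatcher, $fnc));
    }
}
```

Running this with a PHP 7 or 8 CLI, "fnc=executeRefund" through the unchecked dispatcher logs "refund issued" although mayRefund() returns false, which is the report's refund scenario; the same request through the checked dispatcher is rejected. "fnc=secret" fails through both dispatchers, the unchecked one with PHP's own Error about calling a private method from another scope.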

Activities

martinwegele (reporter), 2015-09-09 15:03, note ~0011211 (last edited 2015-09-09 15:05)

fix: https://github.com/OXID-eSales/oxideshop_ce/commit/e3ad94506df9aa79c73e93687151d79342f17287

The issue was not just fixed in 4.6.8 but in 4.7.10 / 5.0.10 ... 14 and all versions >= 4.8.2 / 5.1.2, too.
It should be clear if you compare the commit date and the release dates: https://www.oxid-esales.com/de/support-services/dokumentation-und-hilfe/oxid-eshop/releases.html
Please also note that the fix was not done as proposed by the reporter of the issue.

http://wiki.oxidforge.org/Downloads/4.6.8#Important_information_for_developers
http://wiki.oxidforge.org/Downloads/4.7.10_5.0.10#Important_information_for_developers
http://wiki.oxidforge.org/Downloads/4.8.2_5.1.2#Important_information_for_developers