View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0006224||OXID eShop (all versions)||4.04. Security||public||2015-08-31 18:07||2015-09-30 13:55|
|Status||resolved||Resolution||no change required|
|Product Version||188.8.131.52 revision 15990|
|Target Version||4.5.0 revision 34568||Fixed in Version||4.5.0 revision 34568|
|Summary||0006224: Security Bug in OXID OpenID Login|
|Description||we are security researchers at Ruhr-University Bochum and we found a security bug concerning the OpenID Single Sign-On authentication on your system.|
OXID eSales uses the OpenID attribute exchange extension to identify the end user.
For this purpose, the OpenID email parameter is used.
Unfortunately, the following attack can be started:
An attacker can deploy his own OpenID Identity Provider (IdP) issuing valid OpenID authentication tokens (OpenID supports the usage of arbitrary IdPs).
The attacker's IdP can issue tokens containing any email address within the token (this feature is allowed by the OpenID specification).
As a result, an attacker can impersonate any other user on the system where OXID eSales is deployed.
No interaction between the attacker and the victim is necessary.
You should use the "openid.identity" and "openid.claimed_id" parameters for authentication as defined in the OpenID specification.
After our call with Marco Steinhaeser, we heard that newer OXID Shop versions do not support OpenID.
Thus, upgrading OXID will "fix" the bug.
Unfortunately, there still customers using this old version.
|Tags||No tags attached.|
|PHP Version||Not defined|
|MySQL Version||Not defined|
||openID functionality was removed with OXID eShop 4.5 in 2011. The (openID) bug was reported now. Although it is more or less a bug in openID, we decided to inform users via a security bulletin.|