View Issue Details

IDProjectCategoryView StatusLast Update
0006224OXID eShop (all versions)4.04. Securitypublic2015-09-30 13:55
Reportermarco_steinhaeuser Assigned To 
PrioritynormalSeverityminorReproducibilityalways
Status resolvedResolutionno change required 
PlatformanyOSanyOS Versionany
Product Version4.0.1.0 revision 15990 
Target Version4.5.0 revision 34568Fixed in Version4.5.0 revision 34568 
Summary0006224: Security Bug in OXID OpenID Login
Descriptionwe are security researchers at Ruhr-University Bochum and we found a security bug concerning the OpenID Single Sign-On authentication on your system.

Authentication flaw:

OXID eSales uses the OpenID attribute exchange extension to identify the end user.
For this purpose, the OpenID email parameter is used.
Unfortunately, the following attack can be started:

Requirements:
An attacker can deploy his own OpenID Identity Provider (IdP) issuing valid OpenID authentication tokens (OpenID supports the usage of arbitrary IdPs).
The attacker's IdP can issue tokens containing any email address within the token (this feature is allowed by the OpenID specification).

Results:
As a result, an attacker can impersonate any other user on the system where OXID eSales is deployed.
No interaction between the attacker and the victim is necessary.

Countermeasure:
You should use the "openid.identity" and "openid.claimed_id" parameters for authentication as defined in the OpenID specification.
After our call with Marco Steinhaeser, we heard that newer OXID Shop versions do not support OpenID.
Thus, upgrading OXID will "fix" the bug.
Unfortunately, there still customers using this old version.
TagsNo tags attached.
ThemeBasic
BrowserAll
PHP VersionNot defined
Database VersionNot defined

Activities

marco_steinhaeuser

2015-08-31 18:12

reporter   ~0011194

openID functionality was removed with OXID eShop 4.5 in 2011. The (openID) bug was reported now. Although it is more or less a bug in openID, we decided to inform users via a security bulletin.

marco_steinhaeuser

2015-09-30 13:55

reporter   ~0011229

Last edited: 2015-09-30 13:55

Security bulletin:
http://wiki.oxidforge.org/Security_bulletins/2015-001