View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0007743 | OXID eShop (all versions) | 4.04. Security | public | 2024-11-12 14:24 | 2025-05-13 08:23 |
Reporter | michael_keiluweit | Assigned To | |
Priority | normal | Severity | minor | Reproducibility | always |
Status | confirmed | Resolution | open |
Product Version | 7.0.5 |
Summary | 0007743: In case a syntax error happens while Smarty renders a plain HTML template, the already fetched output gets echoed. |
Description | Behind the scenes the output is buffered (ob_start), but if an exception is thrown, the output gets flushed (https://www.php.net/manual/en/outcontrol.output-handlers.php) and displays the content. In case of the password forgot plain HTML it displays the link to change the password. This allows an attacker to change the password of any account without a notice. It’s necessary to have an error inside the CMS page oxupdatepassinfoplainemail to be able to abuse the password forgot functionality. Since every plain HTML template is buffered, this issue affects any plain HTML template. |
Steps To Reproduce | 1. Go to admin 2. Open oxupdatepassinfoplainemail 3. Change [{ $shop->oxshops__oxname->getRawValue() }] to [{ $shop->oxshops__oxnaame->getRawValue() }] 4. Call the password forgotten page 5. Insert an existing mail address 6. Copy the displayed link and open it with your browser 7. Change the password 8. Log in with the account and its new password. |
Additional Information | Only reproducible with Smarty (reproduced in CE & EE 7.0 and 6.5). Happens with any WYSIWYG editor. |
Tags | Security, Smarty |
Theme | All |
Browser | Not defined |
PHP Version | Not defined |
Database Version | Not defined |
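
The buffering behaviour described in the report, as an added PHP example that is not OXID eShop or Smarty code: `renderPlainMail`, `fetchUnsafe`, `fetchSafe` and the reset URL are hypothetical names and constructed values. It contrasts a fetch that leaves its output buffer open when rendering throws with one that discards the buffer before rethrowing.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a template render step: it echoes part of the
// mail body, then fails the way a broken template expression would.
function renderPlainMail(string $resetLink): void
{
    echo "Follow this link to set a new password: {$resetLink}\n";
    throw new RuntimeException('template error after partial output');
}

// Weak pattern: the buffer is closed only on the success path. If $render
// throws, the buffer stays open and PHP flushes it at the end of the request.
function fetchUnsafe(callable $render): string
{
    ob_start();
    $render();
    return (string) ob_get_clean();
}

// Hardened pattern: remember the nesting level and discard every buffer
// opened since then before the exception propagates.
function fetchSafe(callable $render): string
{
    $level = ob_get_level();
    ob_start();
    try {
        $render();
        return (string) ob_get_clean();
    } catch (Throwable $e) {
        while (ob_get_level() > $level) {
            ob_end_clean();
        }
        throw $e;
    }
}

$link = 'https://shop.example/reset?token=CONSTRUCTED-PLACEHOLDER'; // constructed sample value

try {
    fetchSafe(fn () => renderPlainMail($link));
} catch (RuntimeException $e) {
    // The partial mail body was discarded; only the error is recorded.
    error_log('mail rendering failed: ' . $e->getMessage());
}
```

Replacing `fetchSafe` with `fetchUnsafe` in the final call makes the line containing the reset link appear in the script's output once the request ends, which is the disclosure the report describes.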