View Issue Details

ID: 0007743
Project: OXID eShop (all versions)
Category: 4.04. Security
View Status: public
Last Update: 2026-06-18 14:50
Reporter: michael_keiluweit
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 6.5.4
Fixed in Version: 6.5.5
Summary: 0007743: In case a syntax error happens while Smarty renders a plain HTML template, the already fetched output gets echoed.
Description: Behind the scenes the output is buffered (ob_start), but if an exception is thrown, the output gets flushed (https://www.php.net/manual/en/outcontrol.output-handlers.php) and displays the content. In the case of the password forgot plain HTML, it displays the link to change the password. This allows an attacker to change the password of any account without a notice.

It’s necessary to have an error inside the CMS page oxupdatepassinfoplainemail to be able to abuse the password forgot functionality.

Since every plain HTML template is buffered, this issue affects any plain HTML template.

Additional Information: Only reproducible with Smarty (reproduced in CE & EE 7.0 and 6.5) and happens with any WYSIWYG editor (Administration area > Customer Info > CMS Pages).

Hotfix (6.2 - 7.0): https://github.com/OXID-eSales/hotfix-module-7743
Tags: Security, Smarty
Theme: All
Browser: Not defined
PHP Version: Not defined
Database Version: Not defined
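
The buffering behaviour described in this report, reduced to plain PHP as an added example (not code from OXID eShop, the Smarty component or the hotfix module). The function names, the template stand-in and the placeholder URL are assumptions made for illustration; the outer buffer stands in for the HTTP response.

```php
<?php
// Constructed stand-in for a failing plain-text mail template (placeholder URL).
function brokenTemplate(): void
{
    echo "Reset link: https://shop.example/reset?token=PLACEHOLDER\n";
    throw new RuntimeException('constructed template error');
}

// Leaky: if the template throws, the buffer stays open and is flushed later.
function renderLeaky(callable $template): string
{
    ob_start();
    $template();
    return (string) ob_get_clean();
}

// Hardened: discard everything buffered since entry, then rethrow.
function renderSafe(callable $template): string
{
    $level = ob_get_level();
    ob_start();
    try {
        $template();
        return (string) ob_get_clean();
    } catch (Throwable $e) {
        while (ob_get_level() > $level) {
            ob_end_clean();
        }
        throw $e;
    }
}

// Returns what would have reached the response body for a given renderer.
function responseBodyAfter(callable $render): string
{
    ob_start();                  // stands in for the response stream
    $responseLevel = ob_get_level();
    try {
        $render('brokenTemplate');
    } catch (Throwable $e) {
        // handled upstream; the buffer is left as the renderer left it
    }
    while (ob_get_level() > $responseLevel) {
        ob_end_flush();          // what PHP does with open buffers at exit
    }
    return (string) ob_get_clean();
}
var_dump(strpos(responseBodyAfter('renderLeaky'), 'token=') !== false);
var_dump(strpos(responseBodyAfter('renderSafe'), 'token=') !== false);
```

Run with the PHP CLI: the first line reports whether the partial output reached the response body with the leaky renderer, the second with the hardened one.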

Activities

SvenBrunk (administrator), 2026-06-18 14:34, ~0018548, last edited: 2026-06-18 14:50


This issue can be resolved by installing the hotfix or, if you are still on OXID eShop v6, by updating the compilation to version 6.5.5 or later, or, if you are on OXID eShop v7 with Smarty, by updating the smarty component in compilation version 7.0.x to version v1.0.1.
The compilation v7 without Smarty is not affected.
(See https://github.com/OXID-eSales/smarty-component/blob/v1.0.1/CHANGELOG.md)
Since this component was never shipped with the OXID eShop compilation v7, we cannot fix this there by releasing a new version of the compilation.