---------------------------------------------
OXID eShop Enterprise Edition
- Session Fixation Vulnerability
- Stored Cross Site Scripting Vulnerability

Date: 30.03.2010
---------------------------------------------

- Description

OXID eShop EE is a widespread and popular CMS for online shops. The current release (4.2.0) has been found vulnerable to a session fixation and an XSS attack.

- Session Fixation

Passing the parameter sid via URL allows an attacker to fixate the session ID to a given value. By fooling legitimate users into following the attacker-provided URL with the fixated session ID, the attacker would be able to take over the user's session.

Example: http://vulnerable.system.com/index.php?sid=12345

- XSS

A stored XSS vulnerability exists in the recommendation list (account_recommlist.php) in the fields recomm_title, recomm_author and recomm_desc. No further example will be given.

- Solution

Update to version 4.3.0

- Credits

The vulnerabilities were discovered by Michael Mueller from Integralis
michael#dot#mueller#at#integralis#dot#com

- Timeline

23.03.2010 - Vulnerabilities discovered
23.03.2010 - Vendor contacted
23.03.2010 - Initial vendor response
25.03.2010 - Vendor response with ACK and fix date
30.03.2010 - Public disclosure

- Reference

Vendor Security Information
http://wiki.oxidforge.org/Category:Security_bulletins

Vendor Homepage
http://www.oxid-esales.com/
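The session fixation section above describes the server adopting whatever value arrives in the sid URL parameter. The following is an added example, not OXID code and not the vendor's fix, showing the two defensive properties that close that vector (only server-issued IDs are honoured, and the ID is regenerated at login) together with a check that flags sid-in-URL requests in access-log lines. The SessionStore class, the log format and the sample log lines are assumptions constructed for the example.

```python
import re
import secrets
from urllib.parse import parse_qs, urlsplit

class SessionStore:
    """Server-issued sessions only: an id the server never issued (such as the
    attacker's ?sid=12345) is discarded instead of adopted as the session."""
    def __init__(self):
        self._sessions = {}  # sid -> {"user": ...}

    def issue(self):
        sid = secrets.token_hex(16)  # unguessable, chosen by the server
        self._sessions[sid] = {"user": None}
        return sid

    def resolve(self, client_sid):
        """Session id to use for a request; unknown/forged ids get a fresh one."""
        return client_sid if client_sid in self._sessions else self.issue()

    def login(self, sid, user):
        """Regenerate the id on authentication, so any pre-login id (even one a
        victim reached via an attacker's link) never names the logged-in session."""
        data = self._sessions.pop(sid)
        data["user"] = user
        new_sid = self.issue()
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        return self._sessions.get(sid, {}).get("user")

LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
def sid_in_url_requests(log_lines):
    """Flag access-log requests whose query string carries sid=..., the
    fixation vector in the advisory; returns (path, sid) pairs."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        qs = parse_qs(url.query)
        if "sid" in qs:
            hits.append((url.path, qs["sid"][0]))
    return hits

SAMPLE_LOG = [  # constructed lines, not from the advisory
    '203.0.113.5 - - [30/Mar/2010:10:00:00 +0000] "GET /index.php?sid=12345 HTTP/1.1" 200 512',
    '203.0.113.6 - - [30/Mar/2010:10:00:01 +0000] "GET /index.php?cl=start HTTP/1.1" 200 512',
]
```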