RIPS Tech credited with discovering RCE flaw

A critical vulnerability in the OXID eShop software creates a means for unauthenticated attackers to takeover an eShop remotely.

A second serious flaw in OXID eShop’s administration panel might thereafter be used to run a Remote Code Execution (RCE) attack on servers, security researchers at web application security testing firm RIPS Technologies warn.

RIPS Tech reported the flaw to OXID, which resolved the bug by developing a new version of the software, freeing up the researchers to go public with their findings on Tuesday.

OXID eShop commence software is used by a variety of high-profile firms including Mercedes, BitBurger, and Edeka.

According to RIPS Tech, the flaws are said to affect systems running OXID eShop version 6.3.4 in default configurations.

In an advisory, OXID acknowledged the administration panel vulnerability (CVE-2019-13026; CVSS Score 7.5).

“With a specially crafted URL, an attacker would be able to gain full access to the administration panel,” it explains.

It credited RIPS Tech with discovering the flaw, but said that Rips Tech had incorrectly identified the version of affected software. 

All OXID eShop versions 6 have been affected, it told The Daily Swig – 6.0.5 and 6.1.4 have since been fixed.

RIPS Tech said that assurance that the flaw might be difficult to exploit could be mistaken.

“We have a fully working Python2.7 exploit which can compromise the OXID eShops directly which requires only the URL as an argument,” a RIPS Tech spokesman told The Daily Swig.

“This means an attacker can remotely execute code on the underlying server, install his own malicious plugin to steal credit cards, PayPal account information and any other highly sensitive financial information which passes through the shop system.”

“Only a potentially missing root exploit in his tool box prevents an adversary [from] completely own[ing] the system,” he added.