CVE-2018-20715 and the truth about it
On January 15th 2019, the security issue CVE-2018-20715 was entered into the database of NVD and naturally has been wide-spread through the security scene via Twitter and other social media. In this blog post I’ll try to explain why this announcement is close to utter bollocks.
- The security issue is related to software, not to a company. The company’s name is OXID eSales while the software this vendor produces is named OXID eShop. In this manner, there can’t be a vulnerability in OXID eSales. However, OXID eShop is obviously meant.
- The security issue was apparently announced by https://www.ripstech.com whom we formerly were in contact with. On the one hand – their automated code-sniffing service is superior. On the other hand their service is not bound to any human or rationally based assessment, and this way only can be assessed as ‘code based’, which might sometimes not be the entire thruth, might it?
- However, ripstech apparently felt free to undisclose a possible security issue without our consent. Usually, security issues would be handled along our guidelines which might be found at https://oxidforge.org/en/security.
- The security issue reported to the NVD by ripstech on a sole code base in reality is related to the administration panel of OXID eShop, meaning that – if you want to SQL inject some forms – you first have to gain administration access to the shop CMS. However, we strongly advise to secure your OXID admin panel (as well as any other CMS admin panels) with an own .htaccess. In case a possible attacker gained access to the administration panel of OXID eShop, it would be easier for him to use other functionalities like changing the prices for product items, upload porn pic or even flush the entire database instead of provoking an SQL injection exploit if he wants to do any harm.
I reckon you get the point. Stay careful when dealing with “security observers” 😉