OXID eShop SQL Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A SQL injection vulnerability has been identified in OXID eShop versions 6.x prior to 6.3.4. The vulnerability resides in the 'sorting' parameter, which can be manipulated to inject malicious PHP code into the database. Exploitation of this vulnerability allows for arbitrary code execution on the server via crafted URLs.

Impact

Exploitation of this vulnerability allows for arbitrary SQL execution, which can be used to inject PHP code into the database. Once the code is executed, it can lead to remote code execution on the server.

Reproduction

To reproduce this vulnerability, open any product item on a vulnerable OXID eShop installation. Once on the product detail page, append a 'sorting' parameter to the URL. This parameter can be crafted to carry SQL injection payloads that insert PHP code into the database. After the code has been injected, it is executed by requesting a specific URL, such as one that loads the OXID eShop content controller with a custom load ID.

Remediation

Users are advised to update to OXID eShop version 6.3.4 or later, where this vulnerability has been fixed.
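The root cause described above is a request parameter reaching SQL unvalidated. The following is an added example, not OXID eShop code: it contrasts the vulnerable concatenation pattern with an allowlist-based sort handler, and reuses that allowlist to flag requests to a product page whose 'sorting' value is not a permitted column. The column names, the `column|direction` value format, the `cl=details` controller name and the log lines are all assumptions constructed for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist; a real shop would derive this from its own sortable fields.
ALLOWED_COLUMNS = {"oxtitle", "oxprice", "oxartnum"}
ALLOWED_DIRECTIONS = {"asc", "desc"}


def build_order_by_vulnerable(sorting: str) -> str:
    """Anti-pattern: the raw parameter is interpolated into the ORDER BY clause."""
    column, _, direction = sorting.partition("|")
    return f"ORDER BY {column} {direction}"


def build_order_by_hardened(sorting: str) -> Optional[str]:
    """Map the parameter onto an allowlist; anything not on it is rejected, never interpolated."""
    column, _, direction = sorting.partition("|")
    column = column.strip().lower()
    direction = direction.strip().lower() or "asc"
    if column not in ALLOWED_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        return None
    return f"ORDER BY `{column}` {direction.upper()}"


REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+)')


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, sorting_value) for each request whose sorting value fails the allowlist."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query)
        for value in query.get("sorting", []):
            if build_order_by_hardened(value) is None:
                hits.append((line.split(" ", 1)[0], value))
    return hits


# Constructed access-log lines (assumed combined log format, assumed cl=details controller).
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Feb/2026:22:55:01 +0000] "GET /index.php?cl=details&anid=abc123&sorting=oxprice%7Casc HTTP/1.1" 200 5120',
    '203.0.113.9 - - [03/Feb/2026:22:55:07 +0000] "GET /index.php?cl=details&anid=abc123&sorting=oxprice%27 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, value in scan_log(SAMPLE_LOG):
        print(f"rejected sorting value from {ip}: {value!r}")
```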

Added: Feb 3, 2026, 10:55 PM
Updated: Feb 3, 2026, 10:55 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 7.5
exploitability: 9.7
remediation: 7.7
relevance: 2.7
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.