OXID eShop User Information Disclosure Vulnerability via Smarty Syntax Error
Vulnerability
A vulnerability exists in OXID eShop versions prior to 7, where CMS pages rendered with Smarty can unintentionally reveal user information. It occurs when a CMS page contains a Smarty syntax error, particularly in plain HTML templates. When the error arises, the output buffer is flushed, so the partially rendered content is exposed in the response rather than discarded. For instance, the 'password forgot' page can display the link used to reset a password, potentially allowing an attacker to change the password of any account without the owner being notified.
Impact
Exploitation of this vulnerability allows unauthorized password resets for any account whose email address is known, enabling an attacker to take over user accounts.
Reproduction
To reproduce this vulnerability, log into the OXID eShop admin panel and navigate to the 'oxupdatepassinfoplainemail' CMS page. Introduce a syntax error in the Smarty code by altering a variable reference. After saving the change, access the 'password forgotten' page, enter an existing email address, and submit the form. The link to reset the password will be displayed. Use this link to change the password and log in with the new credentials.
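The buffer-handling mistake behind this class of bug, and the defensive fix, as an added PHP example that is not OXID eShop or Smarty code: a hypothetical stand-in renderer (`renderTemplate`) echoes as it goes and throws on an unterminated tag; `buildMailBodyUnsafe` leaves the output buffer open when rendering fails, so PHP would flush the half-rendered mail body, reset link included, into the client response at the end of the request, while `buildMailBodySafe` discards everything it buffered in a `finally` block. The template text, variable names, function names and the reset URL are all constructed for the example.

```php
<?php
// Added example, not OXID eShop or Smarty code: a minimal stand-in renderer
// and the two ways of wrapping it in an output buffer, to show why an
// unhandled template error leaks the half-rendered mail body to the client.

final class TemplateSyntaxError extends RuntimeException {}

/**
 * Hypothetical renderer: replaces {$name} placeholders and echoes output as
 * it goes, throwing when it meets a tag that is never closed. Real Smarty
 * compiles first, but the point is the same: by the time the error fires,
 * already-rendered text (here, the reset link) is sitting in the buffer.
 */
function renderTemplate(string $template, array $vars): void
{
    $offset = 0;
    while (($start = strpos($template, '{$', $offset)) !== false) {
        echo substr($template, $offset, $start - $offset);
        $end = strpos($template, '}', $start);
        if ($end === false) {
            throw new TemplateSyntaxError('unterminated tag at offset ' . $start);
        }
        $name = substr($template, $start + 2, $end - $start - 2);
        echo $vars[$name] ?? '';
        $offset = $end + 1;
    }
    echo substr($template, $offset);
}

/**
 * Vulnerable pattern: the buffer opened by ob_start() is only closed on the
 * success path. If rendering throws, the buffer stays open and PHP flushes
 * it into the HTTP response when the request ends.
 */
function buildMailBodyUnsafe(string $template, array $vars): ?string
{
    ob_start();
    try {
        renderTemplate($template, $vars);
        return ob_get_clean();
    } catch (TemplateSyntaxError $e) {
        error_log($e->getMessage());
        return null; // buffer still open: the partial render will be flushed
    }
}

/**
 * Hardened pattern: whatever happens, every buffer level this function
 * opened is discarded before returning, so a failed render emits nothing.
 */
function buildMailBodySafe(string $template, array $vars): ?string
{
    $level = ob_get_level();
    ob_start();
    try {
        renderTemplate($template, $vars);
        return ob_get_clean();
    } catch (TemplateSyntaxError $e) {
        error_log($e->getMessage());
        return null;
    } finally {
        while (ob_get_level() > $level) {
            ob_end_clean();
        }
    }
}

// Constructed sample: a reset link as an email template would carry it, and
// a template whose last tag is left unterminated (the syntax error case).
$vars = ['link' => 'https://shop.example/forgotpwd?uid=CONSTRUCTED-TOKEN'];
$broken = 'Reset your password here: {$link}' . "\n" . 'Regards, {$shop';

foreach (['buildMailBodyUnsafe', 'buildMailBodySafe'] as $fn) {
    $level = ob_get_level();
    $fn($broken, $vars);
    // Anything still buffered above our level is what the client would see.
    $pending = ob_get_level() > $level ? ob_get_clean() : '';
    echo $fn, ': ', $pending === '' ? 'nothing buffered'
        : 'buffer holds ' . json_encode($pending, JSON_UNESCAPED_SLASHES), "\n";
}
```

Run with `php example.php`: the unsafe variant reports the buffered text containing the constructed reset link, the safe variant reports nothing buffered. The detection angle is the same check the demo performs: after any code path that opens an output buffer around template rendering, `ob_get_level()` must be back to its starting value before control returns to the request handler.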