OXID-eSales/security-hotfix-paypal-onlogin

OSC PayPal — Security Hotfix (User::onLogin Auth Bypass)

Permanent drop-in security fix for the authentication bypass in the OSC PayPal module's User::onLogin override (advisory GHSA-7rp4-9wjf-97cx, bug 0007936).

Who this is for: shops that cannot move to a patched PayPal module release (>= 1.4.0 / 2.9.0 / 3.8.0) and must remain on an older, unpatched version (e.g. 2.7.x) for compatibility or operational reasons. This module closes the bypass without changing the PayPal module itself, and is meant to stay installed for as long as the shop runs an unpatched PayPal version.

If you can upgrade the PayPal module to a patched release, do that instead — this module then becomes redundant (harmless) and can be removed.

Compatibility

  • OXID eShop 6.1
  • OXID eShop 6.5
  • OXID eShop 7.x

One module source works in all three. There is no version-specific build.

What it does (and the trade-off)

The hotfix re-overrides User::onLogin and dispatches directly to the eShop core implementation via reflection, so the standard shop login always enforces the core password check. The vulnerable PayPal override is never executed for that call.

Trade-off (permanent while this module is active): the PayPal Express convenience login — signing in to the shop via a PayPal email match without entering a shop password — is disabled. For shops on an unpatched version this is the intended, accepted trade-off: security over that one convenience feature.

⚠ Critical: class-chain activation order

The fix only works if this hotfix sits behind (after) the PayPal module in the module extension chain:

Core\User  ←  PayPal\User  ←  Hotfix\User      (this hotfix is the outermost link)
  • Activate the PayPal module first, then this hotfix second.
  • Hotfix\User::onLogin is then the outermost link, runs first, and jumps straight to Core\User::onLogin via reflection — the PayPal override is skipped and the password check is enforced. (The hotfix deliberately does not call parent::onLogin(), which would resolve back to the vulnerable PayPal override.)
  • If the order is reversed (PayPal outermost), the PayPal override runs first and the bypass stays open. The order is not optional.
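
The chain and the reflection jump, as an added example that is not the hotfix module's own source: a minimal PHP model of Core\User, a deliberately vulnerable PayPal\User override (reproducing only the behaviour described above, not the PayPal module's real code), and a Hotfix\User that invokes Core\User::onLogin directly. The class names, the static "session" flags and the credential store are invented for this example; a real OXID chain is assembled from each module's metadata.php and the aModules configuration, not from explicit extends clauses. Calling the unpatched PayPal\User directly stands in for the reversed chain order, where the PayPal override is outermost.

```php
<?php
// Added example (not the hotfix module's code): model of the module extension
// chain for User::onLogin and of the reflection jump the hotfix relies on.
declare(strict_types=1);

namespace Core {
    // Stand-in for the eShop core User model: owns the real password check.
    class User
    {
        // Hypothetical credential store: email => password_hash().
        private static array $credentials = [];

        public static function seed(string $email, string $password): void
        {
            self::$credentials[$email] = password_hash($password, PASSWORD_DEFAULT);
        }

        public function onLogin(string $email, string $password): bool
        {
            $hash = self::$credentials[$email] ?? null;
            return $hash !== null && password_verify($password, $hash);
        }
    }
}

namespace PayPal {
    // Model of the vulnerable override: with a PayPal Express order session
    // primed and a matching e-mail, the core password check is skipped.
    // Deliberately vulnerable, and NOT the PayPal module's actual source.
    class User extends \Core\User
    {
        public static bool $expressSessionPrimed = false; // simplified session state
        public static ?string $expressEmail = null;

        public function onLogin(string $email, string $password): bool
        {
            if (self::$expressSessionPrimed && self::$expressEmail === $email) {
                return true; // e-mail match is enough here: no password check at all
            }
            return parent::onLogin($email, $password);
        }
    }
}

namespace Hotfix {
    // Model of the hotfix: the outermost link jumps straight to the core method.
    class User extends \PayPal\User
    {
        public function onLogin(string $email, string $password): bool
        {
            // Not parent::onLogin(): that would resolve to PayPal\User::onLogin.
            // ReflectionMethod::invoke runs the exact method body declared on
            // Core\User, so every override between the two classes is skipped.
            $core = new \ReflectionMethod(\Core\User::class, 'onLogin');
            return $core->invoke($this, $email, $password);
        }
    }
}

namespace {
    \Core\User::seed('victim@example.com', 'correct horse battery staple');

    // Attacker primes an Express session for the victim's e-mail, then submits
    // the standard login form with that e-mail and an empty password.
    \PayPal\User::$expressSessionPrimed = true;
    \PayPal\User::$expressEmail = 'victim@example.com';

    $unpatched = new \PayPal\User(); // PayPal override outermost: no hotfix / wrong order
    $patched   = new \Hotfix\User(); // hotfix outermost: correct order

    $verdict = static fn (bool $ok): string => $ok ? 'LOGIN ACCEPTED' : 'rejected';
    printf("unpatched, empty password : %s\n", $verdict($unpatched->onLogin('victim@example.com', '')));
    printf("hotfixed, empty password  : %s\n", $verdict($patched->onLogin('victim@example.com', '')));
    printf("hotfixed, real password   : %s\n",
        $verdict($patched->onLogin('victim@example.com', 'correct horse battery staple')));
}
```

Run it with any PHP 7.4+ CLI. The second line is the check described under "Verifying the fix": an empty password must be rejected once the hotfix is the outermost link, while legitimate logins with the shop password keep working.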

How to verify / set the order:

  • OXID 6.1 / 6.5: the chain order follows activation order. Activate PayPal first, this hotfix second. Verify under Master Settings → Core Settings → System → Modules (or in the DB oxconfig, parameter aModules); for Application\Model\User the hotfix class must appear after the PayPal class.
  • OXID 7.x: the order is part of the module configuration. After installing, ensure the hotfix is ordered after the PayPal module and apply the configuration (oe-console oe:module:apply-configuration). Verify the resulting chain for User.
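
An added helper for the OXID 6.x check above (not part of the hotfix module): it takes an aModules array as stored by the shop, where each shop class maps to an ampersand-separated chain whose leftmost entry is closest to the core and whose rightmost entry is outermost, and reports whether the hotfix sits after the PayPal class for the User model. The two module class names are placeholders and must be replaced with the names your PayPal module and the hotfix register in their metadata.php; reading the live array via \OxidEsales\Eshop\Core\Registry::getConfig()->getConfigParam('aModules') is an assumption about the shop API, so the example feeds constructed arrays instead.

```php
<?php
// Added example (not part of the hotfix module): order check for the
// User extension chain in an OXID 6.x aModules array.
declare(strict_types=1);

const SHOP_USER_CLASS = 'OxidEsales\Eshop\Application\Model\User';

/**
 * True only when $hotfixClass is chained for the shop User class AND sits
 * after (further out than) $paypalClass. Entries are separated by '&';
 * the rightmost entry is the outermost link that runs first.
 */
function hotfixIsOutermost(array $aModules, string $paypalClass, string $hotfixClass): bool
{
    $chain = $aModules[SHOP_USER_CLASS] ?? '';
    $links = array_values(array_filter(array_map('trim', explode('&', $chain)), 'strlen'));

    $paypalPos = array_search($paypalClass, $links, true);
    $hotfixPos = array_search($hotfixClass, $links, true);

    if ($hotfixPos === false) {
        return false; // hotfix not chained at all: onLogin is unprotected
    }
    if ($paypalPos === false) {
        return true;  // no PayPal User override in the chain: nothing to skip
    }
    return $hotfixPos > $paypalPos;
}

// Constructed sample values with placeholder class names.
$paypal = 'OxidSolutionCatalysts\PayPal\Model\User';
$hotfix = 'OxidEsales\SecurityHotfixPayPalOnLogin\Model\User';

$samples = [
    'correct order'  => [SHOP_USER_CLASS => "$paypal&$hotfix"],
    'reversed order' => [SHOP_USER_CLASS => "$hotfix&$paypal"],
    'hotfix missing' => [SHOP_USER_CLASS => $paypal],
];

foreach ($samples as $label => $aModules) {
    printf("%-15s -> %s\n", $label,
        hotfixIsOutermost($aModules, $paypal, $hotfix) ? 'fix active' : 'BYPASS OPEN');
}
```

Only the first sample reports the fix as active; a reversed chain, or a chain without the hotfix at all, leaves the PayPal override running first.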

Installation

Delivered as a self-contained module and wired in via a Composer path repository. Do not copy it directly into source/modules/ — Composer would not register the PSR-4 autoloader. The workflow is identical for OXID 6.1, 6.5 and 7.

  1. Place the module directory outside the shop installation, e.g.:

    /var/www/myshop/                              ← shop root (composer.json)
    /var/www/security-hotfix-paypal-onlogin/
        composer.json
        metadata.php
        src/Model/User.php
    
  2. Register it as a path repository and require it (from the shop project root):

    composer config repositories.security-hotfix-paypal-onlogin \
        '{"type": "path", "url": "../security-hotfix-paypal-onlogin", "options": {"symlink": false}}'
    
    composer require oxid-esales/security-hotfix-paypal-onlogin:^2.0
    

    Adjust url to the real path. "symlink": false makes Composer copy the files (recommended for production). The oxid-esales/oxideshop-composer-plugin (part of every OXID shop) detects "type": "oxideshop-module" and installs it into the module directory automatically.

  3. In the shop admin under Extensions → Modules, activate "OSC PayPal — Security Hotfix (User::onLogin)".

  4. Ensure the class-chain order from the section above — PayPal module first, this hotfix second. This is the step that makes or breaks the fix.

  5. Clear the shop cache (tmp/).

Verifying the fix

The bypass is closed when a login attempt with a victim's email and an empty password through the standard shop login form (with a PayPal Express order session primed) is rejected. With the wrong chain order it would succeed — use this as your order check.

Removal (only if you move to a patched PayPal release)

  1. Deactivate the hotfix in Extensions → Modules.
  2. From the shop project root:
    composer remove oxid-esales/security-hotfix-paypal-onlogin
    composer config --unset repositories.security-hotfix-paypal-onlogin
    
  3. Optional: delete the module directory.
  4. Clear the shop cache (tmp/).

Version history

See CHANGELOG.md. 1.0.0 was the temporary workaround shipped during the coordinated-disclosure phase and remains installable; 2.0.0 is the same mechanism re-scoped as a permanent, supported fix.
