View Issue Details

ID: 0001610
Project: OXID eShop (all versions)
Category: 3.1. Design, GUI, UX
View Status: public
Last Update: 2010-09-23 14:43
Reporter: dainius.bigelis
Priority: high
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 4.2.0 revision 23610
Target Version: (not set)
Fixed in Version: 4.4.3 revision 30016
Summary: 0001610: URL params with "sid" in name are interpreted as session ID and replaced with "sid=x" automatically
Description:
When such a link is inserted in the CMS:
http://?&bonusid=12312&

...in the received email it looked like this:
http://?&bonusid=x&shp=7&shp=7&shp=7&

It may be that the issue occurs because the param "bonusid" is interpreted as "sid" by the system, and the regexp then replaced it with "sid=x".
Please fix this issue so that params with "sid" in the name are not interpreted as session IDs.
Tags: No tags attached.
Theme: (not set)
Browser: All
PHP Version: any
MySQL Version: any

Relationships:
related to 0005091 (resolved, mantas.vaitkunas): Newsletter force_sid=x

Activities

dominik_ziegler (reporter), 2010-09-21 10:40, note ~0003533

When bonusid is read out as the session id, that could be a huge security hole in the software, as you can pass any session id URL variable. Could this be checked too?

alfonsas_cirtautas (reporter), 2010-09-23 00:39, note ~0003541

Checked: bonusid (or anywhateveritisid) is never interpreted as the session id (sid); the error is just in the sid value replacement part.

alfonsas_cirtautas (reporter), 2010-09-23 00:40, note ~0003542

Added needed regexp checks.
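The defect and the fix described in this issue, as an added illustration that is not OXID eShop code: the shop's actual pattern is not shown in the report, so the "buggy" regex below is an assumption that merely reproduces the reported behaviour (the tail of "bonusid=12312" matching as "sid=12312"), and the sample links are constructed. The example is written in Python for convenience; both patterns are plain PCRE and would behave the same way in preg_replace. A small audit helper lists which parameter names a given pattern would overwrite, which is the check a reviewer would want before shipping a replacement rule. It also shows that a strict boundary leaves names such as force_sid (from the related issue 0005091) untouched, so any other name that is meant to carry a session id has to be listed explicitly in the pattern.

```python
import re

# Constructed sample link in the shape of the one from the report (the report's
# own link has an empty host); bonusid is an ordinary parameter, sid is the session.
SAMPLE_URL = "http://shop.example/?&bonusid=12312&sid=abc123&shp=7"

# Assumed buggy pattern: "sid=" is matched anywhere in the string, so the last
# three characters of "bonusid=" (or "force_sid=") also match.
BUGGY_SID_RE = re.compile(r"sid=[^&]*")

# Boundary-checked pattern: "sid" must be the whole parameter name, i.e. it sits
# at the start of a bare query string or directly after "?" or "&".
FIXED_SID_RE = re.compile(r"(^|[?&])sid=[^&]*")


def replace_sid_buggy(url: str) -> str:
    """Reproduces the reported behaviour: every '...sid=' value becomes 'x'."""
    return BUGGY_SID_RE.sub("sid=x", url)


def replace_sid_fixed(url: str) -> str:
    """Replaces only the value of a parameter literally named 'sid'.

    The separator captured in group 1 is written back so the query string keeps
    its original delimiters.
    """
    return FIXED_SID_RE.sub(r"\1sid=x", url)


def rewritten_params(url: str, pattern: re.Pattern) -> list[str]:
    """Names of the query parameters whose value `pattern` would overwrite.

    Running this over real links is a cheap audit of a replacement rule: the
    result for a correct rule should be ['sid'] and nothing else.
    """
    query = url.split("?", 1)[1] if "?" in url else url
    names = []
    for pair in query.split("&"):
        if pair and pattern.search(pair):
            names.append(pair.split("=", 1)[0])
    return names


if __name__ == "__main__":
    for label, fn in (("buggy", replace_sid_buggy), ("fixed", replace_sid_fixed)):
        print(f"{label}: {fn(SAMPLE_URL)}")
    print("buggy rewrites:", rewritten_params(SAMPLE_URL, BUGGY_SID_RE))
    print("fixed rewrites:", rewritten_params(SAMPLE_URL, FIXED_SID_RE))
    # The related issue: a parameter named force_sid is left alone by the strict
    # pattern; if it is meant to carry a session id it must be named explicitly.
    print("force_sid, fixed:", replace_sid_fixed("http://shop.example/?force_sid=abc"))
```

The boundary is put on the separator rather than on a `\b` word boundary on purpose: `\b` would not help here, because "bonusid" contains no word boundary before "sid", while the "?"/"&" anchor reflects how query strings are actually delimited.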