View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update | 
|---|---|---|---|---|---|
| 0001610 | OXID eShop (all versions) | 3.1. Design, GUI, UX | public | 2010-01-19 15:55 | 2010-09-23 14:43 | 
| Field | Value |
|---|---|
| Reporter | dainius.bigelis |
| Assigned To | |
| Priority | high |
| Severity | minor |
| Reproducibility | always |
| Status | resolved |
| Resolution | fixed |
| Product Version | 4.2.0 revision 23610 |
| Fixed in Version | 4.4.3 revision 30016 |
| Summary | 0001610: URL params with "sid" in name are interpreted as session ID and replaced with "sid=x" automatically |
| Description | When such a link was inserted in the CMS: http://?&bonusid=12312& ... in the received email it looked like this: http://?&bonusid=x&shp=7&shp=7&shp=7& It may be that the issue occurs because the param "bonusid" is interpreted as "sid" by the system and the regexp here replaced it with "sid=x". Please fix this issue so that params with "sid" in the name are not interpreted as session IDs. |
| Tags | No tags attached. |
| Theme | |
| Browser | All |
| PHP Version | any |
| Database Version | any |

| Relationship | Issue | Status | Assigned To | Summary |
|---|---|---|---|---|
| related to | 0005091 | resolved | mantas.vaitkunas | Newsletter force_sid=x |
Notes

When bonusid is read out as the session id, that could be a huge security hole in the software, as you can pass any session id URL variable. Could this be checked too?

Checked: bonusid (or anywhateveritisid) is never interpreted as session id (sid); the error is just in the sid value replacement part.

Added the needed regexp checks.
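The snippet below is an added illustration and is not OXID eShop code. It contrasts a substring regex that rewrites every `sid=` it finds, which turns `bonusid=12312` into `bonusid=x` exactly as the report describes, with two fixes: a pattern anchored on the parameter boundary, and a query-parser rewrite that only touches the parameter literally named `sid`. Both fixes also leave `force_sid` (the parameter named in the related issue 0005091) alone, because its name is not `sid`. The host `shop.example`, the `cl=content` parameter and the values `abc123` and `zzz` in the sample link are constructed; the placeholder value `x` is the one shown in the report.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Placeholder the shop substitutes for the real session id in outgoing links
# (the report shows it as "sid=x").
PLACEHOLDER = "x"

# Naive pattern: "sid=" is matched wherever it occurs, so the tail of
# "bonusid=12312" is rewritten as well. This reproduces the reported bug.
NAIVE_SID_RE = re.compile(r"sid=[^&#]*")

# Anchored pattern: "sid" must be the whole parameter name, i.e. it has to be
# preceded by '?', '&' or the start of a bare query string.
ANCHORED_SID_RE = re.compile(r"(?:^|(?<=[?&]))sid=[^&#]*")


def replace_sid_naive(url: str) -> str:
    """Buggy variant: rewrites every 'sid=' substring, including 'bonusid='."""
    return NAIVE_SID_RE.sub(f"sid={PLACEHOLDER}", url)


def replace_sid_anchored(url: str) -> str:
    """Regex fix: only a parameter literally named 'sid' is rewritten."""
    return ANCHORED_SID_RE.sub(f"sid={PLACEHOLDER}", url)


def replace_sid_parsed(url: str) -> str:
    """Parser-based fix: rewrite by parameter key instead of by substring."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    rewritten = [(k, PLACEHOLDER if k == "sid" else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(rewritten)))


def affected_params(url: str) -> list:
    """Parameter names the naive rewrite clobbers although they are not 'sid'."""
    names = [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    return [n for n in names if n != "sid" and n.endswith("sid")]


# Constructed sample link, shaped like the CMS link in the report.
SAMPLE_URL = ("https://shop.example/index.php?cl=content"
              "&bonusid=12312&sid=abc123&force_sid=zzz")

if __name__ == "__main__":
    for fn in (replace_sid_naive, replace_sid_anchored, replace_sid_parsed):
        print(f"{fn.__name__:22s} {fn(SAMPLE_URL)}")
    print("clobbered by naive regex:", affected_params(SAMPLE_URL))
```

Running the block prints the naive result with `bonusid=x` and `force_sid=x`, and the two fixed results with only `sid=x` changed. The parser-based variant is the safer default in a shop because it does not depend on the query string's exact punctuation, whereas the anchored regex is the minimal change when the rewrite has to stay a single `preg_replace`-style substitution on template output.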