0001766: Article information readable from outside by using a specially crafted URL

ID	Project	Category	View Status	Date Submitted	Last Update

0001766	OXID eShop (all versions)	1.01. Products (product, categories, manufacturer, promotions etc.)	public	2010-04-13 16:11	2012-12-07 14:29

Reporter	dainius.bigelis	Assigned To
Priority	immediate	Severity	major	Reproducibility	always
Status	resolved	Resolution	fixed
Product Version	4.3.0 revision 26948
Fixed in Version	4.3.1 revision 27257

Summary	0001766: Article information readable from outside by using a specially crafted URL
Description	by using a function via a specially crafted URL in this form: http://[yourshop]/index.php?fnc=getArticle&oxid=221 it is pretty simple to read _all_ information concerning to one article. If you know all article's OXID's (which is pretty simple to find out with searching for "%" in shop) you might gather all relevant information.
Tags	Products

Theme
Browser	All
PHP Version	any
Database Version	any

tomas_liubinas 2010-04-16 17:17 reporter ~0002562 Last edited: 2010-04-16 17:17	This was not a bug, this was a feature. However due to security reasons we disabled it by default. If you want to enable it you shoud set $this->blAllowRemoteArticleInfo in config.inc.php file to true.