View Issue Details

IDProjectCategoryView StatusLast Update
0005809OXID eShop (all versions)4.04. Securitypublic2014-07-25 09:26
Reporterwebformatik 
PriorityurgentSeveritymajorReproducibilityalways
Status resolvedResolutionfixed 
Product Version4.8.6 / 5.1.6 
Target Version4.7.14 / 5.0.14Fixed in Version4.7.14 / 5.0.14 
Summary0005809: Session ID Disclosure
DescriptionThe frondend session id (force_sid) and even the admin backend session id are appended to external (!) links.
Steps To Reproduce- Log into demoshop admin
- Add an external link to actions -> banner 1, for example "http://foo.bar"
- Save action

Now the preview button next to the input field will have this link:

http://foo.bar/?force_admin_sid=913bc8bc2ae404430c9a3248e9fa2d5f&stoken=9B6F2E1B

The frondend banner will have this link:

http://foo.bar/?force_sid=dee3265cddefbde316aff5fb6e661a52

So session ids are passed to external websites!
TagsSession
ThemeAll
BrowserAll
PHP Version5.4
MySQL Versionany

Relationships

related to 0005905 resolvedvilma_liorensaityte Missing checks for SSL, mallshop and language-hosts 

Activities

aurimas.gladutis

2014-07-25 09:26

reporter   ~0010036

Changed the way oxUtilsUrl::processUrl() acts. Now it checks if it is current shop url and only then adds session and language parameters to the link.