View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0005809 | OXID eShop (all versions) | 4.04. Security | public | 2014-07-07 11:23 | 2014-07-25 09:26 |
| Reporter | webformatik | Assigned To | |||
| Priority | urgent | Severity | major | Reproducibility | always |
| Status | resolved | Resolution | fixed | ||
| Product Version | 4.8.6 / 5.1.6 | ||||
| Target Version | 4.7.14 / 5.0.14 | Fixed in Version | 4.7.14 / 5.0.14 | ||
| Summary | 0005809: Session ID Disclosure | ||||
| Description | The frontend session id (force_sid) and even the admin backend session id are appended to external (!) links. | ||||
| Steps To Reproduce | - Log into demoshop admin - Add an external link to actions -> banner 1, for example "http://foo.bar" - Save action. Now the preview button next to the input field will have this link: http://foo.bar/?force_admin_sid=913bc8bc2ae404430c9a3248e9fa2d5f&stoken=9B6F2E1B The frontend banner will have this link: http://foo.bar/?force_sid=dee3265cddefbde316aff5fb6e661a52 So session ids are passed to external websites! | ||||
| Tags | Session | ||||
| Theme | All | ||||
| Browser | All | ||||
| PHP Version | 5.4 | ||||
| Database Version | any | ||||
| related to | 0005905 | resolved | vilma_liorensaityte | Missing checks for SSL, mallshop and language-hosts |
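
The following is an added illustration of the kind of check the report is asking for; it is not OXID eShop code and does not reproduce the actual 4.7.14 / 5.0.14 fix. It appends session parameters (force_sid, force_admin_sid, stoken) only when the link target is relative or points at one of the shop's own hosts, so external banner and preview links like http://foo.bar/ are left untouched. The function names, the host list and the placeholder session value are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not OXID eShop code. Function names (isShopUrl,
// appendSessionParams), the host list and the sid value are assumptions
// chosen for illustration.

/**
 * Returns true when $url is a relative link or resolves to one of $shopHosts
 * (host, optionally with ":port"). Anything else is treated as external.
 */
function isShopUrl(string $url, array $shopHosts): bool
{
    $parts = parse_url($url);
    if ($parts === false) {
        return false;                       // unparsable: treat as external
    }
    if (!isset($parts['host'])) {
        // No host: relative links ("index.php?cl=start") stay inside the shop,
        // but scheme-only links ("mailto:", "javascript:") do not.
        return !isset($parts['scheme']);
    }
    // Protocol-relative links ("//foo.bar/...") reach here with a host and no
    // scheme; they are compared against the shop hosts like any other link.
    if (isset($parts['scheme'])
        && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower($parts['host']);
    if (isset($parts['port'])) {
        $host .= ':' . $parts['port'];
    }
    foreach ($shopHosts as $allowed) {
        if ($host === strtolower($allowed)) {
            return true;
        }
    }
    return false;
}

/**
 * Appends $params to $url only for shop-internal targets. External links are
 * returned unchanged so the session id never leaves the shop's hosts.
 */
function appendSessionParams(string $url, array $params, array $shopHosts): string
{
    if ($params === [] || !isShopUrl($url, $shopHosts)) {
        return $url;
    }
    // Keep a fragment (#anchor) at the end, after the appended query string.
    $fragment = '';
    $hashPos = strpos($url, '#');
    if ($hashPos !== false) {
        $fragment = substr($url, $hashPos);
        $url = substr($url, 0, $hashPos);
    }
    $separator = strpos($url, '?') === false ? '?' : '&';
    return $url . $separator . http_build_query($params) . $fragment;
}

// Constructed demonstration values; the sid is a placeholder, not a live session.
$shopHosts = ['demoshop.example', 'demoshop.example:8443'];
$sid = ['force_sid' => 'a1b2c3d4'];

echo appendSessionParams('http://foo.bar/', $sid, $shopHosts), PHP_EOL;
echo appendSessionParams('//foo.bar/landing', $sid, $shopHosts), PHP_EOL;
echo appendSessionParams('https://demoshop.example/index.php?cl=start', $sid, $shopHosts), PHP_EOL;
echo appendSessionParams('index.php?cl=account#top', $sid, $shopHosts), PHP_EOL;
```

Two caveats a reviewer would raise. First, the allowed host list has to cover every host the shop is legitimately reached on (SSL host, subshop and language hosts), which is exactly what the related report 0005905 is about; a check against the main shop URL alone will either leak to, or break links for, those hosts. Second, a session id carried in the URL is still exposed through the Referer header and browser history when the user follows any external link afterwards, so carrying it only in the cookie and using the URL parameter strictly as a fallback is the safer design regardless of this check.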