View Issue Details

ID: 0005833
Project: OXID eShop (all versions)
Category: 4.04. Security
View Status: public
Last Update: 2016-01-27 10:28
Reporter: hendrikfreytag
Assigned To:
Status: resolved
Resolution: fixed
Product Version: 4.8.7 / 5.1.7
Fixed in Version: 4.9.7 / 5.2.7
Summary: 0005833: It is possible to get Shop Version number when calling certain urls
Description: You should not be able to call getshopversion, getshopedition and getshoprevision of the controller start. This is done by a htaccess rule. But it is possible to go around that. In URLs you can replace a character by its hexadecimal ASCII value.

For example:

The htaccess rule will not recognize that, but the url will be called and you get the version.
Tags: No tags attached.
Attached Files
bug.png (89,287 bytes)   
PHP Version: Not defined
Database Version: Not defined



2015-10-05 13:55

reporter   ~0011239


It will redirect to

This will redirect to

You have to use something in the browser which can show you all redirects, because otherwise you won't see the first redirect. (e.g. in Chrome, hit F12 to use the developer tools)
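Added example, not part of the original report and not OXID's code: it shows why a filter that matches the raw query string disagrees with the application once a character is percent-encoded, and how decoding before the comparison closes that gap. The `cl`/`fnc` parameter names, the regex standing in for the htaccess rule, and the sample query strings are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Function names the report says must not be callable on the start controller.
BLOCKED = {"getshopversion", "getshopedition", "getshoprevision"}

# Hypothetical stand-in for a rule that pattern-matches the raw, still-encoded
# query string. This is NOT the shop's actual htaccess rule.
RAW_RULE = re.compile(r"fnc=(" + "|".join(sorted(BLOCKED)) + r")", re.IGNORECASE)


def raw_rule_blocks(query: str) -> bool:
    """Decide on the query string exactly as it arrived on the wire."""
    return RAW_RULE.search(query) is not None


def normalized_rule_blocks(query: str) -> bool:
    """Decode the query once, as the application will, then compare values."""
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl percent-decodes names and values; lower-casing the value
        # covers PHP's case-insensitive method names.
        if name == "fnc" and value.lower() in BLOCKED:
            return True
    return False


def compare(queries):
    """Return (query, raw_decision, normalized_decision) for each sample."""
    return [(q, raw_rule_blocks(q), normalized_rule_blocks(q)) for q in queries]


# Constructed sample query strings (parameter names cl/fnc are assumptions).
SAMPLES = [
    "cl=start&fnc=getshopversion",      # plain spelling
    "cl=start&fnc=getshopv%65rsion",    # one letter written as %65 ("e")
    "cl=start&lang=1",                  # unrelated request
]

if __name__ == "__main__":
    for query, raw, normalized in compare(SAMPLES):
        gap = "  <-- filter and application disagree" if raw != normalized else ""
        print(f"{query:35} raw={raw!s:5} normalized={normalized!s:5}{gap}")
```

Any access check placed in front of an application has to compare the same decoded value the application will act on; enforcing the restriction where the function is dispatched avoids the mismatch entirely.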