0005833: It is possible to get Shop Version number when calling certain urls

ID	Project	Category	View Status	Date Submitted	Last Update

0005833	OXID eShop (all versions)	4.04. Security	public	2014-07-23 14:42	2016-01-27 10:28

Reporter	hendrikfreytag	Assigned To
Priority	high	Severity	major	Reproducibility	always
Status	resolved	Resolution	fixed
Product Version	4.8.7 / 5.1.7
Fixed in Version	4.9.7 / 5.2.7

Summary	0005833: It is possible to get Shop Version number when calling certain urls
Description	You should not be able to call getshopversion, getshopedition and getshoprevision of the controller start. This is done by a htaccess rule. But it is possible to go around that. In URLs you can replace character by it's hexadecimal ascii value. For example: http://www.example.com/index.php?cl=start&fnc=%67etshopversion The htaccess rule will not recognize that, but the url will be called and you get the version.
Tags	No tags attached.
Attached Files	bug.png (89,287 bytes) bug.png (89,287 bytes)

Theme	Azure
Browser	All
PHP Version	Not defined
Database Version	Not defined

hendrikfreytag 2015-10-05 13:55 reporter ~0011239	Call http://demoshop.oxid-esales.com/professional-edition/?fnc=%67etshopversion It will redirect to http://demoshop.oxid-esales.com/professional-edition/index.php?cl=4.9.5 This will redirect to http://demoshop.oxid-esales.com/professional-edition/index.php?cl=start&redirected=1 You have to use something in the browser which can show you all redirects, because otherwise you won't see the first redirect. (e.g. in chrome hit F12 to use the developer tools)