View Issue Details

IDProjectCategoryView StatusLast Update
0005905OXID eShop (all versions)2. ----- eShop backend (admin) -----public2015-06-29 11:55
ReporterMitmacher 
PriorityurgentSeveritycriticalReproducibilityalways
Status resolvedResolutionfixed 
Product Version4.9.0 / 5.2.0 
Target Version4.8.9 / 5.1.9Fixed in Version4.9.2 / 5.2.2 
Summary0005905: Missing checks for SSL, mallshop and language-hosts
DescriptionRecently "processUrl()" was changed according to https://bugs.oxid-esales.com/view.php?id=5809. But this only works if the shop is running on a single distinct domain. If you are using some different domains in addition like SSL-Proxies in config vars sSSLShopURL or sAdminSSLURL, than all internal links will lack of parameters force_sid + token. So you cannot login anymore and the shop gets unusable at all.
Steps To Reproduce1. setup demo shop about a provider which offers SSL proxies (profihost, 1&1, ?)
2. set $this->sAdminSSLURL to a common used SSL proxy like:
   https://ssl.secure-online-shopping.de/shopname/admin
3. try to login (endless loop)
Additional InformationThe problem maybe "function isCurrentShopHost($sUrl)" inside oxutilsurl.php which checks if the current URL exists in array _aHosts. But since OXID 4.9 this array is always empty and as an alternative the URL is only checked against sShopURL. A solution might be to re-migrate the code from OXID 4.8 to 4.9, especially both functions _getHosts() and _addHost(). I have created a small hotfix-module to handle this issue, see: http://forum.oxid-esales.com/showthread.php?t=25001

It is quite strange that this code exists in OXID 4.8, because it seems to be correct but was never used inside the whole framework. Now that it is getting usefull and important, it has been deleted for some reason.
TagsHTTPS
ThemeAll
BrowserAll
PHP VersionNot defined
MySQL VersionNot defined

Relationships

related to 0005809 resolvedaurimas.gladutis Session ID Disclosure 

Activities

Mitmacher

2014-10-03 13:44

reporter  

wn_fixbeloginssl-1.0.2.zip (4,467 bytes)

arturas.sevcenko

2014-10-31 16:49

reporter   ~0010301

Hi,

Sorry we were unable to reproduce this issue, after setting up similar environment like you explained in the bug entry description.

Please check your apache and SSL configuration and make sure they are correctly configured.

arturas.sevcenko

2014-11-03 10:22

reporter   ~0010303

reproduced on 4.9.0 CE

Mitmacher

2014-11-03 11:25

reporter   ~0010304

Thanks for reopening! I also want to mention, that this bug was recently ported back to older OXID versions 4.7.14 + 4.8.8 in a similar way. So I'm afraid they also have to be fixed again to solve this issue.

vilma_liorensaityte

2014-11-13 08:36

administrator   ~0010327

Thank's for Wendnet for the pull request:
https://github.com/OXID-eSales/oxideshop_ce/pull/176

martinwegele

2015-06-29 11:11

reporter   ~0011065

Last edited: 2015-06-29 11:29

View 2 revisions

fixed in 5.2.2