View Issue Details

IDProjectCategoryView StatusLast Update
0005905OXID eShop (all versions)2. ----- eShop backend (admin) -----public2024-01-17 13:55
ReporterMitmacher Assigned To 
Status resolvedResolutionfixed 
Product Version4.9.0 / 5.2.0 
Target Version4.8.9 / 5.1.9Fixed in Version4.9.2 / 5.2.2 
Summary0005905: Missing checks for SSL, mallshop and language-hosts
DescriptionRecently "processUrl()" was changed according to But this only works if the shop is running on a single distinct domain. If you are using some different domains in addition like SSL-Proxies in config vars sSSLShopURL or sAdminSSLURL, than all internal links will lack of parameters force_sid + token. So you cannot login anymore and the shop gets unusable at all.
Steps To Reproduce1. setup demo shop about a provider which offers SSL proxies (profihost, 1&1, ?)
2. set $this->sAdminSSLURL to a common used SSL proxy like:
3. try to login (endless loop)
Additional InformationThe problem maybe "function isCurrentShopHost($sUrl)" inside oxutilsurl.php which checks if the current URL exists in array _aHosts. But since OXID 4.9 this array is always empty and as an alternative the URL is only checked against sShopURL. A solution might be to re-migrate the code from OXID 4.8 to 4.9, especially both functions _getHosts() and _addHost(). I have created a small hotfix-module to handle this issue, see:

It is quite strange that this code exists in OXID 4.8, because it seems to be correct but was never used inside the whole framework. Now that it is getting usefull and important, it has been deleted for some reason.
Attached Files
PHP VersionNot defined
Database VersionNot defined


related to 0005809 resolvedaurimas.gladutis Session ID Disclosure 
related to 0006065 resolvedflorian.auer Method excepts a String as first argument, but gets an array. 



2014-10-31 16:49

reporter   ~0010301


Sorry we were unable to reproduce this issue, after setting up similar environment like you explained in the bug entry description.

Please check your apache and SSL configuration and make sure they are correctly configured.


2014-11-03 10:22

reporter   ~0010303

reproduced on 4.9.0 CE


2014-11-03 11:25

reporter   ~0010304

Thanks for reopening! I also want to mention, that this bug was recently ported back to older OXID versions 4.7.14 + 4.8.8 in a similar way. So I'm afraid they also have to be fixed again to solve this issue.


2014-11-13 08:36

reporter   ~0010327

Thank's for Wendnet for the pull request:


2015-06-29 11:11

reporter   ~0011065

Last edited: 2015-06-29 11:29

fixed in 5.2.2