View Issue Details
| Field | Value |
|---|---|
| ID | 0007038 |
| Project | OXID eShop (all versions) |
| Category | 1.01. Products (product, categories, manufacturer, promotions etc.) |
| View Status | public |
| Date Submitted | 2019-10-01 22:11 |
| Last Update | 2024-06-26 11:12 |
| Reporter | mario_lorenz |
| Assigned To | |
| Priority | normal |
| Severity | tweak |
| Reproducibility | always |
| Status | confirmed |
| Resolution | open |
| Product Version | 6.1.4 |
| Summary | 0007038: manipulable GET request parameter executes wrong dynamic method call |

Description

The `OxidEsales\EshopCommunity\Application\Controller\FrontendController->getListType()` returns the content of the request parameter `listtype`. This content would be used in `OxidEsales\EshopCommunity\Application\Component\Locator->setLocatorData($oCurrArticle, $oLocatorTarget)` to create a dynamic method call:

```php
$sLocfnc = "_set{$this->_sType}LocatorData";
$this->$sLocfnc($oLocatorTarget, $oCurrArticle);
```

At this point there is no verification that the method `$sLocfnc` exists at all. If I now manipulate the GET variable `listtype`, an exception is thrown and written into the error log. So I have various error log entries like this:

```
Function '_setsearch AND 1=1LocatorData' does not exist or is not accessible!
```

For me, this is a sign that the shop is being "investigated" for SQL injections or similar vulnerabilities. That's not bad, but not nice either. It would be better to check in advance if the method exists, so no meaningless log entries are generated.

`_setsearch AND 1=1LocatorData`

Steps To Reproduce

Manipulate the `listtype` GET parameter in the links of an article details page. Then have a look at your OXID error log.

| Field | Value |
|---|---|
| Tags | No tags attached. |
| Theme | All |
| Browser | Not defined |
| PHP Version | Not defined |
| Database Version | Not defined |
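The following is an added example, not OXID eShop's own code, that reproduces the pattern the report describes in a self-contained form: a locator whose method name is assembled from the raw `listtype` value and invoked without any check, next to a hardened variant that first compares the value against a fixed list of known types and then confirms with `method_exists()` before dispatching. The class names `UncheckedLocator` and `CheckedLocator`, the list types `list` and `search`, and the article identifier `article-123` are illustrative stand-ins; the tampered value `search AND 1=1` is the one quoted in the report.

```php
<?php
declare(strict_types=1);

// Added example (not OXID's code). Unchecked form, mirroring the report:
// the method name is built from the raw request value and called blindly.
final class UncheckedLocator
{
    private string $sType;

    public function __construct(string $sType)
    {
        $this->sType = $sType;
    }

    public function setLocatorData(string $oCurrArticle): string
    {
        $sLocfnc = "_set{$this->sType}LocatorData";
        // A tampered 'listtype' ends up here as part of the method name and
        // PHP throws an Error, which in the shop lands in the error log.
        return $this->$sLocfnc($oCurrArticle);
    }

    private function _setsearchLocatorData(string $oCurrArticle): string
    {
        return "search locator for {$oCurrArticle}";
    }
}

// Hardened form: validate the request value before it can shape a call.
final class CheckedLocator
{
    /** Known list types (illustrative subset); compared with strict equality. */
    private const KNOWN_TYPES = ['list', 'search'];

    private string $sType;

    public function __construct(string $sType)
    {
        $this->sType = $sType;
    }

    /** Returns locator data, or null when the type is unknown (no exception, no log noise). */
    public function setLocatorData(string $oCurrArticle): ?string
    {
        // Step 1: reject anything that is not an exact, known list type.
        if (!in_array($this->sType, self::KNOWN_TYPES, true)) {
            return null;
        }
        // Step 2: belt and braces, as the report suggests: only dispatch to a
        // method that actually exists on this class.
        $sLocfnc = "_set{$this->sType}LocatorData";
        if (!method_exists($this, $sLocfnc)) {
            return null;
        }
        return $this->$sLocfnc($oCurrArticle);
    }

    private function _setlistLocatorData(string $oCurrArticle): string
    {
        return "list locator for {$oCurrArticle}";
    }

    private function _setsearchLocatorData(string $oCurrArticle): string
    {
        return "search locator for {$oCurrArticle}";
    }
}

// Constructed sample request values: a valid type, the tampered value from
// the report, and an arbitrary unknown string.
$samples = ['search', 'search AND 1=1', 'nosuchtype'];

foreach ($samples as $listtype) {
    $result = (new CheckedLocator($listtype))->setLocatorData('article-123');
    printf("checked   listtype=%-18s -> %s\n",
        var_export($listtype, true),
        $result ?? 'rejected, no exception raised');
}

// Same tampered value through the unchecked form: PHP raises an Error whose
// message names the nonexistent method, i.e. the log entry from the report.
try {
    (new UncheckedLocator('search AND 1=1'))->setLocatorData('article-123');
} catch (\Error $e) {
    echo 'unchecked listtype=\'search AND 1=1\' -> ' . $e->getMessage() . "\n";
}
```

Rejecting the value up front means a tampered `listtype` can no longer produce a stack trace in the error log; if, as the reporter notes, such requests are worth knowing about as a sign of probing, the rejection branch is the place to emit a single, deliberately worded event (request path and the offending value, without the exception) rather than letting the framework log an undefined-method failure.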