View Issue Details

ID: 0007038
Project: OXID eShop (all versions)
Category: 1.01. Products (product, categories, manufacturer, promotions etc.)
View Status: public
Last Update: 2019-10-02 09:00
Reporter: mario_lorenz
Priority: normal
Severity: tweak
Reproducibility: always
Status: acknowledged
Resolution: open
Product Version: 6.1.4
Target Version: (none)
Fixed in Version: (none)
Summary: 0007038: manipulable GET request parameter executes wrong dynamic method call

Description:
The OxidEsales\EshopCommunity\Application\Controller\FrontendController->getListType() returns the content of the request parameter 'listtype'.

This content is then used in OxidEsales\EshopCommunity\Application\Component\Locator->setLocatorData($oCurrArticle, $oLocatorTarget) to create a dynamic method call:

    // method name is built from the unvalidated 'listtype' request parameter
    $sLocfnc = "_set{$this->_sType}LocatorData";
    // called without checking that such a method exists
    $this->$sLocfnc($oLocatorTarget, $oCurrArticle);

At this point there is no verification that the method "$sLocfnc" exists at all.

If I now manipulate the GET variable "listtype", an exception is thrown and written into the error log.

So I have various error log entries like this: Function '_setsearch AND 1=1LocatorData' does not exist or is not accessible!
For me, this is a sign that the shop is being "investigated" for SQL injections or similar vulnerabilities.

That's not bad, but not nice either. It would be better to check in advance whether the method exists, so that no meaningless log entries are generated.

Steps To Reproduce:
Manipulate the listtype GET parameter in the links of an article details page. Then have a look at your OXID error log.
Tags: No tags attached.
Theme: All
Browser: Not defined
PHP Version: Not defined
MySQL Version: Not defined
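An added example, not OXID's own code, of the check the reporter asks for: a stand-alone PHP class that mirrors the dynamic "_set{type}LocatorData" dispatch described above, with the unchecked call beside a hardened variant that validates the list type against an allow-list and confirms the method exists before dispatching. Class, method and list-type names are assumed for illustration.

```php
<?php
// Added example, not OXID's code: mirrors the "_set{type}LocatorData"
// dispatch from the report. Class, method and list-type names are assumed.

final class Locator
{
    // Allow-list of list types the shop supports (assumed values).
    private const KNOWN_TYPES = ['list', 'search'];

    public function __construct(private string $sType) {}

    // Original pattern from the report: the method name is built directly
    // from request input and called without checking that it exists.
    public function setLocatorDataUnchecked(array &$target, array $article): void
    {
        $sLocfnc = "_set{$this->sType}LocatorData";
        $this->$sLocfnc($target, $article);   // Error for unknown types
    }

    // Hardened variant: validate against the allow-list, confirm the method
    // exists, and fall back to the default list handler otherwise.
    public function setLocatorData(array &$target, array $article): string
    {
        $sType = in_array($this->sType, self::KNOWN_TYPES, true) ? $this->sType : 'list';
        $sLocfnc = "_set{$sType}LocatorData";
        if (!method_exists($this, $sLocfnc)) {
            $sLocfnc = '_setlistLocatorData';
        }
        $this->$sLocfnc($target, $article);
        return $sLocfnc;   // which handler actually ran, useful for logging
    }

    private function _setlistLocatorData(array &$target, array $article): void
    {
        $target['locator'] = 'list:' . ($article['oxid'] ?? '');
    }

    private function _setsearchLocatorData(array &$target, array $article): void
    {
        $target['locator'] = 'search:' . ($article['oxid'] ?? '');
    }
}

// Constructed input imitating the manipulated GET parameter from the report:
// the unknown type is ignored and the default handler runs, with no error.
$target = [];
$ran = (new Locator('search AND 1=1'))->setLocatorData($target, ['oxid' => 'demo']);
echo $ran, ' -> ', $target['locator'], PHP_EOL;
```

With the allow-list in place the invalid value never reaches the dynamic call, so the error log only records genuine failures; the returned handler name can still be logged at a lower level if you want to keep track of rejected values.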

Activities

QA, 2019-10-02 09:00, administrator, ~0013013:
-MK