View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update | 
|---|---|---|---|---|---|
| 0007415 | OXID eShop (all versions) | 1.05. Users | public | 2023-01-31 13:54 | 2024-08-08 10:44 | 
| Reporter | michael_keiluweit | Assigned To | |||
| Priority | immediate | Severity | crash | Reproducibility | always | 
| Status | resolved | Resolution | fixed | ||
| Product Version | 6.5.1 | ||||
| Fixed in Version | 6.5.2 | ||||
| Summary | 0007415: It's possible to partly hijack an account, in case the user provides a URL containing the parameter force_sid | ||||
| Description | In some cases (depending on the configuration or if the web protocol has changed) the shop adds the parameter force_sid so that the session doesn't get lost. If a user copies a URL containing a force_sid parameter and provides it to others, it's possible that someone hijacks this account by simply calling this very URL. | ||||
| Steps To Reproduce | Please see OXDEV-4971 for further information. | ||||
| Tags | Security, Session | ||||
| Theme | Not defined | ||||
| Browser | Not defined | ||||
| PHP Version | Not defined | ||||
| Database Version | Not defined | ||||
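
A detection sketch for the condition described above, added here as an example and not taken from the report or from OXID's code: it scans web server access logs for a `force_sid` value that arrives from more than one client. It assumes the combined log format and treats a distinct (IP, user agent) pair as a distinct client, so a legitimate user who changes networks will also be flagged; the sample log lines and session values are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [31/Jan/2023:13:40:01 +0000] "GET /index.php?cl=account&force_sid=SIDAAAA1111 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [31/Jan/2023:13:41:10 +0000] "GET /index.php?cl=basket&force_sid=SIDAAAA1111 HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.25 - - [31/Jan/2023:13:52:44 +0000] "GET /index.php?cl=account&force_sid=SIDAAAA1111 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.14 - - [31/Jan/2023:13:53:02 +0000] "GET /index.php?cl=start&force_sid=SIDBBBB2222 HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh)"
192.0.2.14 - - [31/Jan/2023:13:53:30 +0000] "GET /index.php?cl=details HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh)"
"""

# Captures client IP, request target and user agent from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def shared_force_sids(log_text):
    """Return {force_sid: sorted [(ip, user_agent), ...]} for ids seen from >1 client."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        query = parse_qs(urlsplit(m.group("target")).query)
        for sid in query.get("force_sid", []):
            clients[sid].add((m.group("ip"), m.group("ua")))
    # One session id presented by several clients suggests a shared URL.
    return {sid: sorted(seen) for sid, seen in clients.items() if len(seen) > 1}


if __name__ == "__main__":
    for sid, seen in shared_force_sids(SAMPLE_LOG).items():
        # Print only a prefix: the full value is a usable session credential.
        print(f"force_sid {sid[:4]}... used by {len(seen)} distinct clients:")
        for ip, ua in seen:
            print(f"  {ip}  {ua}")
```

Because the parameter value is itself a session credential, the access logs that contain it need the same protection as the sessions they reference.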
