View Issue Details

ID: 0007415
Project: OXID eShop (all versions)
Category: 1.05. Users
View Status: public
Last Update: 2023-02-28 18:09
Reporter: michael_keiluweit
Assigned To: (none)
Priority: immediate
Severity: crash
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 6.5.1
Fixed in Version: 6.5.2
Summary: 0007415: It's possible to partly hijack an account, in case the user provides a URL containing the parameter force_sid
Description: In some cases (depending on the configuration, or when the web protocol changes) the shop appends the parameter force_sid to URLs so that the session is not lost.
If a user copies a URL containing a force_sid parameter and passes it on to others, anyone who opens that very URL can hijack the account.
Steps To Reproduce: Please see OXDEV-4971 for further information.
Tags: Security, Session
Theme: Not defined
Browser: Not defined
PHP Version: Not defined
Database Version: Not defined
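The issue above describes a session identifier travelling inside a shareable URL. As an added example that is not part of this issue report or of the OXID eShop code base, the Python script below shows two defender-side checks for that pattern: a log scan that flags any force_sid value presented from more than one client address (a copied URL being opened elsewhere), and a helper that strips force_sid from a URL before it is shared. The access-log lines, addresses and session ids are constructed for the example; the "combined" log layout is assumed.

```python
# Added example, not OXID project code. Log lines, IPs and sids are constructed.
import re
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample lines in Apache/nginx "combined" access-log layout.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Feb/2023:18:01:02 +0100] "GET /index.php?cl=account&force_sid=abc123def456 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Feb/2023:18:01:09 +0100] "GET /index.php?cl=basket&force_sid=abc123def456 HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Feb/2023:18:05:44 +0100] "GET /index.php?cl=account&force_sid=abc123def456 HTTP/1.1" 200 5120 "-" "curl/7.88"
192.0.2.23 - - [28/Feb/2023:18:06:10 +0100] "GET /index.php?cl=start&force_sid=zzz999 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
192.0.2.23 - - [28/Feb/2023:18:06:30 +0100] "GET /index.php?cl=start HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request path (with query) and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)


def force_sid_of(url_or_path):
    """Return the force_sid query value, or None if the request carries none."""
    query = urlsplit(url_or_path).query
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key == "force_sid":
            return value
    return None


def find_shared_sids(log_text):
    """Map each force_sid to the client IPs that presented it and return only
    the ids seen from more than one address: the same session id arriving
    from a second client is the indicator of a copied URL being reused."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        sid = force_sid_of(m.group("path"))
        if sid is not None:
            seen[sid].add(m.group("ip"))
    return {sid: sorted(ips) for sid, ips in seen.items() if len(ips) > 1}


def strip_force_sid(url):
    """Remove force_sid so a copied URL no longer carries the session."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != "force_sid"]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    for sid, ips in find_shared_sids(SAMPLE_LOG).items():
        print(f"force_sid {sid} used from {len(ips)} addresses: {', '.join(ips)}")
    print(strip_force_sid("https://shop.example/index.php?cl=account&force_sid=abc123def456"))
```

In the sample, abc123def456 is flagged because it arrives from two addresses while zzz999 is not; on a real shop the same scan runs over the web server's access log, and the stripping helper belongs wherever URLs are rendered for sharing or logged.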