View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0007805 | OXID eShop (all versions) | 4. ------ eShop Core ------- | public | 2025-06-23 13:59 | 2025-06-23 16:31 |
Field | Value |
---|---|
Reporter | dominik_ziegler |
Assigned To | |
Priority | normal |
Severity | minor |
Reproducibility | have not tried |
Status | acknowledged |
Resolution | open |
Summary | 0007805: No type check for request parameters |
Tags | No tags attached. |
Theme | Not defined |
Browser | Not defined |
PHP Version | 8.1 |
Database Version | Not defined |

Description

OXID relies on certain request parameters being a string value. This leads to errors and redirects to the shop offline page if there are malicious requests performed by bots or attackers. For example, parameters like "cl" or "fnc" in the shop code are always treated as string values. There is no check for the correct type and passing an array will result in various errors (mostly "... must be of type string, array given").

Steps To Reproduce

For example, all these requests will result in PHP TypeErrors and trigger the offline page:

https://demoshop.oxid-esales.com/index.php?cl[]=test
https://demoshop.oxid-esales.com/index.php?cl=start&fnc[]=test
https://demoshop.oxid-esales.com/index.php?cl=start&sid[]=test
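The failure mode described in the report, and one defensive way to read request parameters, as an added example that is not part of the issue and not OXID code. The functions `resolveController` and `requestString` are hypothetical stand-ins for a string-typed handler and a guarded accessor; the query strings are the ones quoted above, decoded with PHP's `parse_str` to show that `cl[]=test` arrives as an array rather than a string.

```php
<?php
declare(strict_types=1);

// Added example, not OXID code. A string-typed handler receiving an
// array-valued parameter throws a TypeError in PHP 8; a guarded accessor
// rejects non-string values before they reach such a handler.

/** Hypothetical handler that, like OXID's "cl" dispatch, expects a string. */
function resolveController(string $cl): string
{
    return 'Controller:' . $cl;
}

/**
 * Hypothetical guarded accessor: returns the parameter only when it is a
 * plain string, otherwise $default. An array (from "?cl[]=test") is rejected.
 */
function requestString(array $request, string $key, ?string $default = null): ?string
{
    if (!array_key_exists($key, $request) || !is_string($request[$key])) {
        return $default;
    }
    return $request[$key];
}

// Query strings from the report, decoded the way PHP populates $_GET.
$queries = ['cl=start', 'cl[]=test', 'cl=start&fnc[]=test'];

foreach ($queries as $query) {
    parse_str($query, $params);
    echo "Query: $query" . PHP_EOL;
    echo "  Decoded 'cl' is " . gettype($params['cl']) . PHP_EOL;

    // Naive access: the array goes straight into the string-typed handler.
    try {
        echo '  Naive: ' . resolveController($params['cl']) . PHP_EOL;
    } catch (TypeError $e) {
        echo '  Naive: TypeError - ' . $e->getMessage() . PHP_EOL;
    }

    // Guarded access: non-string values fall back to a known-good default.
    $cl = requestString($params, 'cl', 'start');
    echo '  Guarded: ' . resolveController($cl) . PHP_EOL;
}
```

Whether a rejected parameter should fall back to a default (as here) or produce an HTTP 400 is an application decision; either way the type check happens at the request boundary so that the TypeError never surfaces as an unhandled error that sends the shop to its offline page.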