
Opened 4 years ago

Closed 4 years ago

#2213 closed Bug/Fehler (fixed)

Unfiltered GET parameter in tracking.php

Reported by: flth@… Owned by: somebody
Priority: normal Milestone: modified-shop-2.0.7.1
Component: Security Version: 2.0.7.0
Keywords: Cc:
Blocked By: Blocking:

Description (last modified by Torsten Riemer)

In tracking.php, on lines 37 and 40, two GET parameters are written to the session unfiltered.
Never trust an external parameter :)

    $_SESSION['tracking']['refID'] = $_GET['refID'];
    $sql_data_array = array(
      'user_ip' => ip_clearing($_SESSION['tracking']['ip']),
      'campaign' => $_GET['refID'],
      'time' => 'now()'
    );


Change History (2)

comment:1 by Torsten Riemer, 4 years ago

Description: modified (diff)

comment:2 by Gerhard Waldemair, 4 years ago

Resolution: fixed
Status: new → closed

In 14476:

fix #2213 - fix refID
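
An added example, not the shop's own code and not the change made in 14476: one way to allow-list `refID` before it reaches the session and the tracking row. The helper name `sanitize_ref_id`, the accepted format (1 to 32 letters, digits, `_` or `-`) and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of modified-shop): return the refID only if
 * it matches the assumed allow-list format, otherwise null.
 */
function sanitize_ref_id($raw): ?string
{
    // ?refID[]=x turns $_GET['refID'] into an array; reject non-strings.
    if (!is_string($raw)) {
        return null;
    }
    // \A and \z anchor the whole string; a bare $ would accept a trailing newline.
    return preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $raw) === 1 ? $raw : null;
}

// Constructed sample requests standing in for $_GET in a CLI run.
$samples = [
    ['refID' => 'newsletter_2020-05'],   // well-formed campaign id
    ['refID' => "spring'sale<b>"],       // quote and markup characters
    ['refID' => "abc\n"],                // trailing newline
    ['refID' => ['nested']],             // array instead of string
    [],                                  // parameter missing
];

foreach ($samples as $get) {
    // Constructed session state; the IP is from a documentation range.
    $session = ['tracking' => ['ip' => '203.0.113.7']];

    $refID = sanitize_ref_id($get['refID'] ?? null);
    if ($refID !== null) {
        // Only the validated value is stored; both sinks use the same variable.
        $session['tracking']['refID'] = $refID;
        $sql_data_array = [
            'user_ip'  => $session['tracking']['ip'], // the shop applies ip_clearing() here
            'campaign' => $refID,
            'time'     => 'now()',
        ];
    }
    printf("%-24s => %s\n", json_encode($get['refID'] ?? null),
        $refID === null ? 'rejected' : 'stored');
}
```

Validation at input does not replace escaping at output: wherever the stored campaign value is later rendered or queried, it still needs context-appropriate encoding or parameter binding.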
