Opened 4 years ago

Last modified 4 years ago

#2213 closed Bug/Fehler

Unfiltered GET parameter in tracking.php — at Initial Version

Reported by: flth@… Owned by: somebody
Priority: normal Milestone: modified-shop-2.0.7.1
Component: Security Version: 2.0.7.0
Keywords: Cc:
Blocked By: Blocking:

Description

In tracking.php, on lines 37 and 40, two GET parameters are written to the session unfiltered.
Never trust an external parameter :)

$_SESSION['tracking']['refID'] = $_GET['refID'];

$sql_data_array = array(
    'user_ip' => ip_clearing($_SESSION['tracking']['ip']),
    'campaign' => $_GET['refID'],
    'time' => 'now()'
);
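
One way to validate `refID` before it reaches the session or the insert array, as an added example that is not part of the ticket or of modified-shop's own code. The helper name `tracking_clean_ref_id` and the allowed format (letters, digits, `_` and `-`, at most 32 characters) are assumptions.

```php
<?php
// Added example, not modified-shop code. The allowlist below is an assumed
// campaign ID format; adjust it to the IDs the shop actually issues.

/**
 * Returns the campaign reference ID if it matches the allowlist, else null.
 * Hypothetical helper; not part of the shop's API.
 */
function tracking_clean_ref_id($value): ?string
{
    // ?refID[]=x arrives as an array; reject anything that is not a string.
    if (!is_string($value)) {
        return null;
    }
    // \A ... \z anchors the whole string, so a trailing newline is rejected
    // as well (a plain $ would accept "abc\n").
    if (preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $value) !== 1) {
        return null;
    }
    return $value;
}

// Constructed sample inputs standing in for $_GET['refID'].
$samples = [
    'newsletter_2020-05',   // well-formed campaign ID
    "abc\n",                // trailing newline
    "it's",                 // quote character
    '<b>x</b>',             // markup
    ['nested'],             // array instead of string
    str_repeat('a', 33),    // one character over the length cap
];

foreach ($samples as $raw) {
    $session = ['tracking' => []];   // stand-in for $_SESSION
    $refID = tracking_clean_ref_id($raw);
    if ($refID !== null) {
        // Only the validated value is stored and passed on to the insert.
        $session['tracking']['refID'] = $refID;
        $sql_data_array = ['campaign' => $refID, 'time' => 'now()'];
    }
    printf("%-24s => %s\n", json_encode($raw), $refID === null ? 'rejected' : 'accepted');
}
```

Validation at the input boundary does not replace escaping or parameter binding in the database layer when the array is written.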
