Opened 4 years ago

Last modified 4 years ago

#2213 closed Bug

Unfiltered GET parameter in tracking.php — at Version 1

Reported by: flth@… Owned by: somebody
Priority: normal Milestone: modified-shop-2.0.7.1
Component: Security Version: 2.0.7.0
Keywords: Cc:
Blocked By: Blocking:

Description (last modified by Torsten Riemer)

In tracking.php, lines 37 and 40 write two GET parameters into the session without any filtering.
Never trust an external parameter :)

    // tracking.php: raw query-string value stored straight into the session
    $_SESSION['tracking']['refID'] = $_GET['refID'];
    $sql_data_array = array(
      'user_ip' => ip_clearing($_SESSION['tracking']['ip']),
      'campaign' => $_GET['refID'],   // same raw value handed to the DB layer
      'time' => 'now()'
    );
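For reference, here is how the same flow looks once the parameter is validated before it touches the session or the database. This is an added example, not code from the modified-shop project or from the ticket: the allow-list pattern for `refID`, the `campaigns` table name and the use of PDO with an in-memory SQLite database are all assumptions chosen so the snippet runs stand-alone; the project's own `ip_clearing()` and DB helper are not used here.

```php
<?php
// Added example (assumptions: refID policy, table name, PDO/SQLite demo DB).
declare(strict_types=1);

/**
 * Allow-list validation for the referral id. Policy assumed for this example:
 * a plain string of 1..32 characters from [A-Za-z0-9_-]; anything else
 * (including ?refID[]=x, which PHP turns into an array) is rejected.
 */
function validate_ref_id($raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9_-]{1,32}$/', $raw) === 1 ? $raw : null;
}

/**
 * Hardened counterpart of the tracking.php lines quoted in the ticket:
 * validate first, then store the checked value in the session and insert it
 * through a prepared statement so it is always bound as data, never as SQL.
 * Returns true when a row was written, false when the request was ignored.
 */
function store_tracking(PDO $db, array &$session, array $get, string $ip): bool
{
    $refID = validate_ref_id($get['refID'] ?? null);
    if ($refID === null) {
        return false;                       // nothing is written for bad input
    }
    $session['tracking']['refID'] = $refID; // only the validated value is kept

    $stmt = $db->prepare(
        'INSERT INTO campaigns (user_ip, campaign, time) VALUES (:ip, :campaign, CURRENT_TIMESTAMP)'
    );
    return $stmt->execute([':ip' => $ip, ':campaign' => $refID]);
}

// Demo with constructed requests against a throw-away SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE campaigns (user_ip TEXT, campaign TEXT, time TEXT)');

$session = [];
$requests = [
    ['refID' => 'spring-2024'],            // valid: stored
    ['refID' => "x' OR '1'='1"],           // quote characters: rejected
    ['refID' => ['a', 'b']],               // array instead of string: rejected
    ['refID' => str_repeat('A', 40)],      // too long: rejected
    [],                                    // parameter missing: rejected
];

foreach ($requests as $get) {
    $ok = store_tracking($db, $session, $get, '203.0.113.5');
    printf("%-25s -> %s\n", json_encode($get['refID'] ?? null), $ok ? 'stored' : 'ignored');
}

$rows = $db->query('SELECT campaign FROM campaigns')->fetchAll(PDO::FETCH_COLUMN);
printf("rows written: %d (%s), session refID: %s\n",
    count($rows), implode(',', $rows), $session['tracking']['refID'] ?? 'unset');
```

Only the first request ends up in the table and in `$session['tracking']['refID']`; the four malformed ones are dropped before either store is touched, which is the check the ticket is asking for.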

Change History (1)

comment:1 by Torsten Riemer, 4 years ago

Description: modified (diff)