osCommerce

The e-commerce.

osCsid security hole?


jtsroberts


Posted

Hi all,

I've had a report that a user has posted a link on a public forum to a product listing on their site. The user was logged in at the time and the URL they posted to was:

sitename/index.php?cPath=31&osCsid=44f7f0adb0edcf4b4c0402b5c3965f06

Another forum user came along, clicked that link, and was then already logged in as the actual owner of the account who posted the link!

Is there a patch for this? It's running osc v2.2 R2.2

Posted

Hi all,

I've had a report that a user has posted a link on a public forum to a product listing on their site. The user was logged in at the time and the URL they posted to was:

sitename/index.php?cPath=31&osCsid=44f7f0adb0edcf4b4c0402b5c3965f06

Another forum user came along, clicked that link, and was then already logged in as the actual owner of the account who posted the link!

Is there a patch for this? It's running osc v2.2 R2.2

1) Make sure that the osCsid is not persistent on the site (should disappear after 1st click)

2) Set Recreate Session to true (Configuration > Sessions > Recreate Session)

Posted

1) Make sure that the osCsid is not persistent on the site (should disappear after 1st click)

The osCsid parameter is always present in the category links, etc. How do you set it up to only require it the first time?

2) Set Recreate Session to true (Configuration > Sessions > Recreate Session)

I've made this change.

Posted

Selecting Regenerate session may not be sufficient to cure issues with external links with a sid attached.

Matt has created a nice post here with a mod for regenerating the session and preventing shared sessions from shared links.

Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions:
Auto Backup your Database, Easy way
Multi Images with Fancy Pop-ups, Easy way
Products in columns with multi buy etc etc
Disable any Category or Product, Easy way
Secure & Improve your account pages et al.
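The two fixes discussed in this thread (keep the session id out of URLs so a pasted link carries nothing reusable, and recreate the session at login), shown as an added example in plain PHP rather than osCommerce's own session code or Matt's mod; it assumes a hypothetical login_customer() function and that the shop is served over HTTPS.

```php
<?php
// Added example (not osCommerce code): session handling that stops a shared
// link such as index.php?cPath=31&osCsid=... from logging a second visitor
// into the first visitor's account.

// 1. Never carry the session id in the URL: cookies only, no link rewriting,
//    and refuse ids the server did not issue itself (strict mode).
//    These must be set before session_start().
ini_set('session.use_only_cookies', '1');   // ids arriving via GET/POST are ignored
ini_set('session.use_trans_sid', '0');      // do not append the id to links/forms
ini_set('session.use_strict_mode', '1');    // unknown ids get a fresh session instead
ini_set('session.cookie_httponly', '1');    // keep the cookie away from page scripts
ini_set('session.cookie_secure', '1');      // assumes HTTPS; drop if testing over HTTP

session_start();

// 2. Belt and braces: if an osCsid is still in the query string and it matches
//    the session we just resumed, the session was adopted from a link, so
//    throw it away and start a clean, logged-out one.
if (isset($_GET['osCsid']) && $_GET['osCsid'] === session_id()) {
    $_SESSION = [];
    session_regenerate_id(true);            // true = delete the old session data
}

// 3. On successful login issue a brand-new id, so any id that existed before
//    authentication (and may have been shared) is worthless afterwards. This is
//    what the "Recreate Session" setting in the thread is meant to achieve.
//    login_customer() is a hypothetical helper, not an osCommerce function.
function login_customer(int $customer_id): void
{
    session_regenerate_id(true);
    $_SESSION['customer_id'] = $customer_id;
    $_SESSION['login_ua']    = $_SERVER['HTTP_USER_AGENT'] ?? '';
}

// 4. On every request, drop a logged-in session whose browser no longer matches
//    the one that logged in; a pasted link opened elsewhere fails this check.
function session_is_valid(): bool
{
    if (!isset($_SESSION['customer_id'])) {
        return true;                        // anonymous sessions carry no privilege
    }
    return ($_SESSION['login_ua'] ?? null) === ($_SERVER['HTTP_USER_AGENT'] ?? '');
}

if (!session_is_valid()) {
    $_SESSION = [];
    session_regenerate_id(true);
}
```

The user-agent check is a weak secondary signal only; the real protection is steps 1 and 3, which remove the id from links and invalidate any pre-login id.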

Archived

This topic is now archived and is closed to further replies.
