
osCommerce


A security problem in Tell A Friend Function


11111111111


Today I tested the "tell a friend" function and I found that the product link sent to the friend contains the session id, which is probably a security issue.

It is never good to expose a session id to the outside. So here is the way to fix it.

Open: catalog/tell_a_friend.php

Find: (about line 77)

      $email_body .= sprintf(TEXT_EMAIL_LINK, tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id'])) . "\n\n" .

Change to:

      $email_body .= sprintf(TEXT_EMAIL_LINK, tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id'], 'SSL', false)) . "\n\n" .

I also checked the latest snapshot. It also has this problem.

Hope this helps.
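The following is an added example, not code from the post above or from osCommerce itself. It approximates what the two versions of the tep_href_link() call produce, shows why the leaked link matters (a recipient who follows it is placed into the sender's session, including the sender's cart and login, because osCommerce accepts its session id from the query string), and gives a small check you can run over an outgoing mail body to confirm no session id is in it. Assumptions: the session parameter name is osCommerce's default, osCsid; the server names, product id and session id are constructed stand-ins; and the link builder is a simplified imitation of tep_href_link(), not the real function. One caveat on the fix itself: the part that removes the session id is the fourth argument (false); the third argument ('SSL') only switches the link to HTTPS_SERVER when ENABLE_SSL is on, otherwise tep_href_link() still emits the HTTP_SERVER address, so both variants are handled below.

```python
"""Why a session id in an emailed product link is dangerous, and a check for it.
Added example; not osCommerce code. Labelled assumptions: 'osCsid' is osCommerce's
default session parameter name; the link format only approximates tep_href_link()."""
import re
from urllib.parse import parse_qs, urlencode, urlparse

SESSION_PARAM = "osCsid"                # assumption: osCommerce default session name
HTTP_SERVER = "http://shop.example"     # constructed stand-in for HTTP_SERVER
HTTPS_SERVER = "https://shop.example"   # constructed stand-in for HTTPS_SERVER
DIR_WS_CATALOG = "/catalog/"
FILENAME_PRODUCT_INFO = "product_info.php"


def product_link(products_id, session_id=None, connection="NONSSL",
                 add_session_id=True, enable_ssl=True):
    """Simplified imitation of
    tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=..', connection, add_session_id).
    The session id is appended only when add_session_id is true and a session exists;
    'SSL' yields the HTTPS address only when ENABLE_SSL is on."""
    if connection == "SSL" and enable_ssl:
        base = HTTPS_SERVER
    else:
        base = HTTP_SERVER
    params = {"products_id": str(products_id)}
    if add_session_id and session_id:
        params[SESSION_PARAM] = session_id
    return base + DIR_WS_CATALOG + FILENAME_PRODUCT_INFO + "?" + urlencode(params)


# Matches "?osCsid=<id>" or "&osCsid=<id>" inside any URL in a block of text.
SESSION_RE = re.compile(r"[?&]" + re.escape(SESSION_PARAM) + r"=([0-9A-Za-z,-]+)")


def leaked_session_ids(text):
    """Return every session id carried in a URL of an outgoing message body.
    An empty list means the body is clean; run this on $email_body before sending."""
    return SESSION_RE.findall(text)


def session_for_request(url, sessions):
    """Simulated server side: like a PHP session with the id taken from the query
    string, look up osCsid from the URL and return the matching session, or None
    when the visitor would instead get a fresh, empty session of their own."""
    query = parse_qs(urlparse(url).query)
    sid = query.get(SESSION_PARAM, [None])[0]
    return sessions.get(sid)


def tell_a_friend_body(link):
    """Constructed stand-in for the $email_body assembled in catalog/tell_a_friend.php."""
    return "Hi,\n\nI thought you might like this product:\n" + link + "\n\nRegards"


if __name__ == "__main__":
    # Constructed session store: the sender is logged in and has items in the cart.
    sessions = {"abc123def456": {"customer_id": 42, "cart": ["SKU-1"]}}
    sender_sid = "abc123def456"

    original = tell_a_friend_body(product_link(7, sender_sid))                 # before the fix
    fixed = tell_a_friend_body(product_link(7, sender_sid, "SSL", False))      # after the fix

    print("leaked from original mail:", leaked_session_ids(original))
    print("leaked from fixed mail   :", leaked_session_ids(fixed))
    # The recipient of the original mail lands in the sender's session...
    print("recipient's session (original):",
          session_for_request(product_link(7, sender_sid), sessions))
    # ...while the recipient of the fixed mail gets a session of their own.
    print("recipient's session (fixed)   :",
          session_for_request(product_link(7, sender_sid, "SSL", False), sessions))
```

The check in leaked_session_ids() is worth keeping around beyond this one file: any other place that builds a URL for an outgoing mail or a third party (order confirmations, newsletters, affiliate links) should be passed through it, since the same tep_href_link() default of appending the session id applies everywhere.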


Archived

This topic is now archived and is closed to further replies.
