
A security problem in Tell A Friend Function



Today I tested the "tell a friend" function and I found that the product link sent to the friend contains the session id, which is probably a security issue.


It is never good to expose a session id to the outside. So here is the way to fix it.


Open: catalog/tell_a_friend.php


Find: (about line 77)


      $email_body .= sprintf(TEXT_EMAIL_LINK, tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id'])) . "\n\n" .


Change to:


      $email_body .= sprintf(TEXT_EMAIL_LINK, tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id'], 'SSL', false)) . "\n\n" .


I also checked the latest snapshot. It also has this problem.


Hope this helps.



This topic is now archived and is closed to further replies.
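
As an added example (not part of the original post and not osCommerce code): a defence-in-depth scrub that removes the session parameter from every URL in an outgoing message body before it is mailed, so a link built without `false` as the fourth `tep_href_link` argument still does not carry the session id. The parameter name `osCsid` and the function names `strip_session_param` and `scrub_outgoing_body` are assumptions, and the sample body is constructed.

```php
<?php
// Added example, not osCommerce code. Requires PHP 7+.
// Assumption: the session parameter is named "osCsid"; pass your own
// session name as the second argument if the shop uses a different one.

/** Remove the session parameter from one URL, keeping everything else. */
function strip_session_param(string $url, string $sessionName = 'osCsid'): string
{
    // Set the fragment aside so it is not mistaken for part of the query.
    $fragment = '';
    if (($hashPos = strpos($url, '#')) !== false) {
        $fragment = substr($url, $hashPos);
        $url = substr($url, 0, $hashPos);
    }
    $queryPos = strpos($url, '?');
    if ($queryPos === false) {
        return $url . $fragment; // no query string, nothing to strip
    }
    $base = substr($url, 0, $queryPos);
    $kept = [];
    // Split on "&" or "&amp;"; pairs are re-joined with a plain "&".
    foreach (preg_split('/&(?:amp;)?/', substr($url, $queryPos + 1)) as $pair) {
        if ($pair === '') {
            continue;
        }
        $name = urldecode(explode('=', $pair, 2)[0]);
        if (strcasecmp($name, $sessionName) !== 0) {
            $kept[] = $pair;
        }
    }
    return $base . ($kept ? '?' . implode('&', $kept) : '') . $fragment;
}

/** Apply strip_session_param() to every http(s) URL in a message body. */
function scrub_outgoing_body(string $body, string $sessionName = 'osCsid'): string
{
    return preg_replace_callback(
        '~https?://[^\s<>"\']+~i',
        function (array $m) use ($sessionName) {
            return strip_session_param($m[0], $sessionName);
        },
        $body
    );
}

// Constructed sample body; the host and session value are made up.
$body = "Look at this product:\n"
      . "http://shop.example/product_info.php?products_id=12&osCsid=0123456789abcdef\n";
echo scrub_outgoing_body($body);
```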
