Who's Online Vulnerability Fix



michael_s
02-05-2009, 08:00 AM
Found a security issue in catalog/includes/functions/whos_online.php

line 30:
$wo_last_page_url = getenv('REQUEST_URI');

Replace with:
$wo_last_page_url = htmlspecialchars(getenv('REQUEST_URI'));


This XSS vulnerability affects the admin panel -> Who's Online.

A hacker could easily grab your admin cookie.

More... (http://addons.oscommerce.com/info/6536)
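Added example (not the osCommerce whos_online.php code and not michael_s's patch): it shows why the one-line fix above works. The request URI is attacker-controlled, gets stored by the Who's Online tracker and is later echoed into an admin HTML page, so it must be HTML-escaped. The function and table names (wo_escape_page_url, wo_render_row), the sample IP address and the sample URI are all constructed for this demonstration. One caveat the post does not mention: a bare htmlspecialchars() call on PHP versions before 8.1 leaves single quotes alone, so this example passes ENT_QUOTES explicitly, which is safe in every PHP version.

```php
<?php
// Added example, not part of the original post or of osCommerce.
// Demonstrates escaping an attacker-controlled request URI before it is
// rendered in the admin Who's Online table.

// Escape a captured request URI for insertion into HTML text or into a
// double- or single-quoted attribute. ENT_QUOTES also escapes single
// quotes, which htmlspecialchars() without flags does not on PHP < 8.1.
function wo_escape_page_url(string $uri): string
{
    return htmlspecialchars($uri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build one table row the way a Who's Online admin page might (hypothetical
// helper; osCommerce's real rendering code is not shown on this page).
function wo_render_row(string $ip, string $lastPageUrl): string
{
    return '<tr><td>' . htmlspecialchars($ip, ENT_QUOTES, 'UTF-8') . '</td>'
         . '<td>' . wo_escape_page_url($lastPageUrl) . '</td></tr>';
}

// In the real file the value comes from the web server, as in the post:
//   $wo_last_page_url = wo_escape_page_url((string) (getenv('REQUEST_URI') ?: ''));
// For an offline demonstration we use a constructed request URI that carries
// HTML markup. Unescaped, the <script> element would execute in the admin's
// browser when the Who's Online page is opened.
function wo_self_check(): bool
{
    $sample = "/catalog/index.php?cPath=<script>document.title='x'</script>";

    // Before the fix: the raw URI is concatenated straight into the page.
    $vulnerable = '<tr><td>' . $sample . '</td></tr>';
    // After the fix: the URI is escaped before it reaches the HTML.
    $fixed = wo_render_row('203.0.113.7', $sample);   // 203.0.113.7 is a constructed (documentation-range) address

    $ok = strpos($vulnerable, '<script>') !== false       // markup survives intact
       && strpos($fixed, '<script>') === false            // no raw tag after escaping
       && strpos($fixed, '&lt;script&gt;') !== false      // angle brackets became entities
       && strpos($fixed, '&#039;') !== false;             // single quotes escaped too
    return $ok;
}

echo wo_self_check() ? "escaping works as expected\n" : "check failed\n";
```

Escaping at capture time, as the patch does, protects the one page that displays the stored value; escaping at output time instead protects every consumer of the stored URI, which is the more general habit if the same column is ever shown elsewhere.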

Dranoel
02-05-2009, 09:44 AM
Thanks - applied new code. Works fine.

trochia
02-07-2009, 03:35 PM
Same here, thank you Michael.