Bug #366
Security issue in checkout.2Checkout_result.php
| Status: | Closed | Start date: | 05/14/2011 | |
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | Francesco Abeni | % Done: | 100% |
|
| Category: | - | Spent time: | - | |
| Target version: | 1.1.9 |
Description
The problem is in the file administrator/components/com_virtuemart/html/checkout.2Checkout_result.php, lines 61-62:-
$qv = "SELECT order_id, order_number FROM #__{vm}_orders ";
$qv .= "WHERE order_number='".$order_number."'";
The variable $order_number is obtained directly from the $_REQUEST array on line 38:-
$order_number = $_REQUEST['merchant_order_id'];
It is not escaped anywhere.
Thanks to Fiona Coulter from Spiral Scripts for reporting.
History
Updated by Francesco Abeni 12 months ago
Other modifications were needed. Now it should be fine.
Updated by Urs Brülhart 11 months ago
Francesco, how to test this out?
Updated by Francesco Abeni 11 months ago
- Status changed from Resolved to Closed
- % Done changed from 80 to 100
Fixed with commit #3451
Updated by Urs Brülhart 11 months ago
Thank you too, Francesco ;-)