URL "step" parameter

I wonder what's the use of the 'step' parameter, read through $_GET['step'] and $_REQUEST['step'] and added to header('Location: ...') and other links? (see attachment)
I know it seems to be related to WorkFlow but haven't found any use of it throughout the code.
The issue with it is that it's read directly from user input and inserted into the header() without any inspection whatsoever.
The reason I need to know is to solve a claimed XSS issue that might be caused because of it, as reported by a security penetration test of a client I'm dealing with.

Any input is highly appreciated.

P.S. I'm referring to Concrete 5.6.3.4

Regards,

1 Attachment

okhayat
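
One way to handle the pattern described in the post above, validating `step` before it reaches a `Location` header or a link, as an added example that is not part of the original post and is not Concrete5's own code. The function names, the `/dashboard/example` path and the assumption that a step is a small integer are all hypothetical.

```php
<?php
// Added illustration, not Concrete5 code. Function names and the
// /dashboard/example path are hypothetical.

// Return 'step' as a digit string, or null when missing or malformed.
// Assumption: a step is a small non-negative integer identifier.
function clean_step($input)
{
    if (!isset($input['step']) || !is_string($input['step'])) {
        return null; // absent, or an array such as ?step[]=1
    }
    // \A and \z anchor the whole string; '$' would allow a trailing newline.
    if (!preg_match('/\A[0-9]{1,10}\z/', $input['step'])) {
        return null;
    }
    return $input['step'];
}

// Build the redirect target; the value is URL-encoded even after validation.
function redirect_target($path, $step)
{
    if ($step === null) {
        return $path;
    }
    return $path . '?' . http_build_query(array('step' => $step));
}

// Build a link; the href is HTML-escaped for the attribute context.
function step_link($path, $step, $label)
{
    $href = redirect_target($path, $step);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed sample inputs standing in for $_GET.
$samples = array(
    array('step' => '3'),
    array('step' => "3\r\nX-Injected: 1"),
    array('step' => '"><script>alert(1)</script>'),
    array('step' => array('3')),
    array(),
);
foreach ($samples as $get) {
    $step = clean_step($get);
    echo redirect_target('/dashboard/example', $step), "\n";
    echo step_link('/dashboard/example', $step, 'Next'), "\n";
}
```

Only the first sample keeps its `step` value; the other four fall back to the bare path, so nothing from the request reaches the header or the markup unvalidated. In a page handler the result of `redirect_target()` would be passed to `header('Location: ' . ...)`.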