MantisBT: master 974e6da4

Author: dhx
Committer: dhx
Branch: master
Timestamp: 2010-12-14 18:40
Parent: master 184a0f4a
Affected Issues: 0012607: LFI/FD and XSS in the 'upgrade_unattended.php'
Changeset

Fix 0012607: LFI/PD/XSS in upgrade_unattended.php

Gjoko Krstic of Zero Science Lab has kindly reported in detail a number
of vulnerabilities in the admin/upgrade_unattended.php script.

Earlier patches by Victor Boctor (MantisBT developer) resolved the
issue. This patch enhances those changes to strengthen the security of
this script even further.

Please note that the "admin" directory SHOULD BE DELETED AFTER
INSTALLATION on all live instances of MantisBT.

mod - admin/upgrade_unattended.php