View Issue Details

ID: 0011234
Project: mantisbt
Category: security
View Status: public
Last Update: 2010-02-22 14:34
Reporter: dhx
Assigned To: dhx
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.0
Target Version: 1.2.0
Fixed in Version: 1.2.0
Summary: 0011234: user_ensure_realname_valid() is not checked on account_page.php
Description

Users are free to change their real name to things like "<script>alert(42);</script>" when updating their real name from account_page.php.

manage_user_edit_page() is safe against this bug as it does perform the required user_ensure_realname_valid() check.
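The report describes a classic inconsistency: the manager-side edit page runs a validation check on the real name, the self-service account page does not, and every page that later echoes the stored name unescaped becomes a stored-XSS sink (the child issues below list ten of them). The PHP below is an added illustration and is not MantisBT's code. The `example_`-prefixed functions are hypothetical stand-ins; in particular `example_realname_is_valid()` is an assumed rule set and does not reproduce what MantisBT's `user_ensure_realname_valid()` actually checks. It models the update handler before and after the fix, and also shows why encoding at the output sink is the control that holds even when an input check is missed on some code path.

```php
<?php
// Added example for issue 0011234 (not MantisBT code). Models a self-service
// account update path that skipped the real-name check the manager-side path
// already enforced, and the fixed path that enforces it. All example_* names
// and the validation rule itself are assumptions for illustration.

declare(strict_types=1);

// Hypothetical stand-in for user_is_realname_valid(): non-empty, bounded
// length, and free of the characters that break out of an HTML text node or
// attribute. preg_match() returns 0 only on a clean non-match; an error
// (false) is treated as invalid, so the check fails closed.
function example_realname_is_valid(string $realname): bool
{
    $trimmed = trim($realname);
    if ($trimmed === '' || strlen($trimmed) > 128) {
        return false;
    }
    return preg_match('/[<>"\']/', $trimmed) === 0;
}

// Hypothetical stand-in for user_ensure_realname_valid(): abort the request
// instead of storing the value.
function example_ensure_realname_valid(string $realname): void
{
    if (!example_realname_is_valid($realname)) {
        throw new InvalidArgumentException('Invalid real name');
    }
}

// Before the fix: the self-service path stored whatever the user submitted.
function example_account_update_vulnerable(array $user, array $post): array
{
    $user['realname'] = $post['realname'];   // no validation at all
    return $user;
}

// After the fix: the same check the manager-side page already ran.
function example_account_update_fixed(array $user, array $post): array
{
    example_ensure_realname_valid($post['realname']);
    $user['realname'] = $post['realname'];
    return $user;
}

// Output side as in the child issues: the stored name echoed raw into HTML.
function example_render_raw(array $user): string
{
    return '<td>' . $user['realname'] . '</td>';
}

// Defence in depth: encode at the sink regardless of what the store holds.
function example_render_escaped(array $user): string
{
    return '<td>' . htmlspecialchars($user['realname'], ENT_QUOTES, 'UTF-8') . '</td>';
}

// Constructed input: the payload quoted in the issue description.
$payload = ['realname' => '<script>alert(42);</script>'];
$user    = ['id' => 1, 'username' => 'alice', 'realname' => 'Alice'];

// Vulnerable path: the script tag is stored and lands in the page.
$stored = example_account_update_vulnerable($user, $payload);
echo example_render_raw($stored), PHP_EOL;
// Same stored value, but escaped at render time: inert text.
echo example_render_escaped($stored), PHP_EOL;

// Fixed path: the request is rejected before anything is stored.
try {
    example_account_update_fixed($user, $payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// A legitimate name passes both the check and the escaped render.
$ok = example_account_update_fixed($user, ['realname' => 'Alice Example']);
echo example_render_escaped($ok), PHP_EOL;
```

The point to take from the two update functions is that a validation helper is only a control where it is actually called: every write path to the same field (self-service, manager edit, import, API) has to run it. The two render functions make the complementary point that the ten sinks in the child issues were only exploitable because they emitted the name raw; `htmlspecialchars()` at each sink would have neutralised the payload even before `account_update.php` was fixed.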

Tags: No tags attached.

Relationships

parent of 0011232 (closed, dhx): XSS on summary_page.php with user Real Name field
parent of 0011233 (closed, dhx): XSS on adm_config_report.php with user Real Name field
parent of 0011235 (closed, dhx): XSS on manage_tags_page.php with user Real Name field
parent of 0011236 (closed, dhx): XSS on view_all_bug_page.php (specifically the filters form) with user Real Name field
parent of 0011237 (closed, dhx): XSS on tag_view_page.php with user Real Name field
parent of 0011238 (closed, dhx): XSS on tag_update_page.php with user Real Name field
parent of 0011239 (closed, dhx): XSS on view_user_page.php with user Real Name field
parent of 0011240 (closed, dhx): XSS on bug_revision_view_page.php with user Real Name field
parent of 0011241 (closed, dhx): XSS on manage_proj_page.php with user Real Name field
parent of 0011242 (closed, dhx): XSS on manage_proj_edit_page.php with user Real Name field

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master-1.2.x 9c0f46d6
2009-12-01 01:39, dhx

Fix 0011234: Validate user name and email on account_page.php

manage_user_edit_page.php correctly validates the real name and email
address of user accounts that are updated by managers/admins. However,
the user account update page (account_page.php) doesn't perform these
validation checks, allowing users to set their real name and email
address to invalid and potentially unsafe strings.

Affected Issues: 0011234
mod - account_update.php

MantisBT: master 0789144e
2009-12-01 01:39, dhx

Fix 0011234: Validate user name and email on account_page.php

manage_user_edit_page.php correctly validates the real name and email
address of user accounts that are updated by managers/admins. However,
the user account update page (account_page.php) doesn't perform these
validation checks, allowing users to set their real name and email
address to invalid and potentially unsafe strings.

Affected Issues: 0011234
mod - account_update.php