View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0011234 | mantisbt | security | public | 2009-12-01 00:04 | 2010-02-22 14:34 |
Reporter | dhx | Assigned To | dhx | ||
Priority | urgent | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 1.2.0 | ||||
Target Version | 1.2.0 | Fixed in Version | 1.2.0 | ||
Summary | 0011234: user_ensure_realname_valid() is not checked on account_page.php | ||||
Description | Users are free to change their real name to things like "<script>alert(42);</script>" when updating their real name from account_page.php. manage_user_edit_page() is safe against this bug as it does perform the required user_ensure_realname_valid() check. | ||||
Tags | No tags attached. | ||||
parent of | 0011232 | closed | dhx | XSS on summary_page.php with user Real Name field |
parent of | 0011233 | closed | dhx | XSS on adm_config_report.php with user Real Name field |
parent of | 0011235 | closed | dhx | XSS on manage_tags_page.php with user Real Name field |
parent of | 0011236 | closed | dhx | XSS on view_all_bug_page.php (specifically the filters form) with user Real Name field |
parent of | 0011237 | closed | dhx | XSS on tag_view_page.php with user Real Name field |
parent of | 0011238 | closed | dhx | XSS on tag_update_page.php with user Real Name field |
parent of | 0011239 | closed | dhx | XSS on view_user_page.php with user Real Name field |
parent of | 0011240 | closed | dhx | XSS on bug_revision_view_page.php with user Real Name field |
parent of | 0011241 | closed | dhx | XSS on manage_proj_page.php with user Real Name field |
parent of | 0011242 | closed | dhx | XSS on manage_proj_edit_page.php with user Real Name field |
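The issue above is a missing-validation bug: the validator exists and is called on the manager/admin edit path, but the self-service account update path writes the submitted value straight to the database, and every page that later prints the stored real name (the child issues listed above) becomes an XSS sink. The following is an added example, not MantisBT's own code: `ensure_realname_valid()`, `account_update_vulnerable()`, `account_update_fixed()` and `render_realname()` are hypothetical stand-ins modelled on the pattern the issue describes, and the payload is constructed for the demonstration. It shows the write path without and with the check, plus the output-encoding step that every display page still needs as a second line of defence.

```php
<?php
// Added example, not MantisBT code. Hypothetical helpers modelled on the
// pattern this issue describes: a validity check that must run on EVERY
// write path, plus output encoding on EVERY read path.

class ValidationError extends Exception {}

// Hypothetical validator, standing in for user_ensure_realname_valid().
// It rejects empty/overlong names, control characters, and any character
// that is syntactically active in an HTML context.
function ensure_realname_valid(string $realname): void {
    $trimmed = trim($realname);
    if ($trimmed === '' || mb_strlen($trimmed, 'UTF-8') > 128) {
        throw new ValidationError('real name length out of range');
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $trimmed)) {
        throw new ValidationError('real name contains control characters');
    }
    if (preg_match('/[<>"\'&]/u', $trimmed)) {
        throw new ValidationError('real name contains disallowed characters');
    }
}

// Before (the account_update.php situation the issue reports): the
// self-service path trusts the submitted value and stores it as-is.
function account_update_vulnerable(array $post, array &$user): void {
    $user['realname'] = $post['realname'];
}

// After: the same check the manager/admin edit path already performs is
// applied here too, so an attacker cannot store the payload at all.
function account_update_fixed(array $post, array &$user): void {
    ensure_realname_valid($post['realname']);
    $user['realname'] = $post['realname'];
}

// Defence in depth: pages that print the stored value must still escape it,
// because validation can be bypassed (older rows, imports, other write paths).
function render_realname(string $realname): string {
    return htmlspecialchars($realname, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed demonstration input (the payload quoted in the issue).
$user    = ['realname' => 'Alice'];
$payload = ['realname' => '<script>alert(42);</script>'];

account_update_vulnerable($payload, $user);
echo "vulnerable path stored : {$user['realname']}\n";
echo "escaped at render time : " . render_realname($user['realname']) . "\n";

$user = ['realname' => 'Alice'];
try {
    account_update_fixed($payload, $user);
    echo "fixed path stored      : {$user['realname']}\n";
} catch (ValidationError $e) {
    echo "fixed path rejected    : " . $e->getMessage() . "\n";
}
```

Run with `php example.php`: the vulnerable path stores the script tag verbatim (and only `render_realname()` keeps it inert), while the fixed path rejects the update before anything is written. Both layers matter: the validation fix closes this issue, and the per-page escaping is what closes the child issues, since any page that echoes the field unescaped is exploitable by whatever value has already reached the database.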
MantisBT: master-1.2.x 9c0f46d6 2009-12-01 01:39 Details Diff |
Fix 0011234: Validate user name and email on account_page.php. manage_user_edit_page.php correctly validates the real name and email address of user accounts that are updated by managers/admins. However, the user account update page (account_page.php) doesn't perform these validation checks, allowing users to set their real name and email address to invalid and potentially unsafe strings. |
Affected Issues 0011234 |
|
mod - account_update.php | Diff File | ||
MantisBT: master 0789144e 2009-12-01 01:39 Details Diff |
Fix 0011234: Validate user name and email on account_page.php. manage_user_edit_page.php correctly validates the real name and email address of user accounts that are updated by managers/admins. However, the user account update page (account_page.php) doesn't perform these validation checks, allowing users to set their real name and email address to invalid and potentially unsafe strings. |
Affected Issues 0011234 |
|
mod - account_update.php | Diff File |