View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0017338 | mantisbt | security | public | 2014-05-14 14:15 | 2014-12-22 08:21 |
Reporter | grangeway | Assigned To | dregad | ||
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | closed | Resolution | fixed | ||
Target Version | 1.2.18 | Fixed in Version | 1.2.18 | ||
Summary | 0017338: Login_page.php: Ensure username is valid | ||||
Description | This is a fix to improve the behaviour of login_page against possible XSS exploits to ensure that a username is valid before displaying it back to the user when entered. Effectively, I believe this to be a false positive from a security scanning tool due to our use of string_attribute(), however as a defense in depth type of measure: a) we pass ?username= as a query param, back to logon page if a logon is failed. The patch contained against this bug tightens our handling of the username field by passing it to user_is_name_valid (P.S. that's a really annoying function name for a user's username when we also have real names :)). The user_is_name_valid function currently checks the length is not too long, and that it matches user_login_valid_regex which by default is alpha-numeric. For a user entering a reasonable attempt at a username and a password, the behaviour remains the same. For a user attempting to enter something like "<html style="foo">alert()" or similar, as this may exceed the username length and/or is likely to include invalid characters, the form will return to a blank username and password field to be completed, as if the user visited the logon page for the first time. | ||||
Tags | patch | ||||
Attached Files | 17338.patch (449 bytes)
diff --git a/login_page.php b/login_page.php index e00aee9..e32f195 100644 --- a/login_page.php +++ b/login_page.php @@ -102,6 +102,11 @@ if ( $t_session_validation ) { } } +# Check username is valid if provided +if( !user_is_name_valid( $f_username ) ) { + $f_username = ''; +} + # Determine whether the username or password field should receive automatic focus. $t_username_field_autofocus = 'autofocus'; $t_password_field_autofocus = ''; | ||||
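Review bot: The comment on the added block says "if provided", but the condition calls user_is_name_valid( $f_username ) unconditionally, so an empty username (a first visit to the page) is run through the validator as well. The result is the same either way, since the field ends up empty, but the comment and the code should agree: either guard the call with a non-empty check on $f_username or drop "if provided" from the comment. Because the description notes that user_is_name_valid relies on user_login_valid_regex, which is only alphanumeric by default, it would also help to say in the comment that this check is defence in depth and that string_attribute() at output remains the escaping control, so a later loosening of the regex is not mistaken for a safe change.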
Patch attached. I've added this here as a private issue to ensure it can be evaluated properly in case my false positive analysis for an XSS issue is an incorrect determination. |
|
I don't believe there is a vulnerability here, but anyway this can't hurt. I see no issue with this patch. |
|
MantisBT: master-1.2.x d6e16b6f 2014-10-30 14:43 Paul Richards Committer: dregad Details Diff |
Ensure username is valid in login_page.php This is a fix to improve the behaviour of login_page against possible XSS exploits to ensure that a username is valid before displaying it back to the user when entered. Fixes 0017338 Signed-off-by: Damien Regad <dregad@mantisbt.org> |
Affected Issues 0017338 |
|
mod - login_page.php | Diff File | ||
MantisBT: master 3bb2bee6 2014-10-30 14:43 Paul Richards Committer: dregad Details Diff |
Ensure username is valid in login_page.php This is a fix to improve the behaviour of login_page against possible XSS exploits to ensure that a username is valid before displaying it back to the user when entered. Fixes 0017338 Signed-off-by: Damien Regad <dregad@mantisbt.org> |
Affected Issues 0017338 |
|
mod - login_page.php | Diff File |