View Issue Details

ID: 0019277
Project: mantisbt
Category: security
View Status: public
Last Update: 2015-03-15 19:58
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.3.0-beta.1
Target Version: 1.3.0-beta.2
Fixed in Version: 1.3.0-beta.2
Summary: 0019277: CVE-2014-9573: SQL Injection in manage_user_page.php
Description

This is a clone of 0017940 to track the vulnerability in the 1.3.x branch.

Additional Information

Advisory ID: HTB23243
Reference: https://www.htbridge.com/advisory/HTB23243

Original report in 0017937

Tags: No tags attached.

Relationships

duplicate of 0017940 closed dregad CVE-2014-9573: SQL Injection in manage_user_page.php

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master 7cc4539f

2014-12-27 12:34:25

dregad

Fix SQL injection in manage_user_page.php

This vulnerability (CVE-2014-9573) was reported by High-Tech Bridge
Security Research Lab (https://www.htbridge.com/) in issue 0017937
(advisory ID HTB23243).

To avoid injection, the parameters we get from the cookie are now
properly sanitized before being used in the SQL query.

Fixes 0017940
mod - manage_user_page.php

Issue History

Date Modified Username Field Change
2015-01-27 04:50 dregad New Issue
2015-01-27 04:50 dregad Status new => assigned
2015-01-27 04:50 dregad Assigned To => dregad
2015-01-27 04:50 dregad Issue generated from: 0017940
2015-01-27 04:50 dregad Relationship added duplicate of 0017940
2015-01-27 04:52 dregad Status assigned => resolved
2015-01-27 04:52 dregad Fixed in Version => 1.3.0-beta.2
2015-01-27 04:52 dregad Resolution open => fixed
2015-01-27 04:55 dregad Changeset attached => MantisBT master 7cc4539f
2015-03-15 19:58 dregad Status resolved => closed