View Issue Details
Field | Value |
---|---|
ID | 0007784 |
Project | mantisbt |
Category | security |
View Status | public |
Date Submitted | 2007-02-25 10:52 |
Last Update | 2007-12-21 04:17 |
Reporter | lxg |
Assigned To | vboctor |
Priority | normal |
Severity | major |
Reproducibility | always |
Status | closed |
Resolution | fixed |
Platform | all |
OS | all |
OS Version | all |
Product Version | 1.0.6 |
Target Version | 1.0.7 |
Fixed in Version | 1.0.7 |
Summary | 0007784: XSS vulnerabilities |
Description | There are multiple Cross-Site Scripting issues in MantisBT. For example, a user can insert JavaScript into his Full Name, thus making every client execute the JS when accessing a page displaying this information. |
Steps To Reproduce | |
Additional Information | Usually some HTML should be allowed, but malicious HTML should be filtered out. There are some open-source libraries available (e.g. KSES) which do such HTML filtering. Alternatively (or as a workaround), the PHP function strip_tags() will eliminate undesired HTML tags. It does, however, not discriminate on attributes, as KSES et al. do. |
Tags | No tags attached. |
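The contrast the report draws between strip_tags() and an attribute-aware filter such as KSES, shown in PHP (7.1 or later) as an added example that is neither MantisBT's code nor the reporter's: filter_html() and its allowlist are hypothetical helpers written here, and the Full Name value is constructed.

```php
<?php
// Added example, not MantisBT code: strip_tags() with an allowed-tag list
// keeps attributes verbatim; an attribute allowlist is what removes script.

// Constructed sample "Full Name": tags a site might allow, with the script
// carried in attributes rather than in the tags themselves.
$fullName = 'Jane <b onmouseover="alert(1)">Doe</b> <a href="javascript:alert(1)">site</a>';

// strip_tags() keeps <b> and <a> exactly as written, attributes included.
$viaStripTags = strip_tags($fullName, '<b><a>');

// Hypothetical helper: keep only allowlisted tags, and on those only
// allowlisted attributes; href must be an http(s) URL. Text outside tags is
// left untouched; a full filter would also normalise entities.
function filter_html(string $html, array $allowed): string
{
    return preg_replace_callback(
        '#<(/?)([a-zA-Z0-9]+)([^>]*)>#',
        function (array $m) use ($allowed): string {
            [$whole, $slash, $tag, $attrs] = $m;
            $tag = strtolower($tag);
            if (!isset($allowed[$tag])) {
                // Not allowlisted: show it as literal text, not markup.
                return htmlspecialchars($whole, ENT_QUOTES, 'UTF-8');
            }
            if ($slash === '/') {
                return "</$tag>";
            }
            $kept = '';
            // Only quoted name="value" pairs are considered; anything else
            // in the tag (unquoted or bare attributes) is dropped.
            preg_match_all('#([a-zA-Z-]+)\s*=\s*(["\'])(.*?)\2#', $attrs, $pairs, PREG_SET_ORDER);
            foreach ($pairs as $p) {
                $name = strtolower($p[1]);
                $value = $p[3];
                if (!in_array($name, $allowed[$tag], true)) {
                    continue; // drops every on* handler, style, etc.
                }
                if ($name === 'href' && !preg_match('#^https?://#i', $value)) {
                    continue; // rejects javascript:, data: and similar schemes
                }
                $kept .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
            }
            return "<$tag$kept>";
        },
        $html
    );
}

$viaAllowlist = filter_html($fullName, ['b' => [], 'a' => ['href']]);
```

Comparing $viaStripTags with $viaAllowlist shows the gap the report describes: the first still carries the event handler and the javascript: URL, the second keeps only the bare allowed tags.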