View Issue Details

| Field | Value |
|---|---|
| ID | 0008756 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2008-01-16 16:15 |
| Last Update | 2008-01-27 17:45 |
| Reporter | Borszczuk |
| Assigned To | giallu |
| Priority | normal |
| Severity | minor |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Platform / OS / OS Version | (not set) |
| Product Version | 1.1.0 |
| Target Version | (not set) |
| Fixed in Version | 1.1.1 |
| Summary | 0008756: "Most active bugs" summary XSS vulnerability |
| Description | I disabled all HTML tags using g_html_valid_tags but still, in "Most Active" on the "Summary" screen, tags are not escaped as expected. |
| Tags | No tags attached. |
| Attached Files | (none) |
Notes

Borszczuk (reporter) 2008-01-16 16:15 (edited on 2008-01-16 16:16)
See bug 0008723 for additional details.

giallu (developer) 2008-01-16 18:42
Actually, it does not need to take into account g_html_valid_tags, but just avoid showing them as is: this is an XSS vector, so I'm moving the bug to the correct category.

giallu (developer) 2008-01-16 18:51
Also fixed in trunk.

giallu (developer) 2008-01-27 17:45
Security advisories:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0404
http://secunia.com/advisories/28577/
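The point giallu makes in the notes above is that a stored summary must be encoded at the point of output, not filtered through the g_html_valid_tags allowlist. The following PHP is an added illustration of that distinction and is not MantisBT's own code: the sample summaries, the function names and the table layout are constructed for this example.

```php
<?php
// Added example, not from MantisBT's summary_api.php. It contrasts printing
// a stored bug summary verbatim with HTML-encoding it for the text context.

// Constructed sample rows, as they might be read back from the bug table.
$summaries = [
    ['id' => 101, 'summary' => 'Login fails with <b>valid</b> password', 'notes' => 7],
    ['id' => 102, 'summary' => 'Crash on save <script>alert(1)</script>',  'notes' => 5],
];

// Vulnerable pattern: whatever markup the reporter typed becomes part of the
// page for every user who opens the "Most active bugs" summary screen.
function render_row_unescaped(array $bug): string
{
    return sprintf('<tr><td>%d</td><td>%s</td><td>%d</td></tr>',
        $bug['id'], $bug['summary'], $bug['notes']);
}

// Hardened pattern: encode for the HTML text context at output time.
// ENT_QUOTES also makes the value safe inside attributes; the explicit
// charset avoids multibyte edge cases; ENT_SUBSTITUTE keeps invalid byte
// sequences from silently producing an empty string.
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_row_escaped(array $bug): string
{
    return sprintf('<tr><td>%d</td><td>%s</td><td>%d</td></tr>',
        (int) $bug['id'], html_escape($bug['summary']), (int) $bug['notes']);
}

foreach ($summaries as $bug) {
    echo "unescaped: " . render_row_unescaped($bug) . "\n";
    echo "escaped:   " . render_row_escaped($bug) . "\n";
}
```

Note that the escaped row still shows the reporter's literal text (the `<b>` and `<script>` characters appear on screen as text), which is exactly what a tag allowlist cannot guarantee once the value reaches a different rendering path.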
Related Changesets

MantisBT: master 294d34c3
Timestamp: 2008-01-16 23:50:45
Author: giallu
Fix 8756: "Most active bugs" summary XSS vulnerability
git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@4897 f5dc347c-c33d-0410-90a0-b07cc1902cb9
mod - core/summary_api.php

MantisBT: master-1.1.x fabe3938
Timestamp: 2008-01-16 23:43:56
Author: giallu
Fix 8756: "Most active bugs" summary XSS vulnerability
git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0@4896 f5dc347c-c33d-0410-90a0-b07cc1902cb9
mod - core/summary_api.php
Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2008-01-16 16:15 | Borszczuk | New Issue | |
| 2008-01-16 16:15 | Borszczuk | Note Added: 0016680 | |
| 2008-01-16 16:16 | Borszczuk | Note Edited: 0016680 | |
| 2008-01-16 18:42 | giallu | Note Added: 0016684 | |
| 2008-01-16 18:42 | giallu | Category | other => security |
| 2008-01-16 18:42 | giallu | Summary | "Summary/Most Acitve" does not pay much attention to config's g_html_valid_tags setting => "Most active bugs" summary XSS vulnerability |
| 2008-01-16 18:51 | giallu | Status | new => resolved |
| 2008-01-16 18:51 | giallu | Fixed in Version | => 1.1.1 |
| 2008-01-16 18:51 | giallu | Resolution | open => fixed |
| 2008-01-16 18:51 | giallu | Assigned To | => giallu |
| 2008-01-16 18:51 | giallu | Note Added: 0016685 | |
| 2008-01-19 04:24 | vboctor | Status | resolved => closed |
| 2008-01-27 17:45 | giallu | Note Added: 0016854 | |
| 2008-10-20 20:20 | Changeset attached | master-1.1.x a2e175f8 => | |
| 2008-10-21 11:46 | Changeset attached | master f8d9c650 => | |
| 2008-11-11 08:34 | giallu | Changeset attached | master 294d34c3 => |
| 2008-11-11 08:47 | giallu | Changeset attached | master 294d34c3 => |
| 2008-11-11 09:03 | giallu | Changeset attached | master-1.1.x fabe3938 => |