Piwigo bug tracker has moved to Github
This bugtracker is kept to provide history on old issues.
ID | Project | Category | View Status | Date Submitted | Last Update
0002280 | Piwigo | security | public | 2011.04.26 13:25 | 2011.05.31 22:34
Reporter | stim
Assigned To | plg
Priority | high | Severity | minor | Reproducibility | always
Status | closed | Resolution | fixed
Platform | | OS | | OS Version |
Product Version | 2.2.1
Target Version | 2.2.2 | Fixed in Version | 2.2.2
Summary | 0002280: Input of language on profile pages is not verified
Description | By manipulation of the profile form it is possible to insert bogus values for the language field into the database. Instead, the desired behaviour would be to reject or ignore the incorrect input.
Steps To Reproduce | Open edit profile page. Change the language field to a text-type input. Change to anything you like. This will be updated in the database.
Tags | No tags attached.
browser | any
Database engine and version |
PHP version |
Web server | Apache 1.3.x
Attached Files |
(0005054) stim (reporter) 2011.04.26 13:35
Particularly nasty because of a bug in AMM, see 0002281.
(0005056) stim (reporter) 2011.04.26 13:49
Same holds for theme selection. Maybe all drop down boxes are vulnerable?
(0005168) svn (reporter) 2011.05.31 22:32
[Subversion] r11157 by plg on branch 2.2
-----[Subversion commit log]-----
bug 2280 fixed: check language and theme values before updating database. The posted value must match an expected value, this is not a free text field.
(0005169) svn (reporter) 2011.05.31 22:32
[Subversion] r11159 by plg on trunk
-----[Subversion commit log]-----
merge r11157 from branch 2.2 to trunk
bug 2280 fixed: check language and theme values before updating database. The posted value must match an expected value, this is not a free text field.
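Added example, not part of the original issue and not Piwigo's code: a server-side allowlist check of the kind the commit log describes, where a posted drop-down value is stored only if it matches one of the values the server offered. The function name, option lists and request below are constructed for illustration.

```php
<?php
// Added example: names below are hypothetical, not taken from Piwigo's source.

/**
 * Validate drop-down fields of a profile form against the values the server
 * offered. Returns [accepted, rejected]: accepted maps field => value that is
 * safe to store; rejected lists fields whose posted value was not offered.
 */
function filter_select_fields(array $post, array $choices): array
{
    $accepted = [];
    $rejected = [];
    foreach ($choices as $field => $allowed) {
        if (!array_key_exists($field, $post)) {
            continue; // field not submitted: leave the stored value untouched
        }
        $value = $post[$field];
        // Non-strings (e.g. language[]=x arrives as an array) are never valid;
        // strict in_array() avoids loose-comparison matches.
        if (is_string($value) && in_array($value, $allowed, true)) {
            $accepted[$field] = $value;
        } else {
            $rejected[] = $field;
        }
    }
    return [$accepted, $rejected];
}

// Constructed sample data: the option lists the server rendered into the form.
$choices = [
    'language' => ['en_UK', 'fr_FR', 'de_DE'],
    'theme'    => ['clear', 'elegant'],
];

// Constructed request: the language <select> was turned into a text input.
$post = ['language' => 'not-a-language', 'theme' => 'elegant'];

[$accepted, $rejected] = filter_select_fields($post, $choices);

// $accepted is what may go into the UPDATE; $rejected drives the error message.
print_r($accepted);
print_r($rejected);
```

Driving the check from one map of field to allowed values covers every drop-down on the form, which addresses the question raised in note 0005056.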
Date Modified | Username | Field | Change |
2011.04.26 13:25 | stim | New Issue | |
2011.04.26 13:25 | stim | browser | => any |
2011.04.26 13:25 | stim | Web server | => Apache 1.3.x |
2011.04.26 13:35 | stim | Note Added: 0005054 | |
2011.04.26 13:49 | stim | Note Added: 0005056 | |
2011.04.27 15:32 | plg | Assigned To | => plg |
2011.04.27 15:32 | plg | Status | new => assigned |
2011.04.27 15:32 | plg | Target Version | => 2.2.2 |
2011.05.31 22:32 | svn | Checkin | |
2011.05.31 22:32 | svn | Note Added: 0005168 | |
2011.05.31 22:32 | svn | Checkin | |
2011.05.31 22:32 | svn | Note Added: 0005169 | |
2011.05.31 22:34 | plg | Priority | normal => high |
2011.05.31 22:34 | plg | Status | assigned => closed |
2011.05.31 22:34 | plg | Resolution | open => fixed |
2011.05.31 22:34 | plg | Fixed in Version | => 2.2.2 |