Piwigo Bugtracker

Viewing Issue Advanced Details
ID: 0002234
Category: [Piwigo] security
Severity: major
Reproducibility: always
Date Submitted: 2011.03.29 00:11
Last Update: 2011.09.30 10:18
Reporter: LucMorizur
View Status: public
Assigned To: Pat
Priority: normal
Resolution: fixed
Platform: Any
Status: closed
OS: Any
Projection: none
OS Version: Any
ETA: none
Fixed in Version: 2.1.7
Product Version: 2.2.0RC4
Target Version:
Product Build:
Summary: 0002234: HTML characters are allowed in username
Description: If you create an account with the following username:

P<script>window.open('http://piwigo.org');</script>

then the page http://piwigo.org will be opened when this username is displayed, at least in administration pages (I could not make that happen in public pages).
Steps To Reproduce: Create an account with the following username:

P<script>window.open('http://piwigo.org');</script>

and look at the users management pages.
Additional Information:
Tags: No tags attached.
browser: any
Database engine and version:
PHP version:
Web server: Apache 1.3.x
Attached Files:

- Relationships

-  Notes
(0004919)
svn (reporter)
2011.03.29 21:30

[Subversion] r9923 by patdenice on trunk

-----[Subversion commit log]----------------------------------------------------
bug:2234
HTML characters are allowed in username
(0004920)
svn (reporter)
2011.03.29 21:59

[Subversion] r9929 by patdenice on branch 2.1

-----[Subversion commit log]----------------------------------------------------
merge r9923 from trunk to branch 2.1
bug:2234
HTML characters are allowed in username
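The defect the two commits above address is output of a stored username into administration HTML without encoding. The following is an added PHP example, not Piwigo's own code: it shows the unsafe rendering beside the encoded form, a registration-time check that rejects HTML-significant characters, and a scan an administrator could run over existing account names after applying the fix. The function names and the sample user list are assumptions.

```php
<?php
// Added example (not Piwigo's code): output encoding, input validation
// and a post-fix scan for a username field, shown on the payload from
// this report. Function names and the $users array are assumptions.

declare(strict_types=1);

// Vulnerable pattern: the raw username is interpolated into HTML, so
// any markup stored in the account name reaches the administrator's browser.
function render_user_row_unsafe(string $username): string
{
    return "<tr><td>$username</td></tr>";
}

// Hardened pattern: encode at the HTML boundary. ENT_QUOTES also covers the
// single quote, which matters when the value lands inside an attribute.
function render_user_row(string $username): string
{
    $safe = htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<tr><td>$safe</td></tr>";
}

// Defence in depth: refuse HTML-significant characters at registration so
// the stored value is clean even if some template forgets to encode.
function username_is_acceptable(string $username): bool
{
    return $username !== ''
        && strlen($username) <= 100
        && preg_match('/[<>&"\'\\\\]/', $username) !== 1;
}

// Detection: list accounts whose names already carry such characters
// (what to run on the user table once the fixed version is deployed).
function find_suspicious_usernames(array $usernames): array
{
    return array_values(array_filter(
        $usernames,
        fn(string $u): bool => !username_is_acceptable($u)
    ));
}

// Constructed sample data: the payload from this report plus ordinary names.
$payload = "P<script>window.open('http://piwigo.org');</script>";
$users   = ['alice', $payload, 'bob'];

echo render_user_row_unsafe($payload), PHP_EOL; // markup is emitted as-is
echo render_user_row($payload), PHP_EOL;        // markup is emitted as encoded text
print_r(find_suspicious_usernames($users));      // only the payload account is listed
```

Encoding belongs at every output point, not only on the users management page the reporter checked; the validation and scan reduce exposure from templates that were missed.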

- Issue History
Date Modified Username Field Change
2011.03.29 00:11 LucMorizur New Issue
2011.03.29 00:11 LucMorizur browser => any
2011.03.29 00:11 LucMorizur Web server => Apache 1.3.x
2011.03.29 21:30 Pat Status new => assigned
2011.03.29 21:30 Pat Assigned To => Pat
2011.03.29 21:30 svn Checkin
2011.03.29 21:30 svn Note Added: 0004919
2011.03.29 21:59 svn Checkin
2011.03.29 21:59 svn Note Added: 0004920
2011.03.29 22:01 Pat Status assigned => resolved
2011.03.29 22:01 Pat Fixed in Version => 2.1.7
2011.03.29 22:01 Pat Resolution open => fixed
2011.09.30 10:18 plg Status resolved => closed


Mantis 1.1.6
Copyright © 2000 - 2008 Mantis Group
Powered by Mantis Bugtracker