Piwigo Bugtracker

View Issue Details

ID: 0002280
Project: Piwigo
Category: security
View Status: public
Date Submitted: 2011.04.26 13:25
Last Update: 2011.05.31 22:34
Reporter: stim
Assigned To: plg
Priority: high
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.2.1
Target Version: 2.2.2
Fixed in Version: 2.2.2
Summary: 0002280: Input of language on profile pages is not verified
Description: By manipulation of the profile form it is possible to insert bogus values for the language field into the database.

Instead, the desired behaviour would be to reject or ignore the incorrect input.
Steps To Reproduce:
Open edit profile page.
Change the language field to a text-type input.
Change to anything you like.
This will be updated in the database.

Tags: No tags attached.
browser: any
Web server: Apache 1.3.x

Notes
(0005054)
stim (reporter)
2011.04.26 13:35

Particularly nasty because of a bug in AMM, see 0002281.
(0005056)
stim (reporter)
2011.04.26 13:49

Same holds for theme selection.
Maybe all drop down boxes are vulnerable?
(0005168)
svn (reporter)
2011.05.31 22:32

[Subversion] r11157 by plg on branch 2.2

-----[Subversion commit log]----------------------------------------------------
bug 2280 fixed: check language and theme values before updating database. The
posted value must match an expected value, this is not a free text field.
(0005169)
svn (reporter)
2011.05.31 22:32

[Subversion] r11159 by plg on trunk

-----[Subversion commit log]----------------------------------------------------
merge r11157 from branch 2.2 to trunk

bug 2280 fixed: check language and theme values before updating database. The
posted value must match an expected value, this is not a free text field.
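The check the commit log describes, as an added illustration rather than Piwigo's own code: a value posted for a field that the form renders as a drop-down is only accepted if it matches one of the installed languages or themes, and anything else is rejected instead of being written to the database. The language and theme lists are constructed sample data standing in for whatever the application enumerates from its installed packages.

```python
"""Server-side allowlist check for profile fields rendered as <select> menus.
Illustrates the fix for bug 2280; this is example code, not Piwigo's."""

# Constructed sample of installed languages/themes (keys are the stored codes,
# values are the labels the form shows). The real application would build
# these from what is actually installed.
INSTALLED_LANGUAGES = {"en_UK": "English [UK]", "fr_FR": "Francais [FR]"}
INSTALLED_THEMES = {"elegant": "Elegant", "clear": "Clear"}

# One source of truth: the same tables drive both the <option> list and the
# server-side check, so the UI and the validation cannot drift apart.
ALLOWED = {"language": INSTALLED_LANGUAGES, "theme": INSTALLED_THEMES}


def render_options(field: str) -> list:
    """(value, label) pairs for the drop-down, taken from the allowlist."""
    return sorted(ALLOWED[field].items())


def unsafe_profile_update(current: dict, posted: dict) -> dict:
    """The vulnerable shape from the report: whatever the client posts is
    written through. A <select> constrains only a well-behaved browser; a
    modified form can post any string (or a list via field[]=...)."""
    updated = dict(current)
    for field in ALLOWED:
        if field in posted:
            updated[field] = posted[field]
    return updated


def validated_profile_update(current: dict, posted: dict) -> tuple:
    """Hardened shape: a posted value is accepted only if it is a string that
    names an installed language/theme (a key, not a display label). Rejected
    fields keep their stored value and are returned so the caller can log
    the attempt and show an error instead of saving."""
    updated = dict(current)
    rejected = []
    for field, allowed in ALLOWED.items():
        if field not in posted:
            continue  # field untouched: nothing to validate
        value = posted[field]
        if isinstance(value, str) and value in allowed:
            updated[field] = value
        else:
            rejected.append(field)
    return updated, rejected
```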


Issue History
Date Modified Username Field Change
2011.04.26 13:25 stim New Issue
2011.04.26 13:25 stim browser => any
2011.04.26 13:25 stim Web server => Apache 1.3.x
2011.04.26 13:35 stim Note Added: 0005054
2011.04.26 13:49 stim Note Added: 0005056
2011.04.27 15:32 plg Assigned To => plg
2011.04.27 15:32 plg Status new => assigned
2011.04.27 15:32 plg Target Version => 2.2.2
2011.05.31 22:32 svn Checkin
2011.05.31 22:32 svn Note Added: 0005168
2011.05.31 22:32 svn Checkin
2011.05.31 22:32 svn Note Added: 0005169
2011.05.31 22:34 plg Priority normal => high
2011.05.31 22:34 plg Status assigned => closed
2011.05.31 22:34 plg Resolution open => fixed
2011.05.31 22:34 plg Fixed in Version => 2.2.2