MantisBT: master-1.3.x 17f9b94f

Author Committer Branch Timestamp Parent
dregad dregad master-1.3.x 2017-08-01 03:00 master-1.3.x b78fd043
Affected Issues  0023146: CVE-2017-12061: XSS in /admin/install.php script
 0023175: CVE-2017-12061: XSS in /admin/install.php script
Changeset

Fix XSS in install.php (CVE-2017-12061)

aLLy from ONSEC (https://twitter.com/IamSecurity) reported this
vulnerability, allowing an attacker to inject arbitrary code through
crafted forms variables.

Sanitizing the database error message prior to output prevents the
attack.

Fixes 0023146

Backported from c73ae3d3d4dd4681489a9e697e8ade785e27cba5

mod - admin/install.php Diff File