MantisBT: master-2.5 c73ae3d3

Author: dregad
Committer: dregad
Branch: master-2.5
Timestamp: 2017-08-01 03:00
Parent: master-2.5 9b5b71da
Affected Issues: 0023146: CVE-2017-12061: XSS in /admin/install.php script
Changeset

Fix XSS in install.php (CVE-2017-12061)

aLLy from ONSEC (https://twitter.com/IamSecurity) reported this
vulnerability, allowing an attacker to inject arbitrary code through
crafted form variables.

Sanitizing the database error message prior to output prevents the
attack.

Fixes 0023146

mod - admin/install.php