View Issue Details

ID: 0027444
Project: mantisbt
Category: security
View Status: public
Last Update: 2020-12-30 07:37
Reporter: iohex
Assigned To: atrol
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 2.24.3
Target Version: 2.24.4
Fixed in Version: 2.24.4
Summary: 0027444: Printing unsanitized user input in install.php
Description

In install.php at line 1522, $f_admin_username is echoed as an HTML tag attribute, but string_attribute() is not used before the echo.

  • version: 2.24.3
  • path: admin/install.php
  • sink: line-1522 echo $f_admin_username
  • source: line-216 gpc_get('admin_username')
  • fix: echo string_attribute($f_admin_username)
Tags: No tags attached.
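As an added illustration of the reported sink and its fix (example code, not MantisBT's own): string_attribute() below is a stand-in for the real core/string_api.php function, and the input markup, the parsing check and the test username are constructed for this example.

```php
<?php
// Added example for issue 0027444, not MantisBT's own code.
// Stand-in for MantisBT's string_attribute() (core/string_api.php);
// the real one also wraps htmlspecialchars(), exact flags assumed.
function string_attribute( $p_string ) {
    return htmlspecialchars( (string)$p_string, ENT_QUOTES, 'UTF-8' );
}

// Before the fix: the sink at install.php line 1522, the request value
// from gpc_get('admin_username') written straight into value="...".
function render_vulnerable( $f_admin_username ) {
    return '<input type="text" name="admin_username" value="' . $f_admin_username . '" />';
}

// After the fix (PR 1708): the value is escaped for an attribute context.
function render_fixed( $f_admin_username ) {
    return '<input type="text" name="admin_username" value="' . string_attribute( $f_admin_username ) . '" />';
}

// Parse the markup as a browser would and return the attributes the
// <input> actually ends up with, so the attribute boundary can be checked.
function parsed_input_attributes( $p_html ) {
    $t_doc = new DOMDocument();
    $t_doc->loadHTML( '<!DOCTYPE html><html><body>' . $p_html . '</body></html>', LIBXML_NOERROR );
    $t_attrs = array();
    foreach( $t_doc->getElementsByTagName( 'input' )->item( 0 )->attributes as $t_attr ) {
        $t_attrs[$t_attr->name] = $t_attr->value;
    }
    return $t_attrs;
}

// Constructed test value: a username containing the attribute delimiter.
$t_username = 'admin" data-injected="yes';

$t_before = parsed_input_attributes( render_vulnerable( $t_username ) );
$t_after  = parsed_input_attributes( render_fixed( $t_username ) );

// Unsanitized: the quote ends value="" early and a new attribute appears.
if( $t_before['value'] !== 'admin' || !isset( $t_before['data-injected'] ) ) {
    throw new RuntimeException( 'expected the attribute boundary to break' );
}
// Sanitized: the whole string is the value and nothing escapes the attribute.
if( $t_after['value'] !== $t_username || isset( $t_after['data-injected'] ) ) {
    throw new RuntimeException( 'string_attribute() did not contain the input' );
}
echo "before: value=\"" . $t_before['value'] . "\"\n";
echo "after:  value=\"" . $t_after['value'] . "\"\n";
```

The same round-trip check (parse the rendered page, compare the attribute value with the submitted string) is a cheap regression test to keep beside any template that echoes request data into attributes.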

Activities

atrol (developer), 2020-10-28 07:00, note ~0064598

Thanks @iohex for reporting the issue.

PR https://github.com/mantisbt/mantisbt/pull/1708

Related Changesets

MantisBT: master-2.24 ab37fe37

2020-10-28 06:53:57

atrol

Sanitize admin username in install.php

Fixes 0027444

Affected Issues: 0027444

mod - admin/install.php