
Commit 9b5b71d

atrol authored and dregad committed
Fix XSS in manage_user_page.php (CVE-2017-12062)

trichimtrich (https://twitter.com/trichimtrich) reported this vulnerability, allowing an attacker to inject arbitrary code through a crafted 'filter' form variable.

Prevent the attack by sanitizing the variable before output.

Fixes #23166

Signed-off-by: Damien Regad <dregad@mantisbt.org>
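To make the commit's point concrete, here is an added example (not MantisBT code) that reproduces the hidden `<input>` line from the diff once without escaping and once with `htmlspecialchars()`-style attribute escaping. The `escape_attribute()` helper is an assumption standing in for MantisBT's `string_attribute()`; `render_filter_input()` and `value_attribute_intact()` are hypothetical helpers for the demonstration, and the filter string is a constructed sample that closes the `value` attribute and opens a new element.

```php
<?php
// Added example, not MantisBT code. It shows why the hidden <input> in
// manage_user_page.php needed escaping before the value was echoed.

// Assumed stand-in for MantisBT's string_attribute(): escape the characters
// that could terminate an attribute or start a tag. ENT_QUOTES covers both
// " and ' so the value cannot close the attribute whichever quote style is used.
function escape_attribute( string $value ): string {
    return htmlspecialchars( $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

// Hypothetical helper mirroring the template line from the diff, with a switch
// for the "before" (raw echo) and "after" (escaped) behaviour.
function render_filter_input( string $filter, bool $escape ): string {
    $value = $escape ? escape_attribute( $filter ) : $filter;
    return '<input type="hidden" name="filter" value="' . $value . '" />';
}

// Hypothetical check: parse the rendered markup the way a browser would and
// report whether it still consists of exactly one <input> and nothing else,
// i.e. whether the filter string stayed inside the value attribute.
function value_attribute_intact( string $html ): bool {
    $doc = new DOMDocument();
    $doc->loadHTML( '<!DOCTYPE html><html><body>' . $html . '</body></html>', LIBXML_NOERROR );
    $body = $doc->getElementsByTagName( 'body' )->item( 0 );
    $elements = 0;
    foreach ( $body->childNodes as $node ) {
        if ( $node instanceof DOMElement ) {
            $elements++;
        }
    }
    $inputs = $doc->getElementsByTagName( 'input' )->length;
    return $elements === 1 && $inputs === 1;
}

// Constructed sample input: closes the attribute and injects a new element.
$sample = '"><b>injected</b>';

$before = render_filter_input( $sample, false );
$after  = render_filter_input( $sample, true );

// Unescaped: the parser sees a second element, so markup was injected.
// Escaped: the whole string remains the attribute value.
echo 'raw echo keeps attribute intact:     ', var_export( value_attribute_intact( $before ), true ), PHP_EOL;
echo 'escaped echo keeps attribute intact: ', var_export( value_attribute_intact( $after ), true ), PHP_EOL;

// The escaping is lossless for the form itself: the browser decodes the
// entities on submit, so the server still receives the original filter string.
$round_trip = html_entity_decode( escape_attribute( $sample ), ENT_QUOTES, 'UTF-8' );
echo 'round trip preserves filter value:   ', var_export( $round_trip === $sample, true ), PHP_EOL;
```

Run it with `php example.php`. The first line reports `false` and the second `true`, which is the whole content of the one-line fix: escaping at the output point turns a value that could restructure the page into inert text, while the form still submits the same filter string.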
1 parent 063cce6 commit 9b5b71d


1 file changed, +1 -1 lines changed

Diff for: manage_user_page.php

@@ -272,7 +272,7 @@
272272
<input type="hidden" name="sort" value="<?php echo $c_sort ?>" />
273273
<input type="hidden" name="dir" value="<?php echo $c_dir ?>" />
274274
<input type="hidden" name="save" value="1" />
275-
<input type="hidden" name="filter" value="<?php echo $f_filter ?>" />
275+
<input type="hidden" name="filter" value="<?php echo string_attribute( $f_filter ); ?>" />
276276
<label class="inline">
277277
<input type="checkbox" class="ace" name="hideinactive" value="<?php echo ON ?>" <?php check_checked( (int)$c_hide_inactive, ON ); ?> />
278278
<span class="lbl"> <?php echo lang_get( 'hide_inactive' ) ?></span>
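Review bot: the two context lines above the changed one still echo $c_sort and $c_dir straight into value attributes without string_attribute(); if the c_ prefix means those values are already constrained to a fixed set before this point that is fine, but if they originate from request input the way $f_filter does they are open to the same attribute breakout, and wrapping them in string_attribute() as well would make the block uniformly safe either way. Also worth confirming that this is the only place $f_filter is echoed in the file, since the change escapes this single output point rather than the variable where it is read.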

Comments (0)