NOTE:: Before reporting an issue, make sure you are running the latest version, currently 3.3.1
|
NOTE:: Before reporting an issue, make sure you are running the latest version, currently 3.3.1 |
| Anonymous | Login | Signup for a new account | 28-07-17 13:50 BST |  |
| My View | View Issues | Change Log | Roadmap |
| View Issue Details [ Jump to Notes ] | [ Print ] | ||||||||
| ID | Project | Category | View Status | Date Submitted | Last Update | ||||
| 0015341 | phplist application | Interface - Frontend | public | 29-09-09 18:24 | 19-04-10 19:18 | ||||
| Reporter | dhartford | ||||||||
| Priority | normal | Severity | major | Reproducibility | always | ||||
| Status | resolved | Resolution | fixed | ||||||
| Platform | OS | OS Version | |||||||
| Product Version | 2.10.10 | ||||||||
| Target Version | 2.10.12 | Fixed in Version | 2.10.12 | ||||||
| Summary | 0015341: security - forgotpassword value not checked/eval'd | ||||||||
| Description | /lists/admin when entering value to send an email for 'forgot password', the value is not checked. Fix included in additional info. | ||||||||
| Additional Information | /lists/admin/index.php, under the if isset($_REQUEST["forgotpassword"]).... #====php 5.1.6 tested fix - filter_var only works on installs with php > 5.2 $parsedforgotpassword = $_REQUEST["forgotpassword"]; $email_regex = '^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.([a-zA-Z]{2,4})$'; if(!eregi($email_regex, $parsedforgotpassword)){ logEvent(sprintf('Invalid forgotpassword email entered from %s.', $_SERVER['REMOTE_ADDR'])); $page="login"; $msg="invalid email supplied"; }else{ ....normal code.... } #end of email validation check | ||||||||
| Tags | No tags attached. | ||||||||
| Attached Files | |||||||||
 Relationships [ Relation Graph ]
[ Dependency Graph ]
|
|
 Relationships |
|
Notes |
|
|
(0050928) michiel (manager) 19-04-10 19:18 |
we already have the is_email function for that, so used that one |
|
Notes |
| Copyright © 2000 - 2017 MantisBT Team |
 |