
ID: 0015341
Project: phplist application
Category: Interface - Frontend
View Status: public
Date Submitted: 29-09-09 18:24
Last Update: 19-04-10 19:18
Platform / OS / OS Version: not specified
Product Version: 2.10.10
Target Version: 2.10.12
Fixed in Version: 2.10.12
Summary: 0015341: security - forgotpassword value not checked/eval'd
Description: In /lists/admin, when entering a value to send an email for 'forgot password', the value is not checked.

Fix included in additional info.
Additional Information: /lists/admin/index.php, under the if isset($_REQUEST["forgotpassword"]) ....

    # ==== PHP 5.1.6 tested fix - filter_var only works on installs with PHP > 5.2
    # Note: eregi() was deprecated in PHP 5.3 and removed in PHP 7; on those
    # versions use preg_match() with the /i modifier instead.

    $parsedforgotpassword = $_REQUEST["forgotpassword"];

    # POSIX ERE (no delimiters needed for eregi): local part, '@', domain, 2-4 letter TLD
    $email_regex = '^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.([a-zA-Z]{2,4})$';

    if (!eregi($email_regex, $parsedforgotpassword)) {
        # reject and log the attempt with the requester's address
        logEvent(sprintf('Invalid forgotpassword email entered from %s.', $_SERVER['REMOTE_ADDR']));
        $msg = "invalid email supplied";
    } else {
        # ....normal code.... (the existing forgot-password handling)
    } # end of email validation check
Notes

michiel (manager), 19-04-10 19:18:

We already have the is_email function for that, so I used that one.
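The validation this report asks for, as an added example: this is not phplist's own code and not the fix michiel applied (phplist uses its own is_email() helper, which is not reproduced here). The function name validateForgotPasswordEmail, the logEvent() stand-in and the sample inputs are assumptions for illustration. It goes slightly beyond the report by also rejecting non-string values (a forgotpassword[]=x parameter) and trailing newlines, and by using filter_var() where available with the reporter's pattern as a fallback for older PHP.

```php
<?php
// Added example, not phplist's own code and not the fix michiel applied
// (phplist uses its own is_email() helper, which is not reproduced here).
// validateForgotPasswordEmail, the logEvent() stand-in and the sample
// inputs below are assumptions for illustration.

// Stand-in for phplist's logEvent(): collects messages so the example
// runs stand-alone.
$logged = array();
function logEvent($msg)
{
    global $logged;
    $logged[] = $msg;
}

// Hardened check: returns the validated address, or false if rejected.
function validateForgotPasswordEmail($value, $remoteAddr)
{
    // forgotpassword[]=x makes $_REQUEST['forgotpassword'] an array, which
    // eregi()/preg_match() cannot handle; reject anything but a string.
    if (!is_string($value)) {
        logEvent(sprintf('Invalid forgotpassword value (not a string) from %s.', $remoteAddr));
        return false;
    }
    $value = trim($value);

    if (function_exists('filter_var')) {
        // PHP >= 5.2: built-in syntax check.
        $ok = filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
    } else {
        // Older PHP: the reporter's pattern via preg_match(), since eregi()
        // was deprecated in 5.3 and removed in 7. The /D modifier makes $
        // match only at the very end, so "a@b.org\n" is rejected as well.
        $ok = preg_match('/^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.[a-zA-Z]{2,}$/D', $value) === 1;
    }

    if (!$ok) {
        logEvent(sprintf('Invalid forgotpassword email entered from %s.', $remoteAddr));
        return false;
    }
    return $value;
}

// Constructed sample inputs (not taken from the report).
$samples = array(
    'user@example.org',
    '  user@example.org ',
    "user@example.org\r\nX-Extra: line",
    'not an email',
    array('x'),
);
foreach ($samples as $s) {
    $result = validateForgotPasswordEmail($s, '203.0.113.5');
    echo (is_string($s) ? var_export($s, true) : 'array'), ' => ',
         ($result === false ? 'rejected' : 'accepted as ' . $result), "\n";
}
echo count($logged), " rejection(s) logged\n";
```

Only the first two samples are accepted; the line-break, free-text and array inputs are logged with the requester's address and rejected before any mail code sees them. Which acceptable syntax you enforce (filter_var's RFC-style check versus the narrower regex) is a policy choice; the point is that the check happens before the value is used.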

Copyright © 2000 - 2017 MantisBT Team
Powered by Mantis Bugtracker