View Issue Details

ID: 0000148
Project: WackoWiki
Category: security
View Status: public
Last Update: 2012-02-22 18:25
Reporter: Freeman
Assigned To: Tann San
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Product Version: 4.2
Target Version: 4.3.rc
Fixed in Version: 4.3.rc
Summary: 0000148: comments XSS-vulnerability
Description: fixed comments XSS-vulnerability
Tags: No tags attached.
Attached Files
some_bug_fix.diff (533 bytes)   
diff -puraN wacko.r4.2/handlers/page/addcomment.php dist/handlers/page/addcomment.php
--- wacko.r4.2/handlers/page/addcomment.php	2004-10-28 20:26:04.000000000 +0400
+++ dist/handlers/page/addcomment.php	2005-07-16 00:59:55.000000000 +0400
@@ -14,7 +14,7 @@ if ($this->HasAccess("comment"))
   }
 
   $body = trim($_POST["body"]);
-  echo "Comment".$num."<p>".$body."<p>".$this->tag;
+ // echo "Comment".$num."<p>".$body."<p>".$this->tag;
   if (!$body)
   {
     $this->SetMessage($this->GetResourceValue("EmptyComment"));
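Review bot: the commented-out echo on the changed line should be deleted rather than left in the file. It writes $body, which comes straight from $_POST["body"] with only trim() applied, into HTML without escaping, so anyone who uncomments it for debugging brings the XSS back. If the debug output is still wanted, pass the value through htmlspecialchars() before printing it. The hunk also does not show how $body is handled after the empty check, so it is worth confirming that the comment is escaped wherever it is later rendered, since removing this echo only covers the output in this handler.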

Relationships

related to 0000160 resolvedTann San comments won't take the ACL settings of the page 

Activities

Tann San

2008-04-18 14:14

manager   ~0000316

No longer echoes the value, which was pointless anyway since it does a redirect straight away.

Issue History

Date Modified Username Field Change
2008-01-10 11:44 administrator New Issue
2008-01-10 11:44 administrator Status new => assigned
2008-01-10 11:44 administrator Assigned To => Tann San
2008-01-10 11:44 administrator File Added: some_bug_fix.diff
2008-01-10 11:44 administrator Legacy => NEW
2008-01-10 11:45 administrator Reporter administrator => Freeman
2008-04-06 15:36 administrator Relationship added related to 0000160
2008-04-18 14:13 Tann San Status assigned => resolved
2008-04-18 14:13 Tann San Fixed in Version => 5.0.0
2008-04-18 14:13 Tann San Resolution open => fixed
2008-04-18 14:14 Tann San Note Added: 0000316
2009-08-19 09:22 administrator Fixed in Version 5.0.0 => 4.3.rc
2009-08-19 09:39 administrator Target Version 5.0.0 => 4.3.rc
2010-03-08 10:22 administrator Category Security => security
2012-02-22 18:25 administrator View Status private => public