Dolibarr ERP & CRM » Bugs » bug #1437 Securitu IssueDernières modifications
Répondre
État| Détails |
| Last Modified On: | 20/06/2014 15:57 | | Submitted by: | HENRY Florian (fhenry) |
| Submitted on: | 04/06/2014 12:15 | |
| Summary: | Securitu Issue |
| Description: | Deepak Rathore address@hidden send to fundation by mail a security repport on Dolibarr |
| Step to reproduce bug: | Check attachement |
| Detected in version: | 3.5.2 | | Category: | Security |
| Severity: | 8 | | OS Type/Version: | |
| PHP version: | | | Database type and version: | |
| Etat |
| Status: | Closed | | Assigned to: | HENRY Florian (fhenry) |
| Resolution: | Fixed | |
Commentaires- Laurent Destailleur 20/06/2014 15:57
- The bug has been corrected inside GIT sources
(http://www.github.com/Dolibarr/dolibarr).
So fix should be available with next stable release. - Cedric GROSS 09/06/2014 16:47
- http://www.php.net/manual/fr/function.filter-input.php and so on could be a solution.
- HENRY Florian 09/06/2014 12:34
- Some of them can be fix, because GETPOST even with 'alpha' test do not
warn if input is
"2%2F0%2F1234%3cscript%3ealert%2893275%29%3c%2fscript%3e"
for exemple
I don't have magical solution for this kind of security issue
|
|
Open→ Closed