Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <m47u3q$edk$1@ger.gmane.org>
Date: Sat, 15 Nov 2014 17:13:46 +0100
From: Damien Regad <dregad@...tisbt.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: XSS vulnerability in MantisBT 1.2.13

On 2014-11-15 16:30, Paul Richards wrote:
> However, I believe the fix for first issue to be incorrect (hence helping
> me misunderstanding the initial issue):
>
> The initial fix adds a string_display_line call to an <input> box. Given
> that this processes the string for display in html, and there is a
> string_attribute api call for handling data for display in a text box, I
> believe that the fix for the other  issue is incorrect and
> that string_attribute should be used instead of string_display_line (which
> may do other formatting to the string which may be undesirable when editing
> configuration values).

Thanks for catching this mistake Paul. I have:

- reverted the original fix commit with incorrect string_display_line()
   https://github.com/mantisbt/mantisbt/commit/1bdc16e5

- pushed a new fix with string_attribute()
   https://github.com/mantisbt/mantisbt/commit/49c3d089

@CVE assign authority - please let me know the ID for this issue, and 
update the data from my initial request accordingly.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.