Bug #66930 PHP Version dropdown allows any value
Submitted: 2014-03-18 21:27 UTC Modified: 2016-09-29 13:51 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: mot+php at tom dot be Assigned: cmb
Status: Not a bug Package: Website problem
PHP Version: 5.7-Your-Mother OS: Any
Private report: No CVE-ID: None
 [2014-03-18 21:27 UTC] mot+php at tom dot be
Description:
------------
You can easily tamper with the value of the PHP Version of this bug-report website by using the Chrome development console or FireBug.

Apparently, there's no input validation on that field.


 [2014-03-27 05:20 UTC] levim@php.net
I'm really not concerned about this; by design people with @php.net accounts can write whatever they want in that field anyway. We should probably double check to make sure we aren't vulnerable to any attacks this way, though.
 [2016-09-29 13:51 UTC] cmb@php.net
-Status: Open
+Status: Not a bug
-Assigned To:
+Assigned To: cmb
 [2016-09-29 13:51 UTC] cmb@php.net
> We should probably double check to make sure we aren't
> vulnerable to any attacks this way, though.

The DB access uses prepared statements and the output is escaped
by htmlspecialchars(). Seems to be sufficient.
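
The two controls named in the comment above, applied to a dropdown value the client has altered, as an added example that is not part of the thread and not the bug tracker's own code. The `bugs` table, the `php_version` column, the `renderVersion()` helper and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample inputs: values a client could submit for the
// "PHP Version" field after editing the <select> in browser developer tools.
$submitted = [
    '5.5.10',
    '5.7-Your-Mother',
    "5.6' -- not a version",
    '<b>5.8</b> & "more"',
];

// Hypothetical schema; in-memory SQLite stands in for the real database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE bugs (id INTEGER PRIMARY KEY, php_version TEXT NOT NULL)');

// Control 1: the value is bound as a parameter, so quotes and comment
// markers in it are stored as data and never parsed as SQL.
$insert = $pdo->prepare('INSERT INTO bugs (php_version) VALUES (:v)');
foreach ($submitted as $value) {
    $insert->execute([':v' => $value]);
}

// Control 2: escape at output time for the HTML context the value lands in.
function renderVersion(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$stored = $pdo->query('SELECT php_version FROM bugs ORDER BY id')
              ->fetchAll(PDO::FETCH_COLUMN);

// Every submitted string round-trips unchanged: nothing was interpreted as SQL.
if ($stored !== $submitted) {
    throw new RuntimeException('stored values differ from submitted values');
}

foreach ($stored as $version) {
    $cell = renderVersion($version);
    // No markup or quote characters survive into the rendered cell.
    if (strpbrk($cell, '<>"\'') !== false) {
        throw new RuntimeException('unescaped HTML metacharacter in output');
    }
    echo "<td>{$cell}</td>\n";
}
```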
 