Bug #16312 (SECURITY) Non-CVS users can set status to anything (including Critical)
Submitted: 2002-03-27 11:30 UTC Modified: 2002-05-12 14:01 UTC
From: nopman at hackermail dot com Assigned:
Status: Closed Package: Website problem
PHP Version: 4.1.2 OS: Unix
Private report: No CVE-ID: None
 [2002-03-27 11:30 UTC] nopman at hackermail dot com
I read the sources of this error reporting page and found
out that you correctly provide a list of available
State-options, but you do not validate the input.

So one can make their own form and add options there
for Critical, Analyzed, etc.

I'm pretty sure that it works, but I'll test it with this report.


 [2002-03-27 11:33 UTC] nopman at hackermail dot com
Trying to set this as Critical.

"NopMan"
 [2002-03-27 11:34 UTC] nopman at hackermail dot com
Damn!! It worked!!!!
 [2002-03-27 12:39 UTC] sander@php.net
Hm... another bug in this system... you can also fake @php.net addresses.
This is critical indeed :)
 [2002-05-12 13:18 UTC] derick@php.net
TOUCH
 [2002-05-12 14:01 UTC] jimw@php.net
This bug has been fixed in CVS. You can grab a snapshot of the
CVS version at http://snaps.php.net/. In case this was a documentation 
problem, the fix will show up soon at http://www.php.net/manual/. 
Thank you for the report, and for helping us make PHP better.
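
The report and the follow-up about faked @php.net addresses both come down to trusting form fields, so the fix is a server-side check. The following is an added example, not code from the PHP bug tracker: the role names, the status lists and the `authenticated_developer` session key are assumptions made for illustration.

```php
<?php
// Added example; names and status lists are assumptions, not the tracker's code.

// Statuses each role may set (constructed lists for illustration).
const ALLOWED_STATUSES = [
    'reporter'  => ['Open', 'Closed'],
    'developer' => ['Open', 'Analyzed', 'Critical', 'Closed'],
];

/**
 * Decide the role from the authenticated session only. The e-mail typed into
 * the form is client-controlled, so an "@php.net" address there proves nothing.
 */
function roleFromSession(array $session): string
{
    return !empty($session['authenticated_developer']) ? 'developer' : 'reporter';
}

/**
 * Return the status to store, or throw if the submitted value is not a
 * string in the allowlist for this role. The <select> in the HTML form is
 * only a UI hint; this check is what enforces the rule.
 */
function validateStatus(array $post, array $session): string
{
    $status = $post['status'] ?? null;
    if (!is_string($status)) {  // rejects missing values and status[]=... arrays
        throw new InvalidArgumentException('status missing or not a string');
    }
    $role = roleFromSession($session);
    if (!in_array($status, ALLOWED_STATUSES[$role], true)) {  // strict comparison
        throw new InvalidArgumentException("status not permitted for role $role");
    }
    return $status;
}

// Constructed requests, including a value the rendered form never offered.
$cases = [
    'reporter, offered value'   => [['status' => 'Closed', 'email' => 'user@example.com'], []],
    'reporter, forged Critical' => [['status' => 'Critical', 'email' => 'someone@php.net'], []],
    'developer, Critical'       => [['status' => 'Critical'], ['authenticated_developer' => true]],
    'array instead of string'   => [['status' => ['Critical']], []],
];
foreach ($cases as $label => [$post, $session]) {
    try {
        echo "$label: accepted ", validateStatus($post, $session), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected (", $e->getMessage(), ')', PHP_EOL;
    }
}
```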


 
Last updated: Fri Oct 04 15:01:28 2024 UTC