php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #66930 PHP Version dropdown allows any value
Submitted: 2014-03-18 21:27 UTC Modified: 2016-09-29 13:51 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: mot+php at tom dot be Assigned: cmb (profile)
Status: Not a bug Package: Website problem
PHP Version: 5.7-Your-Mother OS: Any
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: mot+php at tom dot be
New email:
PHP Version: OS:

 

 [2014-03-18 21:27 UTC] mot+php at tom dot be
Description:
------------
You can easely tamper with the value of the PHP Version of this bug-report website by using the Chrome development console or FireBug.

Appearently, there's no input validation on that field.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-03-27 05:20 UTC] levim@php.net
I'm really not concerned about this; by design people with @php.net accounts can write whatever they want in that field anyway. We should probably double check to make sure we aren't vulnerable to any attacks this way, though.
 [2016-09-29 13:51 UTC] cmb@php.net
-Status: Open +Status: Not a bug -Assigned To: +Assigned To: cmb
 [2016-09-29 13:51 UTC] cmb@php.net
> We should probably double check to make sure we aren't
> vulnerable to any attacks this way, though.

The DB access uses prepared statements and the output is escaped
by htmlspecialchars(). Seems to be sufficient.
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Tue Dec 06 17:05:53 2022 UTC