tiki-searchresults.php vulnerable to content injection

VERIFIED FIXED in 0.2

Status

support.mozilla.org
Knowledge Base Software
P1
critical
VERIFIED FIXED
11 years ago
2 years ago

People

(Reporter: rflint, Assigned: nkoth)

Tracking

unspecified

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: tiki_test, URL)

See the URL field for an example. This script currently doesn't sanitize quotes or HTML, allowing an attacker to display their own content in the search results.

Comment 1

11 years ago
Nelson, can you take a look at this?
Assignee: nobody → nelson
Priority: -- → P1
Target Milestone: --- → 0.2

Comment 2

11 years ago
Fixed in support-stage, will be included in the next sync.
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED

Comment 3

11 years ago
Turns out this was fixed on support.mozilla.com already.
Status: RESOLVED → VERIFIED
Group: webtools-security → websites-security
Group: websites-security

Updated

9 years ago
Whiteboard: tiki_triage

Updated

8 years ago
Whiteboard: tiki_triage → tiki_test
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security