Edit report at https://bugs.php.net/bug.php?id=66930&edit=1

 ID:                 66930
 Updated by:         [email protected]
 Reported by:        mot+php at tom dot be
 Summary:            PHP Version dropdown allows any value
-Status:             Open
+Status:             Not a bug
 Type:               Bug
 Package:            Website problem
 Operating System:   Any
 PHP Version:        5.7-Your-Mother
-Assigned To:
+Assigned To:        cmb
 Block user comment: N
 Private report:     N

 New Comment:

> We should probably double check to make sure we aren't
> vulnerable to any attacks this way, though.

The DB access uses prepared statements and the output is escaped by
htmlspecialchars(). Seems to be sufficient.

Previous Comments:
------------------------------------------------------------------------
[2014-03-27 05:20:36] [email protected]

I'm really not concerned about this; by design people with @php.net
accounts can write whatever they want in that field anyway.

We should probably double check to make sure we aren't vulnerable to
any attacks this way, though.

------------------------------------------------------------------------
[2014-03-18 21:27:43] mot+php at tom dot be

Description:
------------
You can easily tamper with the value of the PHP Version of this
bug-report website by using the Chrome development console or FireBug.
Apparently, there's no input validation on that field.

------------------------------------------------------------------------
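
The handling described in the new comment (prepared statements for storage, htmlspecialchars() on output), as an added example that is not part of the original report and not the bug tracker's own code. The in-memory SQLite table, the function names and the submitted values other than the one in this report are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical schema; the real bug tracker's tables are not shown in the report.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE bug (id INTEGER PRIMARY KEY, php_version TEXT NOT NULL)');

/** Store the submitted version through a bound parameter, so it is never parsed as SQL. */
function saveVersion(PDO $db, string $version): int
{
    $stmt = $db->prepare('INSERT INTO bug (php_version) VALUES (:v)');
    $stmt->execute([':v' => $version]);
    return (int) $db->lastInsertId();
}

/** Read the stored version back and escape it for an HTML text context. */
function renderVersion(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT php_version FROM bug WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $version = (string) $stmt->fetchColumn();
    return '<td>' . htmlspecialchars($version, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// Constructed inputs: values a client can send in place of a dropdown option.
$submitted = [
    '5.7-Your-Mother',                 // the value from this report
    "5.5'); DROP TABLE bug; --",       // SQL metacharacters
    '<script>alert(1)</script>',       // HTML metacharacters
];

foreach ($submitted as $value) {
    $id = saveVersion($db, $value);
    echo renderVersion($db, $id), PHP_EOL;
}

// The table is intact and holds every value verbatim as data.
$count = (int) $db->query('SELECT COUNT(*) FROM bug')->fetchColumn();
echo $count, ' rows stored', PHP_EOL;
```

The arbitrary strings are stored and displayed as inert text, which is why the free-form field is treated as harmless here; a context other than SQL parameters and HTML text would need its own encoding.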
