From: c dot r dot l dot f at yandex dot ru
Operating system: All
PHP version: Irrelevant
Package: Website problem
Bug Type: Bug
Bug description: Reflected XSS via POST on /mailing-lists.php

Description:
------------
Hello.

Bug:
<?php echo $_POST['email']; ?>

Patch:
<?php echo clean($_POST['email']); ?>

Affects php.net and secure.php.net
Tested in Firefox 58.0.2

Test script:
---------------
php.net: https://alt3r.eg0.ru/p0c5/de9ececaebcc76ad516415249ee555dd.html
secure.php.net: https://alt3r.eg0.ru/p0c5/cd12b353bf6159000c195d28da29bbd6.html

--
Edit bug report at https://bugs.php.net/bug.php?id=76087&edit=1

--
PHP Webmaster List Mailing List (http://www.php.net/)
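The following is an added illustration, not the reporter's patch and not php.net's code: it places the vulnerable echo from the report beside a hardened version of the same output. The report's clean() is not a PHP built-in, so the hardened form uses htmlspecialchars() for the HTML attribute context and, as an optional second layer, filter_var() to drop values that are not syntactically an e-mail address at all. The function names and the sample input are constructed for this example.

```php
<?php
// Added example (not the reporter's patch): vulnerable echo beside its hardened form.
// clean() in the report is not a PHP built-in; htmlspecialchars() is used instead.

declare(strict_types=1);

// Vulnerable: the POSTed value is written straight into the HTML response,
// so any markup or quote characters it contains become part of the page.
function render_email_vulnerable(array $post): string
{
    $email = $post['email'] ?? '';
    return '<input type="text" name="email" value="' . $email . '">';
}

// Hardened: encode for the HTML attribute context. ENT_QUOTES encodes both
// single and double quotes, so the value cannot terminate the value="..." attribute;
// the explicit charset avoids encoding mismatches.
function render_email_safe(array $post): string
{
    $email = $post['email'] ?? '';
    if (!is_string($email)) {   // email[]=... style input arrives as an array; treat as empty
        $email = '';
    }
    $escaped = htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="email" value="' . $escaped . '">';
}

// Optional second layer: only echo back values that are plausibly an address.
// Validation does not replace output encoding; render_email_safe() still encodes.
function render_email_validated(array $post): string
{
    $email = $post['email'] ?? '';
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $email = '';   // anything that is not a syntactically valid address is dropped
    }
    return render_email_safe(['email' => $email]);
}

// Constructed sample input (not taken from the report): a quote and angle brackets,
// which is enough to show the difference between the three renderers.
$sample = ['email' => 'not"an<address>'];

echo 'vulnerable: ' . render_email_vulnerable($sample) . PHP_EOL;
echo 'safe:       ' . render_email_safe($sample) . PHP_EOL;
echo 'validated:  ' . render_email_validated($sample) . PHP_EOL;
```

Run with `php example.php` (any PHP 7.x or 8.x). The vulnerable line reproduces the input characters verbatim inside the attribute; the safe line shows them as `&quot;`, `&lt;` and `&gt;` entities; the validated line shows an empty value because the sample is not a valid address. Encoding must match the output context: htmlspecialchars() is correct for HTML text and quoted attributes, but a value inserted into a JavaScript block or a URL needs a different encoder.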