| ID | Category | Severity | Reproducibility | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0015341 | [phplist] Interface - Frontend | major | always | 29-09-09 17:24 | 29-10-09 20:37 |

| Field | Value | Field | Value |
|---|---|---|---|
| Reporter | dhartford | View Status | public |
| Assigned To | | | |
| Priority | normal | Resolution | open |
| Status | assigned | Product Version | 2.10.10 |

| Summary | 0015341: security - forgotpassword value not checked/eval'd |
|---|---|
| Description | In /lists/admin, when entering a value to send an email for 'forgot password', the value is not checked. Fix included in additional info. |
|---|---|

| Additional Information | In /lists/admin/index.php, under the `if isset($_REQUEST["forgotpassword"])` .... |
|---|---|

```php
# ==== php 5.1.6 tested fix - filter_var only works on installs with php > 5.2
$parsedforgotpassword = $_REQUEST["forgotpassword"];
$email_regex = '^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.([a-zA-Z]{2,4})$';
if (!eregi($email_regex, $parsedforgotpassword)) {
    logEvent(sprintf('Invalid forgotpassword email entered from %s.', $_SERVER['REMOTE_ADDR']));
    $page = "login";
    $msg  = "invalid email supplied";
} else {
    // ....normal code....
}
# end of email validation check
```
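Added example, not code from the report or from phpList: a validator in the spirit of the fix above that uses `filter_var()` with `FILTER_VALIDATE_EMAIL` where PHP 5.2+ is available and otherwise falls back to a `preg_match()` form of the posted pattern (usable on PHP 7+, where `eregi()` no longer exists), plus handling for a non-string request value. The names `validateForgotPasswordEmail`, `handleForgotPassword`, the `logEvent` stub and the sample inputs are assumptions made for this example.

```php
<?php
// Added example, not phpList code. Validates the 'forgotpassword' request value
// before it is used to look up an admin account and send mail.

// Stand-in for phpList's logEvent(); assumed here so the file runs stand-alone.
function logEvent($msg) { error_log($msg); }

// The pattern from the report, rewritten for preg_match() so it also runs on
// PHP versions without eregi(); the /i flag keeps the case-insensitive match.
define('FORGOT_EMAIL_PATTERN', '/^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.([a-zA-Z]{2,4})$/i');

// Returns true only for a string that looks like a single mailbox address.
function validateForgotPasswordEmail($value) {
    if (!is_string($value) || $value === '' || strlen($value) > 254) {
        return false;
    }
    if (function_exists('filter_var')) {                       // PHP >= 5.2
        return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
    }
    return preg_match(FORGOT_EMAIL_PATTERN, $value) === 1;     // older PHP
}

// Mirrors the control flow of the posted fix; $request stands in for $_REQUEST.
function handleForgotPassword(array $request, $remoteAddr) {
    // $_REQUEST['forgotpassword'] may be an array (forgotpassword[]=...), so
    // only accept a string; anything else is treated as an invalid address.
    $raw   = isset($request['forgotpassword']) ? $request['forgotpassword'] : '';
    $value = is_string($raw) ? trim($raw) : '';
    if (!validateForgotPasswordEmail($value)) {
        // Log the source address only; never echo the raw value into the page.
        logEvent(sprintf('Invalid forgotpassword email entered from %s.', $remoteAddr));
        return array('page' => 'login', 'msg' => 'invalid email supplied');
    }
    return array('page' => 'forgotpassword', 'email' => $value);
}

// Constructed sample inputs: one valid address, then values that must be rejected.
$samples = array(
    'admin@example.com',
    "admin@example.com\r\nX-Extra: header",   // embedded line break
    '<b>not an address</b>@example.com',      // markup in the local part
    array('not', 'a', 'string'),              // array instead of string
);
foreach ($samples as $s) {
    $r = handleForgotPassword(array('forgotpassword' => $s), '203.0.113.5');
    printf("%-40s => %s\n", json_encode($s), $r['page']);
}
```

Only the first sample reaches the `forgotpassword` page; the other three return to `login` with the generic message and a log line naming the remote address.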
| Tags | No tags attached. |
|---|---|
| Attached Files | |
| There are no notes attached to this issue. |
Mantis 1.1.6 Copyright © 2000 - 2008 Mantis Group