#4517 (ok 4.0.10.2) XSS in relation view

4.0.10
fixed
None
1
2014-08-23
2014-08-16
No

Steps:

1) Go to 'Relation view' of any table.
2) Create a Foreign key constraint.
3) When it asks for 'Constraint name', enter the following:

" /><script>alert("seep");</script><input type="hidden" value="

4) Click save. You will get a pop-up.

I think its because the $constraint_name variable (in concatenation) in tbl_realtion.lib.php file at line number 557 is not escaped.

Discussion

  • Isaac could reproduce this with QA_4_2 and QA_4_0, but not master

     
  • Marc Delisle
    Marc Delisle
    2014-08-17

    • private: Yes --> No
     
  • Marc Delisle
    Marc Delisle
    2014-08-17

    Confirmed.

     
  • Marc Delisle
    Marc Delisle
    2014-08-17

    • summary: XSS in relation view --> (ok 4.0.10.2) XSS in relation view
    • status: open --> fixed
    • assigned_to: Madhura Jayaratne
     
  • Marc Delisle
    Marc Delisle
    2014-08-17

    • Priority: 5 --> 1