Search Changesets
MantisBT: master-1.2.x 5068df2d 2016-06-06 14:25
Fix XSS in custom fields management

Kacper Szurek (http://security.szurek.pl/) discovered an XSS vulnerability in Custom fields management pages, caused by unescaped output of 'return URL' GPC parameter.

His report describes two ways to exploit this issue:
1. using 'accesskey' inside hidden input field (see [1]) reflects XSS to the administrator in manage_custom_field_edit_page.php when the keyboard shortcut is actioned
2. using 'javascript:' URI scheme executes the code when the user clicks the [Proceed] link on manage_custom_field_update.php after updating a custom field

This commit fixes both attack vectors:
- properly escape the return URL prior to printing it on the hidden form field
- let html_operation_successful() sanitize the URL before displaying it, just like html_meta_redirect() does. In this case, if the string contains a URI scheme, it will be replaced by 'index.php'

[1] http://blog.portswigger.net/2015/11/xss-in-hidden-input-fields.html

Fixes 0020956

This is a backport from master 3f2779b4c6dc8d465fb73c08cfa1d806184d2e79.
Affected Issues: 0020956
Modified files:
- account_prefs_update.php
- manage_config_revert.php
- manage_custom_field_delete.php
- manage_custom_field_update.php
- print_all_bug_options_update.php
- set_project.php
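As an added illustration of the two mitigations the commit message describes (escape the value before printing it in the hidden field, and strip any URI scheme from the return URL before it is used as a link target), the following is example code written for this page and not MantisBT's own implementation. The function names safe_return_url, hidden_return_url_field and proceed_link are hypothetical, the scheme-matching rule is an assumption about how such a check can be written, and the sample inputs at the bottom are constructed.

```php
<?php
// Added illustrative example; not MantisBT code. All function names are hypothetical.

/**
 * Return a safe relative URL to send the user back to. Any value carrying a
 * URI scheme ("javascript:", "http:", "data:" and so on) is replaced by
 * 'index.php', which is the behaviour the commit message attributes to
 * html_meta_redirect(). Protocol-relative URLs and control characters are
 * rejected the same way (an assumption of this example, not stated on the page).
 */
function safe_return_url( $p_url ) {
	$t_url = trim( (string)$p_url );
	if( $t_url === '' ) {
		return 'index.php';
	}
	// RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
	if( preg_match( '/^[a-z][a-z0-9+.\-]*:/i', $t_url ) ) {
		return 'index.php';
	}
	if( strpos( $t_url, '//' ) === 0 || preg_match( '/[\x00-\x1f\x7f]/', $t_url ) ) {
		return 'index.php';
	}
	return $t_url;
}

/**
 * Render the hidden return-URL field. ENT_QUOTES escaping keeps the value from
 * closing the attribute, so extra attributes such as 'accesskey' cannot be
 * injected into the <input> tag.
 */
function hidden_return_url_field( $p_url ) {
	$t_escaped = htmlspecialchars( safe_return_url( $p_url ), ENT_QUOTES, 'UTF-8' );
	return '<input type="hidden" name="return" value="' . $t_escaped . '" />';
}

/**
 * Render the [Proceed] link: the href is sanitized first (no scheme allowed),
 * then escaped for the attribute context.
 */
function proceed_link( $p_url ) {
	$t_escaped = htmlspecialchars( safe_return_url( $p_url ), ENT_QUOTES, 'UTF-8' );
	return '<a href="' . $t_escaped . '">Proceed</a>';
}

// Constructed sample inputs (not taken from the report or the page).
$t_samples = array(
	'manage_custom_field_page.php',   // legitimate relative return URL, kept as-is
	'javascript:alert(1)',            // scheme present: becomes 'index.php'
	'" accesskey="x',                 // attribute break-out attempt: quotes are escaped
	'//attacker.example/',            // protocol-relative: becomes 'index.php'
);
foreach( $t_samples as $t_input ) {
	echo hidden_return_url_field( $t_input ), "\n";
	echo proceed_link( $t_input ), "\n";
}
```

Running the script with `php` prints each sample rendered both as the hidden field and as the link: the first input passes through unchanged, the second and fourth collapse to `index.php`, and the third appears with its quote encoded as `&quot;` inside the value attribute, so no new attribute is created.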