MantisBT: master-1.2.x 5068df2d

Author: dregad
Committer: dregad
Branch: master-1.2.x
Timestamp: 2016-06-06 14:25
Parent: master-1.2.x b8d5d85c
Affected Issues: 0020956: CVE-2016-5364: Reflected XSS inside manage_custom_field_edit_page.php
Changeset

Fix XSS in custom fields management

Kacper Szurek (http://security.szurek.pl/) discovered an XSS
vulnerability in Custom fields management pages, caused by unescaped
output of 'return URL' GPC parameter. His report describes two ways to
exploit this issue:

  1. using 'accesskey' inside hidden input field (see [1]) reflects XSS to
    the administrator in manage_custom_field_edit_page.php when the
    keyboard shortcut is actioned
  2. using 'javascript:' URI scheme executes the code when the user clicks
    the [Proceed] link on manage_custom_field_update.php after updating
    a custom field

This commit fixes both attack vectors:

  • properly escape the return URL prior to printing it on the hidden form
    field
  • let html_operation_successful() sanitize the URL before displaying
    it, just like html_meta_redirect() does. In this case, if the
    string contains a URI scheme, it will be replaced by 'index.php'

[1] http://blog.portswigger.net/2015/11/xss-in-hidden-input-fields.html

Fixes 0020956

This is a backport from master 3f2779b4c6dc8d465fb73c08cfa1d806184d2e79.
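The two mitigations the commit describes, written out as an added example in PHP. This is not MantisBT's own code: the function names (sanitize_return_url, html_attr, hidden_return_field_vulnerable, hidden_return_field_fixed, proceed_link_fixed) are hypothetical, the scheme check is an assumption about what "contains a URI scheme" means rather than a copy of html_meta_redirect()'s logic, and the sample inputs are constructed.

```php
<?php
// Added example, not MantisBT code. Shows the two fixes from the commit:
//  1. escape the return URL before printing it into a hidden form field
//  2. sanitize the return URL before using it as the [Proceed] link target,
//     replacing anything that carries a URI scheme with 'index.php'

/**
 * Restrict a user-supplied return URL to a relative path on this site.
 * Assumption (not MantisBT's string handling): anything with a URI scheme
 * ('javascript:', 'http:', 'data:', ...), a protocol-relative prefix
 * ('//host/...'), or control/whitespace characters (which browsers strip
 * from schemes, so 'java\tscript:' must not slip past the regex) is
 * replaced by the safe default 'index.php'.
 */
function sanitize_return_url( string $p_url ): string {
	$t_url = trim( $p_url );

	// RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
	if( preg_match( '/^[a-z][a-z0-9+.\-]*:/i', $t_url ) ) {
		return 'index.php';
	}
	// Protocol-relative URLs, including backslash variants browsers accept
	if( preg_match( '#^[/\\\\]{2}#', $t_url ) ) {
		return 'index.php';
	}
	// Control characters and whitespace anywhere in the value
	if( preg_match( '/[\x00-\x20\x7f]/', $t_url ) ) {
		return 'index.php';
	}
	return $t_url === '' ? 'index.php' : $t_url;
}

/** Escape a value for use inside a double-quoted HTML attribute. */
function html_attr( string $p_value ): string {
	return htmlspecialchars( $p_value, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

/**
 * Pre-fix pattern (hypothetical reconstruction, kept only for contrast):
 * the raw parameter is concatenated into the attribute, so a quote in the
 * value closes it and lets further attributes such as accesskey be added.
 */
function hidden_return_field_vulnerable( string $p_return ): string {
	return '<input type="hidden" name="return" value="' . $p_return . '" />';
}

/** Fix 1: escape before printing, so quotes cannot break out of the attribute. */
function hidden_return_field_fixed( string $p_return ): string {
	return '<input type="hidden" name="return" value="' . html_attr( $p_return ) . '" />';
}

/** Fix 2: sanitize the scheme first, then escape for the href attribute. */
function proceed_link_fixed( string $p_return ): string {
	$t_url = sanitize_return_url( $p_return );
	return '<a href="' . html_attr( $t_url ) . '">Proceed</a>';
}

// Constructed sample inputs (not taken from the original report)
$t_samples = array(
	'view_all_bug_page.php?filter=1',  // legitimate relative URL, passes through
	'javascript:void(0)',               // URI scheme, replaced by index.php
	'//attacker.example/',              // protocol-relative, replaced by index.php
	'page.php" accesskey="x',           // attribute breakout, neutralised by escaping
);

foreach( $t_samples as $t_in ) {
	echo "input : $t_in\n";
	echo 'hidden: ' . hidden_return_field_fixed( $t_in ) . "\n";
	echo 'link  : ' . proceed_link_fixed( $t_in ) . "\n\n";
}
```

Note that the hidden-field fix and the link fix address different sinks: escaping alone is enough for the attribute context, but a correctly escaped `javascript:` URL is still executable once it lands in an href, which is why the second sink needs the scheme check in addition to escaping.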

mod - account_prefs_update.php
mod - manage_config_revert.php
mod - manage_custom_field_delete.php
mod - manage_custom_field_update.php
mod - print_all_bug_options_update.php
mod - set_project.php