ID: 0011229
Project: mantisbt
Category: security
View Status: public
Last Update: 2010-04-23 23:22
Reporter: marboi
Assigned To: dhx
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.1.8
Target Version: 1.1.9
Fixed in Version: 1.1.9
Summary: 0011229: XSS on /view_all_bug_page.php?tag_string=<XSS>
Description

Bad filtering on tag_string parameter of view_all_bugs.php
Javascript injection is possible.

Steps To Reproduce

Enter something like:
/view_all_bug_page.php?tag_string=</td><script>alert(42);</script><td>

If the popup does not appear, check the HTML source, the Javascript might be invalid for this browser -- this works with Firefox 3.5

Additional Information

found again by Nessus

Tags: No tags attached.

Activities

dhx
2009-11-30 20:37
reporter ~0023829

Thanks for reporting this issue Michel. It should now be fixed in all branches of Mantis. However I don't use 1.1.x so I haven't tested the backport of my patch against 1.1.x. If anyone is reading this note and would like to test against 1.1.x, please let me know if it works OK.

I also discovered a bunch of XSS errors relating to tags on tag_view_page.php and tag_update_page.php so if you'd like to test that too, do the following:

1) Get a vulnerable version of Mantis
2) Create a new tag "</td><script>alert(42);</script><td>"
3) Go to manage_tags_page.php and select the tag you just created
4) See if you get an alert message
5) Click on the "Update tag" button
6) See if you get an alert message
7) Go to view_all_bug_page.php
8) Select the tag you just created from the tag selection dropdown in the filter form
9) Check to make sure that the tag you created displays correctly within the dropdown option list and that no text is outside the dropdown list

The tagging code in Mantis isn't pretty, but I've tried my best to find instances where tags are being printed to the user via HTML output and confirm that they're sanitising the tags correctly.
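As an added illustration of the fix described in the changesets below (example code, not MantisBT's own; the function names and the sample tag list are assumptions): escape each tag name with htmlspecialchars() at the point it is written into the filter dropdown, then check that no tag name contributed raw markup to the output.

```php
<?php
// Added example (not MantisBT's own code): render the tag filter dropdown
// with every tag name escaped before it reaches the HTML output.

// Escape a string for an HTML text or attribute context. ENT_QUOTES also
// escapes single quotes, so the result is safe inside a quoted attribute.
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hypothetical stand-in for the print routine that builds the filter
// <select>. $tags maps tag id => raw tag name as stored in the database;
// $requested is the raw tag_string value taken from the request.
function render_tag_select(array $tags, string $requested): string
{
    $out = "<select name=\"tag_string\">\n";
    foreach ($tags as $id => $name) {
        $selected = ($name === $requested) ? ' selected="selected"' : '';
        // Escape both the attribute value and the visible option text; the
        // comparison above is done on the raw strings, not the escaped ones.
        $out .= sprintf("  <option value=\"%s\"%s>%s</option>\n",
                        html_escape($name), $selected, html_escape($name));
    }
    return $out . "</select>\n";
}

// Regression check: no tag name may contribute a raw '<' to the markup, so
// the only '<' characters present are the ones this renderer emits itself.
function output_is_well_formed(string $html, array $tags): bool
{
    // <select>, </select>, plus <option> and </option> per tag
    $expected = 2 + 2 * count($tags);
    return substr_count($html, '<') === $expected;
}

// Constructed sample data: a benign tag and the tag string from this report.
$tags = [
    1 => 'backend',
    2 => '</td><script>alert(42);</script><td>',
];
$html = render_tag_select($tags, $tags[2]);
assert(output_is_well_formed($html, $tags));
echo $html;
```

The same escaping applies wherever a tag name or description is printed (tag_view_page.php, tag_update_page.php, manage_tags_page.php), not only in the filter form.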

Related Changesets

MantisBT: master-1.2.x d36359cf
2009-11-30 19:56
dhx

Fix 0011229: Fix tagging XSS scripting vulnerabilities

Tag names and descriptions were not properly sanitised before being
written to HTML output. This meant that it was possible for users to
create tags containing Javascript that is executed on every load of
view_all_bug_page (and elsewhere) for all users.

Thanks to Michel Arboi from Tenable Network Security (Nessus) for
reporting this issue.
Affected Issues: 0011229
mod - tag_update_page.php
mod - core/filter_api.php
mod - tag_view_page.php
mod - core/print_api.php

MantisBT: master 70b5022f
2009-11-30 19:56
dhx

Fix 0011229: Fix tagging XSS scripting vulnerabilities

Tag names and descriptions were not properly sanitised before being
written to HTML output. This meant that it was possible for users to
create tags containing Javascript that is executed on every load of
view_all_bug_page (and elsewhere) for all users.

Thanks to Michel Arboi from Tenable Network Security (Nessus) for
reporting this issue.
Affected Issues: 0011229
mod - core/print_api.php
mod - core/filter_api.php
mod - tag_update_page.php
mod - tag_view_page.php

MantisBT: master-1.1.x c6f356da
2009-11-30 20:29
dhx

Fix 0011229: Fix tagging XSS scripting vulnerabilities

Tag names and descriptions were not properly sanitised before being
written to HTML output. This meant that it was possible for users to
create tags containing Javascript that is executed on every load of
view_all_bug_page (and elsewhere) for all users.

Thanks to Michel Arboi from Tenable Network Security (Nessus) for
reporting this issue.

This is a backport of 70b5022f556c9b9b6b0cd661e3357767a3b178c5
Affected Issues: 0011229
mod - tag_update_page.php
mod - tag_view_page.php
mod - core/print_api.php
mod - core/filter_api.php