View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0011229 | mantisbt | security | public | 2009-11-30 11:28 | 2010-04-23 23:22 |
Reporter | marboi | Assigned To | dhx | ||
Priority | urgent | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 1.1.8 | ||||
Target Version | 1.1.9 | Fixed in Version | 1.1.9 | ||
Summary | 0011229: XSS on /view_all_bug_page.php?tag_string=<XSS> | ||||
Description | Bad filtering on tag_string parameter of view_all_bugs.php | ||||
Steps To Reproduce | Enter something like: If the popup does not appear, check the HTML source, the Javascript might be invalid for this browser -- this works with Firefox 3.5 | ||||
Additional Information | found again by Nessus | ||||
Tags | No tags attached. | ||||
Thanks for reporting this issue Michel. It should now be fixed in all branches of Mantis. However I don't use 1.1.x so I haven't tested the backport of my patch against 1.1.x. If anyone is reading this note and would like to test against 1.1.x, please let me know if it works OK.

I also discovered a bunch of XSS errors relating to tags on tag_view_page.php and tag_update_page.php so if you'd like to test that too, do the following:

1) Get a vulnerable version of Mantis

The tagging code in Mantis isn't pretty, but I've tried my best to find instances where tags are being printed to the user via HTML output and confirm that they're sanitising the tags correctly.

MantisBT: master-1.2.x d36359cf 2009-11-30 19:56

Fix 0011229: Fix tagging XSS scripting vulnerabilities

Tag names and descriptions were not properly sanitised before being written to HTML output. This meant that it was possible for users to create tags containing Javascript that is executed on every load of view_all_bug_page (and elsewhere) for all users.

Thanks to Michel Arboi from Tenable Network Security (Nessus) for reporting this issue.

Affected Issues 0011229

mod - tag_update_page.php
mod - core/filter_api.php
mod - tag_view_page.php
mod - core/print_api.php

MantisBT: master 70b5022f 2009-11-30 19:56

Fix 0011229: Fix tagging XSS scripting vulnerabilities

Tag names and descriptions were not properly sanitised before being written to HTML output. This meant that it was possible for users to create tags containing Javascript that is executed on every load of view_all_bug_page (and elsewhere) for all users.

Thanks to Michel Arboi from Tenable Network Security (Nessus) for reporting this issue.

Affected Issues 0011229

mod - core/print_api.php
mod - core/filter_api.php
mod - tag_update_page.php
mod - tag_view_page.php

MantisBT: master-1.1.x c6f356da 2009-11-30 20:29

Fix 0011229: Fix tagging XSS scripting vulnerabilities

Tag names and descriptions were not properly sanitised before being written to HTML output. This meant that it was possible for users to create tags containing Javascript that is executed on every load of view_all_bug_page (and elsewhere) for all users.

Thanks to Michel Arboi from Tenable Network Security (Nessus) for reporting this issue.

This is a backport of 70b5022f556c9b9b6b0cd661e3357767a3b178c5

Affected Issues 0011229

mod - tag_update_page.php
mod - tag_view_page.php
mod - core/print_api.php
mod - core/filter_api.php
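
The commit messages above describe tag names and descriptions reaching HTML output unsanitised. As an added illustration (not MantisBT's code and not the patch itself), the PHP below shows that pattern beside an output-encoded version; the function names, the `tag_id` link parameter, the form field and the sample tag are assumptions constructed for the example.

```php
<?php
// Added illustration; every function name here is hypothetical, not MantisBT's API.

/** Encode untrusted text for an HTML text node or a quoted attribute value. */
function esc_html(string $s): string {
    // ENT_QUOTES also encodes single quotes, which the older default (ENT_COMPAT) leaves alone.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** "Before": stored tag fields are concatenated into markup as-is. */
function render_tag_link_unsafe(array $tag): string {
    return '<a href="tag_view_page.php?tag_id=' . $tag['id'] . '" title="'
        . $tag['description'] . '">' . $tag['name'] . '</a>';
}

/** "After": every field is encoded at the point of output, for the context it lands in. */
function render_tag_link(array $tag): string {
    return '<a href="tag_view_page.php?tag_id=' . (int) $tag['id'] . '" title="'
        . esc_html($tag['description']) . '">' . esc_html($tag['name']) . '</a>';
}

/** Request parameter (tag_string) echoed into a form field; the field itself is assumed. */
function render_tag_filter_input(string $tag_string): string {
    return '<input type="text" name="tag_string" value="' . esc_html($tag_string) . '" />';
}

// Constructed sample: a stored tag whose name and description contain markup.
$tag = [
    'id'          => 7,
    'name'        => '<script>alert(1)</script>',
    'description' => 'x" data-injected="1',
];

echo render_tag_link_unsafe($tag), "\n";           // tag data becomes part of the page markup
echo render_tag_link($tag), "\n";                  // same data rendered as inert text
echo render_tag_filter_input($tag['name']), "\n";  // reflected value, encoded the same way

// Simple regression check: no raw markup from the tag survives encoding.
$safe = render_tag_link($tag);
if (strpos($safe, '<script') !== false || strpos($safe, 'x" data-injected') !== false) {
    fwrite(STDERR, "encoding regression\n");
    exit(1);
}
```

Encoding at the point of output, rather than when the tag is created, covers every page that prints the tag and also covers values already stored before the fix.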