| View Issue Details |
| ID | Project | Category | View Status | Date Submitted | Last Update | ||||
| 0011229 | mantisbt | security | public | 2009-11-30 11:28 | 2010-04-23 23:22 | ||||
| Reporter | marboi | ||||||||
| Assigned To | dhx | ||||||||
| Priority | urgent | Severity | major | Reproducibility | always | ||||
| Status | closed | Resolution | fixed | ||||||
| Platform | OS | OS Version | |||||||
| Product Version | 1.1.8 | ||||||||
| Target Version | 1.1.9 | Fixed in Version | 1.1.9 | ||||||
| Summary | 0011229: XSS on /view_all_bug_page.php?tag_string=<XSS> | ||||||||
| Description | Bad filtering on tag_string parameter of view_all_bugs.php. Javascript injection is possible. | ||||||||
| Steps To Reproduce | Enter something like: /view_all_bug_page.php?tag_string=</td><script>alert(42);</script><td> If the popup does not appear, check the HTML source, the Javascript might be invalid for this browser -- this works with Firefox 3.5 | ||||||||
| Additional Information | found again by Nessus | ||||||||
| Tags | No tags attached. | ||||||||
| Attached Files | |||||||||
Notes |
|
|
dhx (developer) 2009-11-30 20:37 |
Thanks for reporting this issue Michel. It should now be fixed in all branches of Mantis. However I don't use 1.1.x so I haven't tested the backport of my patch against 1.1.x. If anyone is reading this note and would like to test against 1.1.x, please let me know if it works OK.

I also discovered a bunch of XSS errors relating to tags on tag_view_page.php and tag_update_page.php so if you'd like to test that too, do the following:

1) Get a vulnerable version of Mantis
2) Create a new tag "</td><script>alert(42);</script><td>"
3) Go to manage_tags_page.php and select the tag you just created
4) See if you get an alert message
5) Click on the "Update tag" button
6) See if you get an alert message
7) Go to view_all_bug_page.php
8) Select the tag you just created from the tag selection dropdown in the filter form
9) Check to make sure that the tag you created displays correctly within the dropdown option list and that no text is outside the dropdown list

The tagging code in Mantis isn't pretty, but I've tried my best to find instances where tags are being printed to the user via HTML output and confirm that they're sanitising the tags correctly. |
Related Changesets |
|||
|
MantisBT: master-1.2.x d36359cf
Timestamp: 2009-12-01 00:56:46 Author: dhx |
Fix 0011229: Fix tagging XSS scripting vulnerabilities Tag names and descriptions were not properly sanitised before being written to HTML output. This meant that it was possible for users to create tags containing Javascript that is executed on every load of view_all_bug_page (and elsewhere) for all users. Thanks to Michel Arboi from Tenable Network Security (Nessus) for reporting this issue. |
||
| mod - tag_update_page.php |
| mod - core/filter_api.php |
| mod - tag_view_page.php |
| mod - core/print_api.php |
|
MantisBT: master 70b5022f
Timestamp: 2009-12-01 00:56:46 Author: dhx |
Fix 0011229: Fix tagging XSS scripting vulnerabilities Tag names and descriptions were not properly sanitised before being written to HTML output. This meant that it was possible for users to create tags containing Javascript that is executed on every load of view_all_bug_page (and elsewhere) for all users. Thanks to Michel Arboi from Tenable Network Security (Nessus) for reporting this issue. |
||
| mod - core/print_api.php |
| mod - core/filter_api.php |
| mod - tag_update_page.php |
| mod - tag_view_page.php |
|
MantisBT: master-1.1.x c6f356da
Timestamp: 2009-12-01 01:29:53 Author: dhx |
Fix 0011229: Fix tagging XSS scripting vulnerabilities Tag names and descriptions were not properly sanitised before being written to HTML output. This meant that it was possible for users to create tags containing Javascript that is executed on every load of view_all_bug_page (and elsewhere) for all users. Thanks to Michel Arboi from Tenable Network Security (Nessus) for reporting this issue. This is a backport of 70b5022f556c9b9b6b0cd661e3357767a3b178c5 |
||
| mod - tag_update_page.php |
| mod - tag_view_page.php |
| mod - core/print_api.php |
| mod - core/filter_api.php |
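
The class of fix described in the changesets above, output encoding of tag names and descriptions where they are written into HTML, shown as an added example. This is not MantisBT's code: the function names are hypothetical, the description string is constructed, and the test tag is the one from the note's reproduction steps.

```php
<?php
declare(strict_types=1);

// Added example; function names are hypothetical, not MantisBT's API.

// "Before": the tag name goes into the markup as-is, so markup characters in
// the name are parsed by the browser as HTML instead of being shown as text.
function render_tag_option_unsafe(int $id, string $name): string
{
    return '<option value="' . $id . '">' . $name . '</option>';
}

// "After": encode at the point of output. ENT_QUOTES covers both quote
// characters, so the same helper is also safe inside attribute values.
function html_escape(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_tag_option_safe(int $id, string $name, string $description): string
{
    return '<option value="' . $id . '" title="' . html_escape($description) . '">'
        . html_escape($name) . '</option>';
}

// Regression check for step 9 of the note: the only tag delimiters in the
// output belong to the <option> pair, so nothing from the tag name or
// description ended up outside the dropdown entry.
function stays_inside_option(string $html): bool
{
    return substr_count($html, '<') === 2 && substr_count($html, '>') === 2;
}

// Test tag from the reproduction steps in the issue; description is constructed.
$tag  = '</td><script>alert(42);</script><td>';
$desc = 'constructed description with "quotes" & <markup>';

$rendered = [
    'unsafe' => render_tag_option_unsafe(7, $tag),
    'safe'   => render_tag_option_safe(7, $tag, $desc),
];

foreach ($rendered as $label => $html) {
    $verdict = stays_inside_option($html) ? 'contained' : 'BREAKS OUT';
    printf("%-6s %-10s %s\n", $label, $verdict, $html);
}
```

The same check can be run against each page named in the changesets that prints a tag, since the encoding has to happen at every output site rather than once at input.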
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2009-11-30 11:28 | marboi | New Issue | |
| 2009-11-30 18:25 | dhx | Status | new => assigned |
| 2009-11-30 18:25 | dhx | Assigned To | => dhx |
| 2009-11-30 18:25 | dhx | Target Version | => 1.1.9 |
| 2009-11-30 20:10 | dhx | Resolution | open => fixed |
| 2009-11-30 20:10 | dhx | Fixed in Version | => 1.3.x |
| 2009-11-30 20:10 | dhx | Changeset attached | master-1.2.x d36359cf => |
| 2009-11-30 20:10 | dhx | Changeset attached | master 70b5022f => |
| 2009-11-30 20:37 | dhx | Note Added: 0023829 | |
| 2009-11-30 20:37 | dhx | Status | assigned => resolved |
| 2009-11-30 20:37 | dhx | Fixed in Version | 1.3.x => 1.1.9 |
| 2009-11-30 20:40 | dhx | Changeset attached | master-1.1.x c6f356da => |
| 2010-04-23 23:22 | dhx | Status | resolved => closed |