View Issue Details

ID: 0011261
Project: mantisbt
Category: security
View Status: public
Last Update: 2010-02-22 14:34
Reporter: dhx
Assigned To: dhx
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.0
Target Version: 1.2.0
Fixed in Version: 1.2.0
Summary: 0011261: Don't rely on MantisCoreFormatting to provide string sanitisation for HTML output that can occur prior to plugins loading
Description

print_project_menu_bar() is called when an error occurs in MantisBT (to produce the HTML output for the error page). At this point of time, MantisCoreFormatting may not be loaded by MantisBT and therefore the string_display_* sanitisation functions won't be executed. Thus we must force the use of the string_html_specialchars() function to ensure that these strings are safely sanitised even when MantisCoreFormatting isn't loaded.

Tags: No tags attached.

Activities

dhx (reporter) 2009-12-06 10:56 ~0023865

Steps to reproduce:

<dhx_m> nuclear_eclipse: I can reproduce it again in a different place
<dhx_m> click "Update" at the bottom of manage_plugin_page.php
<dhx_m> when you have ON == config_get( 'show_project_menu_bar'
<dhx_m> my menu bar looks like:
<dhx_m> All Projects | TestA<script>alert(52);</script>: 1.1<script>alert(57);</script>: 1.1.1 | TestB
<dhx_m> and I get an alert popup for both 52 and 57
<dhx_m> I reset my local copy to Siebrand's last commit 964915c9db27702a4a42eb10117539350e9e4e02
<dhx_m> the projects in other words are "TestA<script>alert(52);</script>"
<dhx_m> and under that, a subproject "1.1<script>alert(57);</script>"
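The mechanism described in the issue description and reproduced in the chat log above, as an added PHP illustration that is not MantisBT's own code: the string_display_* helpers hand text to plugin event hooks, and the HTML escaping is done by a hook that MantisCoreFormatting registers, so before the plugin layer has loaded the hook list is empty and project names reach the error page unescaped. The registry and function names used here ($display_hooks, register_core_formatting, display_via_hooks, menu_bar_hooks_only, menu_bar_explicit_escape, contains_raw_script_tag) are hypothetical stand-ins; the project names are the ones from the reproduction above.

```php
<?php
// Added illustration, not MantisBT code. Models the failure mode from this
// issue: escaping that lives in a plugin hook is absent until that plugin has
// loaded, so HTML emitted on an early error page must escape explicitly.
// All names below are hypothetical stand-ins, not MantisBT functions.

// Hook registry: empty until the plugin layer has loaded.
$display_hooks = array();

// Stand-in for what MantisCoreFormatting registers once it is loaded.
function register_core_formatting() {
    global $display_hooks;
    $display_hooks[] = function ($text) {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    };
}

// Stand-in for a string_display_* helper: the text is transformed only by
// whatever hooks happen to be registered at call time.
function display_via_hooks($text) {
    global $display_hooks;
    foreach ($display_hooks as $hook) {
        $text = $hook($text);
    }
    return $text;
}

// Before the fix: the menu bar trusts the hook pipeline to escape for it.
function menu_bar_hooks_only(array $project_names) {
    $items = array();
    foreach ($project_names as $name) {
        $items[] = display_via_hooks($name);
    }
    return implode(' | ', $items);
}

// After the fix: escape unconditionally (string_html_specialchars() wraps
// htmlspecialchars() in MantisBT), so the result does not depend on plugin
// load order.
function menu_bar_explicit_escape(array $project_names) {
    $items = array();
    foreach ($project_names as $name) {
        $items[] = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    }
    return implode(' | ', $items);
}

// Regression check for error-page output: a raw <script tag in the rendered
// fragment means escaping did not happen.
function contains_raw_script_tag($html) {
    return stripos($html, '<script') !== false;
}

// Project names from the reproduction in this issue; untrusted input.
$projects = array(
    'All Projects',
    'TestA<script>alert(52);</script>',
    'TestB',
);

// 1. Error page rendered before plugins load: the hook list is still empty,
//    so only the explicit-escape variant neutralises the script tag.
$before_hooks = menu_bar_hooks_only($projects);
$before_fixed = menu_bar_explicit_escape($projects);
echo "before plugins load, hooks only     : ", $before_hooks, "\n";
echo "before plugins load, explicit escape: ", $before_fixed, "\n";
var_dump(contains_raw_script_tag($before_hooks));
var_dump(contains_raw_script_tag($before_fixed));

// 2. Normal page after the plugin layer has loaded: both variants escape,
//    which is why the bug only shows on pages rendered before plugin init.
register_core_formatting();
$after_hooks = menu_bar_hooks_only($projects);
echo "after plugins load,  hooks only     : ", $after_hooks, "\n";
var_dump(contains_raw_script_tag($after_hooks));
```

Run it with `php` on the command line. The contains_raw_script_tag() check is the kind of assertion worth keeping around any output path that can execute before plugin initialisation, since the hook-based path looks correct in every test that runs after bootstrap has completed.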

Related Changesets

MantisBT: master-1.2.x ca638c79

2009-12-06 06:42

dhx


Fix 0011261: XSS in error output as MantisCoreFormatting isn't loaded

print_project_menu_bar() is called when an error occurs in MantisBT (to
produce the HTML output for the error page). At this point of time,
MantisCoreFormatting may not be loaded by MantisBT and therefore the
string_display_* sanitisation functions won't be executed. Thus we must
force the use of the string_html_specialchars() function to ensure
that these strings are safely sanitised even when MantisCoreFormatting
isn't loaded (yet).
Affected Issues
0011261
mod - core/html_api.php

MantisBT: master 26e2d3b6

2009-12-06 06:42

dhx


Fix 0011261: XSS in error output as MantisCoreFormatting isn't loaded

print_project_menu_bar() is called when an error occurs in MantisBT (to
produce the HTML output for the error page). At this point of time,
MantisCoreFormatting may not be loaded by MantisBT and therefore the
string_display_* sanitisation functions won't be executed. Thus we must
force the use of the string_html_specialchars() function to ensure
that these strings are safely sanitised even when MantisCoreFormatting
isn't loaded (yet).
Affected Issues
0011261
mod - core/html_api.php