0013191: XSS vulnerability dues to usage of PHP_SELF

(0029327)
rombert (developer)
2011-07-31 03:26

Reminder sent to: daryn, dhx, giallu, grangeway, jreese, vboctor

Not sure if you can see private issues, so adding as monitors.

(0029328)
dhx (developer)
2011-07-31 04:00

nginx not affected.

This issue only impacts MantisBT operating on web servers which take the request:
http://www.mantisbt.org/bugs/plugin.php/333%22%20onerror=%22alert%28document.cookie%29%22%20/%3E?page=ManTweet/index.php [^]

Look to see if the following file or directory exists:
http://www.mantisbt.org/bugs/plugin.php/333%22%20onerror=%22alert%28document.cookie%29%22%20/%3E [^]

When it doesn't, it strips the URL down to:
http://www.mantisbt.org/bugs/plugin.php [^]

Which exists, and therefore plugin.php is executed.

(0029329)
dhx (developer)
2011-07-31 07:41

We need to get rid of instances of PHP_SELF and force administrators to set the path themselves. I don't see any other way to do this safely, while taking into account the possibility for a HttpRewrite module within a web server translating paths outside of MantisBT's control.

I believe the issue is inside config_defaults_inc.php where we set path variables automatically based on PHP_SELF.

(0029330)
rombert (developer)
2011-07-31 08:21

Couldn't we simply 'unescape' PH_SELF when setting the path? I'm not familiar with the matter but requiring administrators to manually set this configuration path would be a step backwards in usability.

(0029340)
rombert (developer)
2011-08-01 14:52

cldrn is Paul Calderon, the original reporter of the bug.

(0029604)
rombert (developer)
2011-08-31 09:22

I'm a bit surprised we released 1.2.7 without this security fix, which is real and exploitable on MantisBT.org. I've taken a closer look at the code in config_defaults_inc.php . The usage of $_SERVER['PHP_SELF'] is limited to the calculation of $g_short_path.

I would suggest that we escape $_SERVER['PHP_SELF'], and add an upgrade / installation note regarding it. Administrators with special needs can simply set $g_short_path manually in config_inc.php.

How does that sound?

(0029635)
dhx (developer)
2011-09-03 23:50

Paul has fixed this in the master branch. I have backported the fix to the 1.2.x branch ready for a 1.2.8 release.

High-Tech Bridge Security Research Lab has also discovered and reported this issue in 0013281.

Thanks Paulino for reporting this issue - and apologies for the delay in resolving the matter.

(0036407)
grangeway (developer)
2013-04-05 17:57

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

Related Changesets
MantisBT: master 57c94485 Timestamp: 2011-08-29 10:55:14 Author: Paul Richards [ Details ] [ Diff ]	Fix issue introduced previously whereby php_Self is now used unchecked. introduced previously by john attempting to fix symlinks. Since we now use php 5.2, we can make use of filter_var. This is a simpler version of what we were trying to do previously aka http://git.mantisforge.org/w/mantisbt.git?a=commitdiff;h=5ac1fdf32717d0c82cca7e7660dd4fd316a6a1b8 [^] Depending on server/mantis config this can lead to XSS issues
	mod - config_defaults_inc.php	[ Diff ] [ File ]

MantisBT: master-1.2.x d00745f5 Timestamp: 2011-08-29 10:55:14 Author: Paul Richards Committer: dhx [ Details ] [ Diff ]	Fix issue introduced previously whereby php_Self is now used unchecked. introduced previously by john attempting to fix symlinks. Since we now use php 5.2, we can make use of filter_var. This is a simpler version of what we were trying to do previously aka http://git.mantisforge.org/w/mantisbt.git?a=commitdiff;h=5ac1fdf32717d0c82cca7e7660dd4fd316a6a1b8 [^] Depending on server/mantis config this can lead to XSS issues David: Backported from master branch and removed unreachable code branch. Signed-off-by: David Hicks <d@hx.id.au>
	mod - config_defaults_inc.php	[ Diff ] [ File ]

MantisBT: master-1.2.x e679a1c0 Timestamp: 2011-09-05 06:36:39 Author: dhx [ Details ] [ Diff ]	Fix 0013191: Prevent further XSS issues relating to PHP_SELF Silvia Alvarez (Debian package manager for MantisBT) has performed additional testing of patch d00745f5e267eba4ca34286d125de685bc3a8034 and discovered that the XSS problems surrounding the use of $_SERVER['PHP_SELF'] have not been fully fixed. The form_action_self() function also used $_SERVER['PHP_SELF'] (retrieving the basename() component of the file name). Callees of this function did not escape this file name prior to printing it in the 'action' attribute of <form> elements. This patch swaps out PHP_SELF for SCRIPT_NAME (much safer as end users have no control over the value) and also applies escaping to the 'action' attribute of relevant <form> elements. Refer to Debian bug report #640297 [1] and dicussion on the mantisbt-dev mailing list for further details. Thank you Sils for the detailed analysis of the problem, detailed report, proposed solutions and extensive testing of patches for the latest round of vulnerabilities discovered. [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640297 [^]
	mod - billing_inc.php	[ Diff ] [ File ]
	mod - bugnote_stats_inc.php	[ Diff ] [ File ]
	mod - core/authentication_api.php	[ Diff ] [ File ]
	mod - core/form_api.php	[ Diff ] [ File ]
	mod - core/helper_api.php	[ Diff ] [ File ]
	mod - manage_config_email_page.php	[ Diff ] [ File ]
	mod - manage_config_work_threshold_page.php	[ Diff ] [ File ]
	mod - manage_config_workflow_page.php	[ Diff ] [ File ]

Issue History
Date Modified	Username	Field	Change
2011-07-31 03:25	rombert	New Issue
2011-07-31 03:26	rombert	Note Added: 0029327
2011-07-31 04:00	dhx	Note Added: 0029328
2011-07-31 07:41	dhx	Note Added: 0029329
2011-07-31 07:41	dhx	Status	new => confirmed
2011-07-31 08:21	rombert	Note Added: 0029330
2011-07-31 08:21	rombert	Description Updated	View Revisions
2011-08-01 14:52	rombert	Note Added: 0029340
2011-08-22 10:49	jreese	Target Version	1.2.7 => 1.2.8
2011-08-31 09:22	rombert	Note Added: 0029604
2011-09-03 23:44	dhx	Relationship added	related to 0013281
2011-09-03 23:44	dhx	Assigned To	=> grangeway
2011-09-03 23:44	dhx	Status	confirmed => assigned
2011-09-03 23:44	dhx	Product Version	=> 1.2.6
2011-09-03 23:44	dhx	Description Updated	View Revisions
2011-09-03 23:48	dhx	Changeset attached	=> MantisBT master-1.2.x d00745f5
2011-09-03 23:49	dhx	Changeset attached	=> MantisBT master 57c94485
2011-09-03 23:50	dhx	Note Added: 0029635
2011-09-03 23:50	dhx	Status	assigned => resolved
2011-09-03 23:50	dhx	Fixed in Version	=> 1.2.8
2011-09-03 23:50	dhx	Resolution	open => fixed
2011-09-04 00:01	dhx	View Status	private => public
2011-09-05 09:55	dhx	Changeset attached	=> MantisBT master-1.2.x e679a1c0
2011-09-06 10:34	jreese	Status	resolved => closed
2013-04-05 17:57	grangeway	Status	closed => acknowledged
2013-04-05 17:57	grangeway	Note Added: 0036407
2013-04-05 18:12	grangeway	Relationship added	related to 0015721
2013-04-06 03:43	dregad	Status	acknowledged => closed
2013-04-06 07:23	grangeway	Status	closed => acknowledged
2013-04-06 09:22	dregad	Tag Attached: 2.0.x check
2013-04-06 09:23	dregad	Status	acknowledged => closed

Notes
(0029327) rombert (developer) 2011-07-31 03:26	Reminder sent to: daryn, dhx, giallu, grangeway, jreese, vboctor Not sure if you can see private issues, so adding as monitors.

(0029328) dhx (developer) 2011-07-31 04:00	nginx not affected. This issue only impacts MantisBT operating on web servers which take the request: http://www.mantisbt.org/bugs/plugin.php/333%22%20onerror=%22alert%28document.cookie%29%22%20/%3E?page=ManTweet/index.php [^] Look to see if the following file or directory exists: http://www.mantisbt.org/bugs/plugin.php/333%22%20onerror=%22alert%28document.cookie%29%22%20/%3E [^] When it doesn't, it strips the URL down to: http://www.mantisbt.org/bugs/plugin.php [^] Which exists, and therefore plugin.php is executed.

(0029329) dhx (developer) 2011-07-31 07:41	We need to get rid of instances of PHP_SELF and force administrators to set the path themselves. I don't see any other way to do this safely, while taking into account the possibility for a HttpRewrite module within a web server translating paths outside of MantisBT's control. I believe the issue is inside config_defaults_inc.php where we set path variables automatically based on PHP_SELF.

(0029330) rombert (developer) 2011-07-31 08:21	Couldn't we simply 'unescape' PH_SELF when setting the path? I'm not familiar with the matter but requiring administrators to manually set this configuration path would be a step backwards in usability.

(0029340) rombert (developer) 2011-08-01 14:52	cldrn is Paul Calderon, the original reporter of the bug.

(0029604) rombert (developer) 2011-08-31 09:22	I'm a bit surprised we released 1.2.7 without this security fix, which is real and exploitable on MantisBT.org. I've taken a closer look at the code in config_defaults_inc.php . The usage of $_SERVER['PHP_SELF'] is limited to the calculation of $g_short_path. I would suggest that we escape $_SERVER['PHP_SELF'], and add an upgrade / installation note regarding it. Administrators with special needs can simply set $g_short_path manually in config_inc.php. How does that sound?

(0029635) dhx (developer) 2011-09-03 23:50	Paul has fixed this in the master branch. I have backported the fix to the 1.2.x branch ready for a 1.2.8 release. High-Tech Bridge Security Research Lab has also discovered and reported this issue in 0013281. Thanks Paulino for reporting this issue - and apologies for the delay in resolving the matter.

(0036407) grangeway (developer) 2013-04-05 17:57	Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch