2014-11-25 19:06 EST

Issue 0013191 (project: mantisbt, category: security, view status: public, last update: 2014-09-23 18:05)
Reporter: rombert
Assigned To: grangeway
Priority: urgent   Severity: major   Reproducibility: always
Status: closed   Resolution: fixed
Product Version: 1.2.6
Target Version: 1.2.8   Fixed in Version: 1.2.8
Summary: 0013191: XSS vulnerability due to usage of PHP_SELF
Description:
I received the following email from Paulino Calderon <calderon@websec.mx>

Hi,

It seems you're not sanitizing PHP's PHP_SELF variable, making all your pages vulnerable to cross site scripting attacks.

PoC:
http://www.mantisbt.org/bugs/plugin.php/333%22%20onerror=%22alert%28document.cookie%29%22%20/%3E?page=ManTweet/index.php
Tags: No tags attached.
Attached Files: none listed.

Relationships:
- related to 0013281 (closed, dhx): MantisBT Security Vulnerabilities Notification
- related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

Notes

~0029327 rombert (developer)

Reminder sent to: daryn, dhx, giallu, grangeway, jreese, vboctor

Not sure if you can see private issues, so adding as monitors.

~0029328 dhx (reporter)

nginx not affected.

This issue only impacts MantisBT operating on web servers which take the request:
http://www.mantisbt.org/bugs/plugin.php/333%22%20onerror=%22alert%28document.cookie%29%22%20/%3E?page=ManTweet/index.php

Look to see if the following file or directory exists:
http://www.mantisbt.org/bugs/plugin.php/333%22%20onerror=%22alert%28document.cookie%29%22%20/%3E

When it doesn't, it strips the URL down to:
http://www.mantisbt.org/bugs/plugin.php

Which exists, and therefore plugin.php is executed.

~0029329 dhx (reporter)

We need to get rid of instances of PHP_SELF and force administrators to set the path themselves. I don't see any other way to do this safely, while taking into account the possibility for a HttpRewrite module within a web server translating paths outside of MantisBT's control.

I believe the issue is inside config_defaults_inc.php where we set path variables automatically based on PHP_SELF.

~0029330 rombert (developer)

Couldn't we simply 'unescape' PHP_SELF when setting the path? I'm not familiar with the matter, but requiring administrators to manually set this configuration path would be a step backwards in usability.

~0029340 rombert (developer)

cldrn is Paul Calderon, the original reporter of the bug.

~0029604 rombert (developer)

I'm a bit surprised we released 1.2.7 without this security fix, which is real and exploitable on MantisBT.org. I've taken a closer look at the code in config_defaults_inc.php. The usage of $_SERVER['PHP_SELF'] is limited to the calculation of $g_short_path.

I would suggest that we escape $_SERVER['PHP_SELF'], and add an upgrade / installation note regarding it. Administrators with special needs can simply set $g_short_path manually in config_inc.php.

How does that sound?

~0029635 dhx (reporter)

Paul has fixed this in the master branch. I have backported the fix to the 1.2.x branch ready for a 1.2.8 release.

High-Tech Bridge Security Research Lab has also discovered and reported this issue in 0013281.

Thanks Paulino for reporting this issue - and apologies for the delay in resolving the matter.

~0036407 grangeway (reporter)

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

Related Changesets

MantisBT: master 57c94485
Timestamp: 2011-08-29 10:55:14
Author: Paul Richards

Fix issue introduced previously whereby PHP_SELF is now used unchecked.

introduced previously by john attempting to fix symlinks. Since we now use php 5.2, we can make use of filter_var.

This is a simpler version of what we were trying to do previously aka http://git.mantisforge.org/w/mantisbt.git?a=commitdiff;h=5ac1fdf32717d0c82cca7e7660dd4fd316a6a1b8

Depending on server/mantis config this can lead to XSS issues
Modified: config_defaults_inc.php

MantisBT: master-1.2.x d00745f5
Timestamp: 2011-08-29 10:55:14
Author: Paul Richards
Committer: dhx

Fix issue introduced previously whereby PHP_SELF is now used unchecked.

introduced previously by john attempting to fix symlinks. Since we now use php 5.2, we can make use of filter_var.

This is a simpler version of what we were trying to do previously aka http://git.mantisforge.org/w/mantisbt.git?a=commitdiff;h=5ac1fdf32717d0c82cca7e7660dd4fd316a6a1b8

Depending on server/mantis config this can lead to XSS issues

David: Backported from master branch and removed unreachable code branch.

Signed-off-by: David Hicks <d@hx.id.au>
Modified: config_defaults_inc.php

MantisBT: master-1.2.x e679a1c0
Timestamp: 2011-09-05 06:36:39
Author: dhx

Fix 0013191: Prevent further XSS issues relating to PHP_SELF

Silvia Alvarez (Debian package manager for MantisBT) has performed
additional testing of patch d00745f5e267eba4ca34286d125de685bc3a8034
and discovered that the XSS problems surrounding the use of
$_SERVER['PHP_SELF'] have not been fully fixed.

The form_action_self() function also used $_SERVER['PHP_SELF']
(retrieving the basename() component of the file name). Callees of this
function did not escape this file name prior to printing it in the
'action' attribute of <form> elements.

This patch swaps out PHP_SELF for SCRIPT_NAME (much safer as end users
have no control over the value) and also applies escaping to the
'action' attribute of relevant <form> elements.

Refer to Debian bug report #640297 [1] and discussion on the mantisbt-dev
mailing list for further details.

Thank you Sils for the detailed analysis of the problem, detailed
report, proposed solutions and extensive testing of patches for the
latest round of vulnerabilities discovered.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640297

Modified:
- billing_inc.php
- bugnote_stats_inc.php
- core/authentication_api.php
- core/form_api.php
- core/helper_api.php
- manage_config_email_page.php
- manage_config_work_threshold_page.php
- manage_config_workflow_page.php
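As an added example (not MantisBT's own code), the PHP below contrasts a short path derived from PHP_SELF, the situation rombert's note ~0029604 and the first two changesets describe, with the SCRIPT_NAME plus output-escaping approach of commit e679a1c0. The $server array, the PATH_INFO value and the function names are constructed for illustration and do not claim to mirror MantisBT's implementation.

```php
<?php
// Added example, not MantisBT's own code. Shows why a path derived from
// $_SERVER['PHP_SELF'] is attacker-influenced and how the direction of the
// fix in this ticket (use SCRIPT_NAME, escape on output) removes the problem.

// Constructed request (hypothetical values). When the web server maps
// /bugs/plugin.php/<extra segment> back to plugin.php, the extra segment
// becomes PATH_INFO and PHP appends it to PHP_SELF, while SCRIPT_NAME stays
// the server-resolved script path that the client cannot influence.
$server = [
    'SCRIPT_NAME' => '/bugs/plugin.php',
    'PATH_INFO'   => '/333" data-injected="1" /x', // constructed, quote-bearing
];
$server['PHP_SELF'] = $server['SCRIPT_NAME'] . $server['PATH_INFO'];

// Before: short path derived from PHP_SELF and emitted raw into attributes.
function short_path_unsafe(array $server): string {
    return rtrim(dirname($server['PHP_SELF']), '/') . '/';
}

// After: derive from SCRIPT_NAME (filter_var as the first commit suggests).
function short_path_safe(array $server): string {
    $path = filter_var($server['SCRIPT_NAME'], FILTER_SANITIZE_URL);
    return rtrim(dirname($path), '/') . '/';
}

// After: form action from the server-resolved script name, escaped for an
// HTML attribute, as the e679a1c0 change describes for form_action_self().
function form_action_self_safe(array $server): string {
    return htmlspecialchars(basename($server['SCRIPT_NAME']), ENT_QUOTES, 'UTF-8');
}

function attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// The quote in PATH_INFO terminates the src attribute and injects a new one:
echo '<img src="' . short_path_unsafe($server) . 'images/logo.png">', "\n";
// Stable path; attribute escaping would neutralise a quote if one got in:
echo '<img src="' . attr(short_path_safe($server)) . 'images/logo.png">', "\n";
echo '<form action="' . form_action_self_safe($server) . '" method="post">', "\n";
```

Running it under the PHP CLI prints the broken attribute in the first line and the clean, server-derived values in the other two, which is the behaviour the ticket's PoC URL exercises on an affected Apache setup.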
MantisBT: master 033a5045
Timestamp: 2013-09-26 03:57:19
Author: dregad

Prevent XSS issues relating to PHP_SELF

Selectively porting the security fixes for issue 0013191 from dhx's
original commit e679a1c02978ba1b811959dedc358598fc595458, following the
reintroduction of the form_action_self() function in master branch to
fix issue 0016410.
Modified:
- core/form_api.php
- manage_config_email_page.php
- manage_config_work_threshold_page.php
- manage_config_workflow_page.php


Issue History

Date Modified     Username    Field                 Change
2011-07-31 03:25  rombert     New Issue
2011-07-31 03:26  rombert     Note Added            0029327
2011-07-31 04:00  dhx         Note Added            0029328
2011-07-31 07:41  dhx         Note Added            0029329
2011-07-31 07:41  dhx         Status                new => confirmed
2011-07-31 08:21  rombert     Note Added            0029330
2011-07-31 08:21  rombert     Description Updated
2011-08-01 14:52  rombert     Note Added            0029340
2011-08-22 10:49  jreese      Target Version        1.2.7 => 1.2.8
2011-08-31 09:22  rombert     Note Added            0029604
2011-09-03 23:44  dhx         Relationship added    related to 0013281
2011-09-03 23:44  dhx         Assigned To           => grangeway
2011-09-03 23:44  dhx         Status                confirmed => assigned
2011-09-03 23:44  dhx         Product Version       => 1.2.6
2011-09-03 23:44  dhx         Description Updated
2011-09-03 23:48  dhx         Changeset attached    => MantisBT master-1.2.x d00745f5
2011-09-03 23:49  dhx         Changeset attached    => MantisBT master 57c94485
2011-09-03 23:50  dhx         Note Added            0029635
2011-09-03 23:50  dhx         Status                assigned => resolved
2011-09-03 23:50  dhx         Fixed in Version      => 1.2.8
2011-09-03 23:50  dhx         Resolution            open => fixed
2011-09-04 00:01  dhx         View Status           private => public
2011-09-05 09:55  dhx         Changeset attached    => MantisBT master-1.2.x e679a1c0
2011-09-06 10:34  jreese      Status                resolved => closed
2013-04-05 17:57  grangeway   Status                closed => acknowledged
2013-04-05 17:57  grangeway   Note Added            0036407
2013-04-05 18:12  grangeway   Relationship added    related to 0015721
2013-04-06 03:43  dregad      Status                acknowledged => closed
2013-04-06 07:23  grangeway   Status                closed => acknowledged
2013-04-06 09:22  dregad      Tag Attached          2.0.x check
2013-04-06 09:23  dregad      Status                acknowledged => closed
2013-09-26 11:22  dregad      Changeset attached    => MantisBT master 033a5045
2014-09-23 18:05  grangeway   Tag Detached          2.0.x check