View Issue Details

IDProjectCategoryView StatusLast Update
0013191mantisbtsecuritypublic2014-09-23 18:05
Reporterrombert Assigned Tograngeway  
PriorityurgentSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Product Version1.2.6 
Target Version1.2.8Fixed in Version1.2.8 
Summary0013191: XSS vulnerability dues to usage of PHP_SELF
Description

I received the following email from Paulino Calderon <calderon@websec.mx>

Hi,

It seems your not sanitazing PHP's PHPSELF variable making all your pages vulnerable to cross site scripting attacks.

PoC:
http://www.mantisbt.org/bugs/plugin.php/333%22%20onerror=%22alert%28document.cookie%29%22%20/%3E?page=ManTweet/index.php

TagsNo tags attached.

Relationships

related to 0013281 closeddhx MantisBT Security Vulnerabilities Notification 
related to 0015721 closedgrangeway Functionality to consider porting to master-2.0.x 

Activities

rombert

rombert

2011-07-31 03:26

reporter   ~0029327

Reminder sent to: daryn, dhx, giallu, grangeway, jreese, vboctor

Not sure if you can see private issues, so adding as monitors.

dhx

dhx

2011-07-31 04:00

reporter   ~0029328

nginx not affected.

This issue only impacts MantisBT operating on web servers which take the request:
http://www.mantisbt.org/bugs/plugin.php/333%22%20onerror=%22alert%28document.cookie%29%22%20/%3E?page=ManTweet/index.php

Look to see if the following file or directory exists:
http://www.mantisbt.org/bugs/plugin.php/333%22%20onerror=%22alert%28document.cookie%29%22%20/%3E

When it doesn't, it strips the URL down to:
http://www.mantisbt.org/bugs/plugin.php

Which exists, and therefore plugin.php is executed.

dhx

dhx

2011-07-31 07:41

reporter   ~0029329

We need to get rid of instances of PHP_SELF and force administrators to set the path themselves. I don't see any other way to do this safely, while taking into account the possibility for a HttpRewrite module within a web server translating paths outside of MantisBT's control.

I believe the issue is inside config_defaults_inc.php where we set path variables automatically based on PHP_SELF.

rombert

rombert

2011-07-31 08:21

reporter   ~0029330

Couldn't we simply 'unescape' PH_SELF when setting the path? I'm not familiar with the matter but requiring administrators to manually set this configuration path would be a step backwards in usability.

rombert

rombert

2011-08-01 14:52

reporter   ~0029340

cldrn is Paul Calderon, the original reporter of the bug.

rombert

rombert

2011-08-31 09:22

reporter   ~0029604

I'm a bit surprised we released 1.2.7 without this security fix, which is real and exploitable on MantisBT.org. I've taken a closer look at the code in config_defaults_inc.php . The usage of $_SERVER['PHP_SELF'] is limited to the calculation of $g_short_path.

I would suggest that we escape $_SERVER['PHP_SELF'], and add an upgrade / installation note regarding it. Administrators with special needs can simply set $g_short_path manually in config_inc.php.

How does that sound?

dhx

dhx

2011-09-03 23:50

reporter   ~0029635

Paul has fixed this in the master branch. I have backported the fix to the 1.2.x branch ready for a 1.2.8 release.

High-Tech Bridge Security Research Lab has also discovered and reported this issue in 0013281.

Thanks Paulino for reporting this issue - and apologies for the delay in resolving the matter.

grangeway

grangeway

2013-04-05 17:57

reporter   ~0036407

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

Related Changesets

MantisBT: master 57c94485

2011-08-29 06:55

Paul Richards


Details Diff
Fix issue introduced previously whereby php_Self is now used unchecked.

introduced previously by john attempting to fix symlinks. Since we now use php 5.2, we can make use of filter_var.

This is a simpler version of what we were trying to do previously aka http://git.mantisforge.org/w/mantisbt.git?a=commitdiff;h=5ac1fdf32717d0c82cca7e7660dd4fd316a6a1b8

Depending on server/mantis config this can lead to XSS issues
Affected Issues
0013191, 0013281
mod - config_defaults_inc.php Diff File

MantisBT: master-1.2.x d00745f5

2011-08-29 06:55

Paul Richards

Committer: dhx


Details Diff
Fix issue introduced previously whereby php_Self is now used unchecked.

introduced previously by john attempting to fix symlinks. Since we now use php 5.2, we can make use of filter_var.

This is a simpler version of what we were trying to do previously aka http://git.mantisforge.org/w/mantisbt.git?a=commitdiff;h=5ac1fdf32717d0c82cca7e7660dd4fd316a6a1b8

Depending on server/mantis config this can lead to XSS issues

David: Backported from master branch and removed unreachable code branch.

Signed-off-by: David Hicks <d@hx.id.au>
Affected Issues
0013191, 0013281
mod - config_defaults_inc.php Diff File

MantisBT: master-1.2.x e679a1c0

2011-09-05 02:36

dhx


Details Diff
Fix 0013191: Prevent further XSS issues relating to PHP_SELF

Silvia Alvarez (Debian package manager for MantisBT) has performed
additional testing of patch d00745f5e267eba4ca34286d125de685bc3a8034
and discovered that the XSS problems surrounding the use of
$_SERVER['PHP_SELF'] have not been fully fixed.

The form_action_self() function also used $_SERVER['PHP_SELF']
(retrieving the basename() component of the file name). Callees of this
function did not escape this file name prior to printing it in the
'action' attribute of <form> elements.

This patch swaps out PHP_SELF for SCRIPT_NAME (much safer as end users
have no control over the value) and also applies escaping to the
'action' attribute of relevant <form> elements.

Refer to Debian bug report #640297 [1] and dicussion on the mantisbt-dev
mailing list for further details.

Thank you Sils for the detailed analysis of the problem, detailed
report, proposed solutions and extensive testing of patches for the
latest round of vulnerabilities discovered.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640297
Affected Issues
0013191
mod - billing_inc.php Diff File
mod - bugnote_stats_inc.php Diff File
mod - core/authentication_api.php Diff File
mod - core/form_api.php Diff File
mod - core/helper_api.php Diff File
mod - manage_config_email_page.php Diff File
mod - manage_config_work_threshold_page.php Diff File
mod - manage_config_workflow_page.php Diff File

MantisBT: master 033a5045

2013-09-25 23:57

dregad


Details Diff
Prevent XSS issues relating to PHP_SELF

Selectively porting the security fixes for issue 0013191 from dhx's
original commit e679a1c02978ba1b811959dedc358598fc595458, following the
reintroduction of the form_action_self() function in master branch to
fix issue 0016410.
Affected Issues
0013191, 0016410
mod - core/form_api.php Diff File
mod - manage_config_email_page.php Diff File
mod - manage_config_work_threshold_page.php Diff File
mod - manage_config_workflow_page.php Diff File