MantisBT

View Issue Details
ID: 0015373
Project: mantisbt
Category: security
View Status: public
Date Submitted: 2013-01-16 05:03
Last Update: 2014-09-23 18:05
Reporter: HauntIT
Assigned To: dhx
Priority: immediate
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Platform / OS / OS Version: (not specified)
Product Version: 1.2.12
Target Version: 1.2.13
Fixed in Version: 1.2.13
Summary: 0015373: CVE-2013-0197 XSS vulnerability with match_type filter
Description: HauntIT blog reported a persistent XSS vulnerability in MantisBT 1.2.12, which exists for admin user, but possibly for other users and in other parts of the application as well.

http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html

Additional information requested from blog author.
Tags: No tags attached.
Attached Files:
  4damien01.png (64,676 bytes) 2013-01-18 04:58
  4damien02.png (75,493 bytes) 2013-01-18 04:58
  master-1.2.x_0001-Fix-15373-match_type-XSS-vulnerability.patch (1,532 bytes) 2013-01-18 06:35
  master_0001-Fix-15373-match_type-XSS-vulnerability.patch (1,534 bytes) 2013-01-18 06:35

- Relationships
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x
related to 0015388 (closed, dregad): Update the match_type parameter to be XSS-safe by itself

- Notes
Note 0034813
HauntIT (reporter)
2013-01-18 05:00

Hi, Damien asked me to write here more details about this vulnerability, so below is a short description of how to reproduce this bug.

Another good 'point of view' is to check 2 screens I've uploaded.

match_type parameter is vulnerable to persistent XSS.
Code used as a payload was alert() function from JavaScript.

Feel free to ask if you need anything more with this case. :)

Cheers o/
Note 0034814
dhx (developer)
2013-01-18 05:39

Confirmed with live URL:
http://www.mantisbt.org/bugs/search.php?sticky_issues=1&sortby=last_updated&dir=DESC&hide_status_id=90&match_type="><script>alert(1)</script>
Note 0034815
dregad (developer)
2013-01-18 05:42
edited on: 2013-01-18 05:44

@rombert, the match_type parameter [1] was introduced as part of your commit 5b491868 (or filter logic).

Is there any particular reason for using gpc_get_string here ? Since the filter type can only be a preset list of integer values as defined by constants (FILTER_MATCH_*), I would say gpc_get_int would be more appropriate, no ?

Let me know your thoughts.

[1] https://github.com/mantisbt/mantisbt/blame/master-1.2.x/view_all_set.php#L205

Note 0034816
dhx (developer)
2013-01-18 06:39

Thanks for reporting this issue Jakub. Patched with a quick fix for now. Refer to Damien's comment about why gpc_get_string is being called for more detailed information about a better solution.

A CVE ID has been requested from the oss-security mailing list and we should hopefully have a mantisbt-1.2.13 build rolled out very soon.
Note 0034818
rombert (developer)
2013-01-18 15:31

(In reply to comment 0015373:0034815)
> @rombert, the match_type parameter [1] was introduced as part of your commit
> 5b491868 (or filter logic).
>
> Is there any particular reason for using gpc_get_string here ? Since the filter
> type can only be a preset list of integer values as defined by constants
> (FILTER_MATCH_*), I would say gpc_get_int would be more appropriate, no ?
>
> Let me know your thoughts.
>
> [1]
> https://github.com/mantisbt/mantisbt/blame/master-1.2.x/view_all_set.php#L205 [^]

Damien, I've updated the code to use gpc_get_int and the XSS vulnerability is gone.

All - let me know if the fix is proper, or I'll rework it if needed. Thanks for the rapid reaction and sorry for introducing the vulnerability.
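The before/after pattern the notes above describe (a raw string read with gpc_get_string reaching HTML output, versus reading the value as an integer and restricting it to the known FILTER_MATCH_* set), as an added PHP illustration that is not MantisBT's own code. The constant values, the helper names and the request arrays are assumptions constructed for this example.

```php
<?php
// Added illustration, not MantisBT code. Stand-ins for the FILTER_MATCH_*
// constants the notes refer to (values assumed for this example).
const FILTER_MATCH_ANY = 0;
const FILTER_MATCH_ALL = 1;
const ALLOWED_MATCH_TYPES = [FILTER_MATCH_ANY, FILTER_MATCH_ALL];

// "Before": the filter value is read as a raw string (as gpc_get_string does)
// and interpolated into an attribute without escaping. A value such as
// "><script>alert(1)</script> closes the attribute and injects markup.
function render_match_type_vulnerable(array $request): string {
    $match_type = $request['match_type'] ?? '';          // raw string from the URL
    return '<input type="hidden" name="match_type" value="' . $match_type . '" />';
}

// "After": (1) read the parameter as an integer, in the spirit of gpc_get_int,
// falling back to the default for anything non-numeric; (2) reject values
// outside the known FILTER_MATCH_* set; (3) still HTML-escape on output.
function read_match_type(array $request, int $default = FILTER_MATCH_ANY): int {
    $raw = $request['match_type'] ?? null;
    if ($raw === null || filter_var($raw, FILTER_VALIDATE_INT) === false) {
        return $default;                                  // not an integer at all
    }
    $value = (int) $raw;
    return in_array($value, ALLOWED_MATCH_TYPES, true) ? $value : $default;
}

function render_match_type_fixed(array $request): string {
    $match_type = read_match_type($request);
    return '<input type="hidden" name="match_type" value="'
        . htmlspecialchars((string) $match_type, ENT_QUOTES, 'UTF-8') . '" />';
}

// Constructed requests mimicking the search.php?match_type=... URL from the notes.
$hostile = ['match_type' => '"><script>alert(1)</script>'];
$benign  = ['match_type' => '1'];

echo render_match_type_vulnerable($hostile), PHP_EOL; // attribute broken, script tag emitted
echo render_match_type_fixed($hostile), PHP_EOL;      // value="0": payload discarded
echo render_match_type_fixed($benign), PHP_EOL;       // value="1"
```

Both layers matter: the integer read removes the injection vector regardless of output context, and the output escaping protects any future code path that reuses the value.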
Note 0034822
dhx (developer)
2013-01-18 18:26

CVE-2013-0197 was assigned to this vulnerability on the oss-security mailing list.
Note 0034823
dregad (developer)
2013-01-18 19:19

@dhx

It would appear that my e-mail from this morning to the oss-security list has still not been posted - not sure if it's awaiting moderation or if it got lost somewhere in Internet Limbo (tm)

Just in case, you might want to inform them that CVE-2013-0197 only applies to 1.2.12, and not to earlier versions.
Note 0034840
dregad (developer)
2013-01-21 04:05

Follow-up fix based on 0015373:0034815 can be found in 0015388.
Note 0036124
grangeway (developer)
2013-04-05 17:56

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

- Related Changesets
MantisBT: master f5ac454e
Timestamp: 2013-01-18 10:43:21
Author: dhx
Fix 0015373: match_type XSS vulnerability

Jakub Galczyk discovered[1] a cross site scripting (XSS)
vulnerability in MantisBT 1.2.12 and earlier versions that allows a
malicious person to trick the browser of a target user into executing
arbitrary JavaScript via the URL: search.php?match_type="><script...

This vulnerability is particularly wide reaching due to search.php being
usable by anonymous users on public facing installations of MantisBT (no
user account required).

The value of the "match_type" filter parameter is now correctly
sanitised prior to use in the HTML output displaying the current filter
settings.

[1] http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html
mod - core/filter_api.php

MantisBT: master-1.2.x bbc6b4f3
Timestamp: 2013-01-18 10:43:21
Author: dhx
Fix 0015373: match_type XSS vulnerability

Jakub Galczyk discovered[1] a cross site scripting (XSS)
vulnerability in MantisBT 1.2.12 and earlier versions that allows a
malicious person to trick the browser of a target user into executing
arbitrary JavaScript via the URL: search.php?match_type="><script...

This vulnerability is particularly wide reaching due to search.php being
usable by anonymous users on public facing installations of MantisBT (no
user account required).

The value of the "match_type" filter parameter is now correctly
sanitised prior to use in the HTML output displaying the current filter
settings.

[1] http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html
mod - core/filter_api.php

MantisBT: master-1.2.x 610da6ec
Timestamp: 2013-01-18 20:22:30
Author: rombert
filter api: always treat FILTER_PROPERTY_MATCH_TYPE as an int value

Based on @dregad's comments, this follows up on @dhx's fix.

Fixes 0015373: XSS vulnerability
mod - core/filter_api.php
mod - view_all_set.php

MantisBT: master 45f9e746
Timestamp: 2013-01-18 20:22:30
Author: rombert
filter api: always treat FILTER_PROPERTY_MATCH_TYPE as an int value

Based on @dregad's comments, this follows up on @dhx's fix.

Fixes 0015373: XSS vulnerability
mod - core/filter_api.php
mod - view_all_set.php

- Issue History
Date Modified Username Field Change
2013-01-16 05:03 dregad New Issue
2013-01-16 06:21 dregad Reporter dregad => HauntIT
2013-01-16 06:22 dregad Status new => acknowledged
2013-01-18 04:58 HauntIT File Added: 4damien01.png
2013-01-18 04:58 HauntIT File Added: 4damien02.png
2013-01-18 05:00 HauntIT Note Added: 0034813
2013-01-18 05:39 dhx Note Added: 0034814
2013-01-18 05:42 dregad Note Added: 0034815
2013-01-18 05:44 dregad Note Edited: 0034815 View Revisions
2013-01-18 05:45 dregad Status acknowledged => confirmed
2013-01-18 06:31 dhx Changeset attached => MantisBT master f5ac454e
2013-01-18 06:31 dhx Assigned To => dhx
2013-01-18 06:31 dhx Status confirmed => resolved
2013-01-18 06:31 dhx Resolution open => fixed
2013-01-18 06:31 dhx Fixed in Version => 1.3.x
2013-01-18 06:32 dhx Changeset attached => MantisBT master-1.2.x bbc6b4f3
2013-01-18 06:35 dhx File Added: master-1.2.x_0001-Fix-15373-match_type-XSS-vulnerability.patch
2013-01-18 06:35 dhx File Added: master_0001-Fix-15373-match_type-XSS-vulnerability.patch
2013-01-18 06:39 dhx Note Added: 0034816
2013-01-18 06:39 dhx Priority normal => immediate
2013-01-18 06:39 dhx Severity minor => major
2013-01-18 06:39 dhx Fixed in Version 1.3.x => 1.2.13
2013-01-18 06:39 dhx View Status private => public
2013-01-18 15:29 rombert Changeset attached => MantisBT master-1.2.x 610da6ec
2013-01-18 15:29 rombert Changeset attached => MantisBT master 45f9e746
2013-01-18 15:31 rombert Note Added: 0034818
2013-01-18 18:26 dhx Note Added: 0034822
2013-01-18 18:26 dhx Summary XSS vulnerability => CVE-2013-0197 XSS vulnerability with match_type filter
2013-01-18 19:19 dregad Note Added: 0034823
2013-01-21 04:03 dregad Relationship added related to 0015388
2013-01-21 04:05 dregad Note Added: 0034840
2013-01-22 09:47 dregad Status resolved => closed
2013-04-05 17:56 grangeway Status closed => acknowledged
2013-04-05 17:56 grangeway Note Added: 0036124
2013-04-05 19:31 grangeway Relationship added related to 0015721
2013-04-06 03:39 dregad Status acknowledged => resolved
2013-04-06 07:20 grangeway Status resolved => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check


MantisBT 1.2.17
Copyright © 2000 - 2014 MantisBT Team