2014-12-17 19:47 EST

ID: 0015373
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-09-23 18:05
Reporter: HauntIT
Assigned To: dhx
Priority: immediate
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.2.12
Target Version: 1.2.13
Fixed in Version: 1.2.13

Summary: 0015373: CVE-2013-0197 XSS vulnerability with match_type filter

Description: HauntIT blog reported a persistent XSS vulnerability in MantisBT 1.2.12, which exists for admin user, but possibly for other users and in other parts of the application as well.

http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html

Additional information requested from blog author.

Tags: No tags attached.
Attached Files
  • 4damien01.png (64,676 bytes) 2013-01-18 04:58
  • 4damien02.png (75,493 bytes) 2013-01-18 04:58
  • master-1.2.x_0001-Fix-15373-match_type-XSS-vulnerability.patch (1,532 bytes) 2013-01-18 06:35
    From bbc6b4f3ea8d0a53ae8c44e4218df6675a4e5fdf Mon Sep 17 00:00:00 2001
    From: David Hicks <d@hx.id.au>
    Date: Fri, 18 Jan 2013 21:43:21 +1100
    Subject: [PATCH] Fix #15373: match_type XSS vulnerability
    
    Jakub Galczyk discovered[1] a cross site scripting (XSS)
    vulnerability in MantisBT 1.2.12 and earlier versions that allows a
    malicious person to trick the browser of a target user into executing
    arbitrary JavaScript via the URL: search.php?match_type="><script...
    
    This vulnerability is particularly wide reaching due to search.php being
    usable by anonymous users on public facing installations of MantisBT (no
    user account required).
    
    The value of the "match_type" filter parameter is now correctly
    sanitised prior to use in the HTML output displaying the current filter
    settings.
    
    [1] http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html
    ---
     core/filter_api.php | 2 +-
     1 file changed, 1 insertion(+), 1 deletion(-)
    
    diff --git a/core/filter_api.php b/core/filter_api.php
    index 2286ff0..ce2ca4f 100644
    --- a/core/filter_api.php
    +++ b/core/filter_api.php
    @@ -3400,7 +3400,7 @@ function filter_draw_selection_area2( $p_page_number, $p_for_screen = true, $p_e
     					echo lang_get ('filter_match_all');
     				}
     			?>
    -			<input type="hidden" name="match_type" value="<?php echo $t_filter[FILTER_PROPERTY_MATCH_TYPE]?>"/>
    +			<input type="hidden" name="match_type" value="<?php echo string_attribute( $t_filter[FILTER_PROPERTY_MATCH_TYPE] )?>"/>
     			</td>
     			<td colspan="6">&#160;</td>
     		</tr>
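Review bot: the `+` line wraps the echoed value in string_attribute(), which is the right encoder for a double-quoted attribute context and stops the `"><script...` break-out the commit message describes, but it hardens a single output site while the parameter is still accepted as a free-form string. Since match_type can only be one of the FILTER_MATCH_* integer constants, the input side (the gpc_get_string call in view_all_set.php mentioned in note 0034815) should read it with gpc_get_int or validate it against those constants, so the stored filter never contains attacker-controlled text and any other place the filter value is printed is covered without a per-echo escape.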
    -- 
    1.8.1.1
    
    
  • master_0001-Fix-15373-match_type-XSS-vulnerability.patch (1,534 bytes) 2013-01-18 06:35
    From f5ac454eb63fde102347a021a2af0c535033d572 Mon Sep 17 00:00:00 2001
    From: David Hicks <d@hx.id.au>
    Date: Fri, 18 Jan 2013 21:43:21 +1100
    Subject: [PATCH] Fix #15373: match_type XSS vulnerability
    
    Jakub Galczyk discovered[1] a cross site scripting (XSS)
    vulnerability in MantisBT 1.2.12 and earlier versions that allows a
    malicious person to trick the browser of a target user into executing
    arbitrary JavaScript via the URL: search.php?match_type="><script...
    
    This vulnerability is particularly wide reaching due to search.php being
    usable by anonymous users on public facing installations of MantisBT (no
    user account required).
    
    The value of the "match_type" filter parameter is now correctly
    sanitised prior to use in the HTML output displaying the current filter
    settings.
    
    [1] http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html
    ---
     core/filter_api.php | 2 +-
     1 file changed, 1 insertion(+), 1 deletion(-)
    
    diff --git a/core/filter_api.php b/core/filter_api.php
    index 37f6d04..e6b7c99 100644
    --- a/core/filter_api.php
    +++ b/core/filter_api.php
    @@ -3395,7 +3395,7 @@ function filter_draw_selection_area2( $p_page_number, $p_for_screen = true, $p_e
     					echo lang_get ('filter_match_all');
     				}
     			?>
    -			<input type="hidden" name="match_type" value="<?php echo $t_filter[FILTER_PROPERTY_MATCH_TYPE]?>"/>
    +			<input type="hidden" name="match_type" value="<?php echo string_attribute( $t_filter[FILTER_PROPERTY_MATCH_TYPE] )?>"/>
     			</td>
     			<td colspan="6">&#160;</td>
     		</tr>		
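Review bot: this is the same one-line string_attribute() change as the master-1.2.x patch, landing at offset 3395 in master instead of 3400; the follow-up that types match_type as an int at the input boundary (per note 0034815) needs to be applied to both branches as well so the escaping-only fix does not remain the sole protection on one of them. The trailing whitespace on the `</tr>` context line is pre-existing in the file, not introduced by this hunk.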
    -- 
    1.8.1.1
    
    

Relationships
  related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x
  related to 0015388 (closed, dregad): Update the match_type parameter to be XSS-safe by itself

Notes

~0034813

HauntIT (reporter)

Hi, Damien asked me to write here more details about this vulnerability, so below is a short description of how to reproduce this bug.

Another good 'point of view' is to check the 2 screens I've uploaded.

The match_type parameter is vulnerable to persistent XSS.
The code used as a payload was the alert() function from JavaScript.

Feel free to ask if you need anything more with this case. :)

Cheers o/
~0034814

dhx (reporter)

Confirmed with live URL:
http://www.mantisbt.org/bugs/search.php?sticky_issues=1&sortby=last_updated&dir=DESC&hide_status_id=90&match_type="><script>alert(1)</script>
~0034815

dregad (developer)

Last edited: 2013-01-18 05:44

@rombert, the match_type parameter [1] was introduced as part of your commit 5b491868 (or filter logic).

Is there any particular reason for using gpc_get_string here? Since the filter type can only be a preset list of integer values as defined by constants (FILTER_MATCH_*), I would say gpc_get_int would be more appropriate, no?

Let me know your thoughts.

[1] https://github.com/mantisbt/mantisbt/blame/master-1.2.x/view_all_set.php#L205

~0034816

dhx (reporter)

Thanks for reporting this issue, Jakub. Patched with a quick fix for now. Refer to Damien's comment about why gpc_get_string is being called for more detailed information about a better solution.

A CVE ID has been requested from the oss-security mailing list and we should hopefully have a mantisbt-1.2.13 build rolled out very soon.
~0034818

rombert (developer)

(In reply to comment 0015373:0034815)
> @rombert, the match_type parameter [1] was introduced as part of your commit
> 5b491868 (or filter logic).
>
> Is there any particular reason for using gpc_get_string here ? Since the filter
> type can only be a preset list of integer values as defined by constants
> (FILTER_MATCH_*), I would say gpc_get_int would be more appropriate, no ?
>
> Let me know your thoughts.
>
> [1]
> https://github.com/mantisbt/mantisbt/blame/master-1.2.x/view_all_set.php#L205

Damien, I've updated the code to use gpc_get_int and the XSS vulnerability is gone.

All - let me know if the fix is proper, or I'll rework it if needed. Thanks for the rapid reaction and sorry for introducing the vulnerability.
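The fix discussed in this issue has two layers: the output escaping dhx committed (string_attribute() around the echoed value in filter_api.php) and the input typing dregad proposed and rombert applied (reading match_type with gpc_get_int instead of gpc_get_string). The following is an added, stand-alone PHP example; it is not MantisBT code and is not part of the original issue. It puts both layers side by side against the kind of query-string value the report describes. The names escape_attribute(), read_match_type(), render_hidden_vulnerable(), render_hidden_fixed() and the two FILTER_MATCH_* constant values are assumptions standing in for the MantisBT functions and constants named in this thread.

```php
<?php
// Added example, not MantisBT code. Names below are assumptions standing in
// for the MantisBT items discussed in the issue: FILTER_MATCH_ALL/ANY for the
// FILTER_MATCH_* constants, escape_attribute() for string_attribute(), and
// read_match_type() for gpc_get_int() applied to the match_type parameter.
declare(strict_types=1);

const FILTER_MATCH_ALL = 0; // assumed value
const FILTER_MATCH_ANY = 1; // assumed value

// Layer 1: output encoding for a double-quoted HTML attribute. A value such as
// "><script>... can no longer close the attribute or the tag.
function escape_attribute(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Layer 2: typing at the input boundary. match_type may only be one of the
// preset integer constants; anything else (strings, arrays, out-of-range ints)
// falls back to the default, so no attacker-controlled string is ever stored.
function read_match_type(array $query, int $default = FILTER_MATCH_ALL): int
{
    $raw = $query['match_type'] ?? $default;
    $value = filter_var($raw, FILTER_VALIDATE_INT); // false unless a clean integer
    if ($value === false || !in_array($value, [FILTER_MATCH_ALL, FILTER_MATCH_ANY], true)) {
        return $default;
    }
    return $value;
}

// The pattern from filter_api.php before the fix: the value is echoed raw
// into the attribute.
function render_hidden_vulnerable(string $match_type): string
{
    return '<input type="hidden" name="match_type" value="' . $match_type . '"/>';
}

// After the fix: an already-typed value, escaped again at the echo site.
function render_hidden_fixed(int $match_type): string
{
    return '<input type="hidden" name="match_type" value="'
        . escape_attribute((string) $match_type) . '"/>';
}

// Constructed sample input of the kind the report describes arriving in the
// query string (the payload shown in note 0034814).
$query = ['match_type' => '"><script>alert(1)</script>'];

echo "vulnerable:      ", render_hidden_vulnerable($query['match_type']), PHP_EOL;
echo "escaped only:    ", escape_attribute($query['match_type']), PHP_EOL;
echo "typed + escaped: ", render_hidden_fixed(read_match_type($query)), PHP_EOL;
```

Run with `php example.php`. The vulnerable renderer emits the payload verbatim, so the attribute and the tag are closed and the script element lands in the page; the escaping-only line shows the same payload neutralised into entities; the typed reader rejects the non-integer value and the fixed renderer prints only the escaped default. Either layer alone blocks this particular payload. The reason to keep both is the one dregad raises in the thread: escaping protects one echo site, whereas typing the parameter at the input boundary means no echo site can ever receive a string in the first place.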
~0034822

dhx (reporter)

CVE-2013-0197 was assigned to this vulnerability on the oss-security mailing list.
~0034823

dregad (developer)

@dhx

It would appear that my e-mail from this morning to the oss-security list has still not been posted - not sure if it's awaiting moderation or if it got lost somewhere in Internet Limbo (tm)

Just in case, you might want to inform them that CVE-2013-0197 only applies to 1.2.12, and not to earlier versions.
~0034840

dregad (developer)

Follow-up fix based on 0015373:0034815 can be found in 0015388.
~0036124

grangeway (reporter)

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.

Related Changesets

MantisBT: master f5ac454e
Timestamp: 2013-01-18 10:43:21
Author: dhx
Fix 0015373: match_type XSS vulnerability
Commit message: as in the attached master_0001-Fix-15373-match_type-XSS-vulnerability.patch.
mod - core/filter_api.php

MantisBT: master-1.2.x bbc6b4f3
Timestamp: 2013-01-18 10:43:21
Author: dhx
Fix 0015373: match_type XSS vulnerability
Commit message: as in the attached master-1.2.x_0001-Fix-15373-match_type-XSS-vulnerability.patch.
mod - core/filter_api.php

MantisBT: master-1.2.x 610da6ec
Timestamp: 2013-01-18 20:22:30
Author: rombert
filter api: always treat FILTER_PROPERTY_MATCH_TYPE as an int value

Based on @dregad's comments, this follows up on @dhx's fix.

Fixes 0015373: XSS vulnerability
mod - core/filter_api.php
mod - view_all_set.php

MantisBT: master 45f9e746
Timestamp: 2013-01-18 20:22:30
Author: rombert
filter api: always treat FILTER_PROPERTY_MATCH_TYPE as an int value

Based on @dregad's comments, this follows up on @dhx's fix.

Fixes 0015373: XSS vulnerability
mod - core/filter_api.php
mod - view_all_set.php

Issue History
Date Modified Username Field Change
2013-01-16 05:03 dregad New Issue
2013-01-16 06:21 dregad Reporter dregad => HauntIT
2013-01-16 06:22 dregad Status new => acknowledged
2013-01-18 04:58 HauntIT File Added: 4damien01.png
2013-01-18 04:58 HauntIT File Added: 4damien02.png
2013-01-18 05:00 HauntIT Note Added: 0034813
2013-01-18 05:39 dhx Note Added: 0034814
2013-01-18 05:42 dregad Note Added: 0034815
2013-01-18 05:44 dregad Note Edited: 0034815
2013-01-18 05:45 dregad Status acknowledged => confirmed
2013-01-18 06:31 dhx Changeset attached => MantisBT master f5ac454e
2013-01-18 06:31 dhx Assigned To => dhx
2013-01-18 06:31 dhx Status confirmed => resolved
2013-01-18 06:31 dhx Resolution open => fixed
2013-01-18 06:31 dhx Fixed in Version => 1.3.0-beta.1
2013-01-18 06:32 dhx Changeset attached => MantisBT master-1.2.x bbc6b4f3
2013-01-18 06:35 dhx File Added: master-1.2.x_0001-Fix-15373-match_type-XSS-vulnerability.patch
2013-01-18 06:35 dhx File Added: master_0001-Fix-15373-match_type-XSS-vulnerability.patch
2013-01-18 06:39 dhx Note Added: 0034816
2013-01-18 06:39 dhx Priority normal => immediate
2013-01-18 06:39 dhx Severity minor => major
2013-01-18 06:39 dhx Fixed in Version 1.3.0-beta.1 => 1.2.13
2013-01-18 06:39 dhx View Status private => public
2013-01-18 15:29 rombert Changeset attached => MantisBT master-1.2.x 610da6ec
2013-01-18 15:29 rombert Changeset attached => MantisBT master 45f9e746
2013-01-18 15:31 rombert Note Added: 0034818
2013-01-18 18:26 dhx Note Added: 0034822
2013-01-18 18:26 dhx Summary XSS vulnerability => CVE-2013-0197 XSS vulnerability with match_type filter
2013-01-18 19:19 dregad Note Added: 0034823
2013-01-21 04:03 dregad Relationship added related to 0015388
2013-01-21 04:05 dregad Note Added: 0034840
2013-01-22 09:47 dregad Status resolved => closed
2013-04-05 17:56 grangeway Status closed => acknowledged
2013-04-05 17:56 grangeway Note Added: 0036124
2013-04-05 19:31 grangeway Relationship added related to 0015721
2013-04-06 03:39 dregad Status acknowledged => resolved
2013-04-06 07:20 grangeway Status resolved => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check