View Issue Details
| Field | Value |
|---|---|
| ID | 0015384 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2013-01-18 15:24 |
| Last Update | 2014-09-23 18:05 |
| Reporter | atrol |
| Assigned To | dhx |
| Priority | urgent |
| Severity | major |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Product Version | 1.2.12 |
| Target Version | 1.2.13 |
| Fixed in Version | 1.2.13 |
| Summary | 0015384: CVE-2013-1810 XSS vulnerability on summary page |
| Description | Script is executed when viewing the summary page and having a category with scripting code. This has been introduced by a commit to resolve 0014677. I will attach a patch. |
| Steps To Reproduce | |
| Tags | No tags attached. |
| Attached Files | fix15384.patch (1,858 bytes) |
From 353c8741a797f56f1ae7df078b1dd7ceac49713e Mon Sep 17 00:00:00 2001 From: Roland Becker <roland@atrol.de> Date: Fri, 18 Jan 2013 21:24:13 +0100 Subject: [PATCH] Fix #15384 XSS vulnerability on summary page --- core/summary_api.php | 9 ++++++--- 1 files changed, 6 insertions(+), 3 deletions(-) diff --git a/core/summary_api.php b/core/summary_api.php index abdbbc4..638cabf 100644 --- a/core/summary_api.php +++ b/core/summary_api.php @@ -27,7 +27,10 @@ */ require_once( $g_absolute_path . 'config_filter_defaults_inc.php' ); -function summary_helper_print_row( $p_label, $p_open, $p_resolved, $p_closed, $p_total ) { +function summary_helper_print_row( $p_label, $p_open, $p_resolved, $p_closed, $p_total, $p_sanitize_label = true ) { + if ( $p_sanitize_label ) { + $p_label = string_display_line ( $p_label ); + } printf( '<tr %s>', helper_alternate_class() ); printf( '<td width="50%%">%s</td>', $p_label ); printf( '<td width="12%%" class="right">%s</td>', $p_open ); @@ -464,7 +467,7 @@ function summary_print_by_developer() { $t_bugs_total = $t_bug_link . '&' . FILTER_PROPERTY_HIDE_STATUS_ID . '=">' . $t_bugs_total . '</a>'; } - summary_helper_print_row( $t_user, $t_bugs_open, $t_bugs_resolved, $t_bugs_closed, $t_bugs_total ); + summary_helper_print_row( $t_user, $t_bugs_open, $t_bugs_resolved, $t_bugs_closed, $t_bugs_total, false ); $t_bugs_open = 0; $t_bugs_resolved = 0; @@ -501,7 +504,7 @@ function summary_print_by_developer() { $t_bugs_total = $t_bug_link . '&' . FILTER_PROPERTY_HIDE_STATUS_ID . '=">' . $t_bugs_total . '</a>'; } - summary_helper_print_row( $t_user, $t_bugs_open, $t_bugs_resolved, $t_bugs_closed, $t_bugs_total ); + summary_helper_print_row( $t_user, $t_bugs_open, $t_bugs_resolved, $t_bugs_closed, $t_bugs_total, false ); } } -- 1.7.7.1.msysgit.0 | ||||
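Review bot: The new `$p_sanitize_label` parameter added to `summary_helper_print_row()` in the first hunk is undocumented; the hunk begins right after the closing `*/` of the function's docblock, so a `@param bool $p_sanitize_label` line stating that `true` (the default) runs the label through `string_display_line()` and `false` means the caller has already escaped it would help the next maintainer. The opt-out flag also makes output escaping depend on every caller passing the right boolean; escaping each label at its call site before invoking the helper, with no new parameter, avoids that. Minor style point in the same hunk: `string_display_line ( $p_label )` has a space before the opening parenthesis, unlike `helper_alternate_class()` two lines below.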
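Review bot: In the second hunk, passing `false` as the new last argument switches escaping off for `$t_user` in `summary_print_by_developer()`, so this call is only safe if `$t_user` is already HTML-escaped when it reaches this line; the hunk does not show where `$t_user` is built, so that should be verified rather than assumed (the discussion on this issue points to `summary_helper_get_developer_label`). The surrounding context line shows the `$t_bugs_*` values are HTML fragments (`<a>` links built from `$t_bug_link`), which is why the label column is the only one the helper can escape.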
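Review bot: The third hunk repeats the same one-argument change at a second call site inside `summary_print_by_developer()`, so both sites must now stay in sync on the `false` flag; this is the readability and maintainability concern the reporter raises about the patch. Printing the developer row from one place, or escaping `$t_user` once where it is computed so the default sanitizing path can be used at both sites, would remove the duplicated opt-out.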
Reminder sent to: dhx, rombert

Please have a look at the attached patch.
Confirmed, this is another XSS I introduced :| Overall the fix looks good to me, since usernames are not allowed to have special characters, therefore there is no XSS risk in allowing special chars in there. Of course, being the guilty party, I'll let others judge if this is enough/a proper fix.
I see no problem; even if usernames do contain special chars, function summary_helper_get_developer_label does the sanitizing job if summary_helper_print_row is called with $p_sanitize_label = false.

I don't like my fix that much, as this is not good readable/maintainable code. I don't have enough time at the moment to provide a better patch with cleaner code. It's your decision to commit it as it is or to take some time for a small rewrite.
Thanks Roland. I've applied a patch that doesn't introduce any new parameters to the summary_helper_print_row function (it'd be messy to do so). The master branch is unaffected by this issue, as it already had correct escaping of all data being fed into the summary_helper_print_row function. Both branches should now be in line w.r.t. escaping input into summary_helper_print_row.
This was assigned the CVE identifier CVE-2013-1810 on the oss-security mailing list on March 3rd, 2013.
Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.
MantisBT: master-1.2.x 7df30a9e 2013-01-18 17:49

Fix 0015384: summary.php XSS vulnerability in MantisBT 1.2.12 only

Roland Becker (MantisBT Developer) discovered an XSS vulnerability introduced in MantisBT 1.2.12 with the display of category/project names on the summary.php page. A malicious MantisBT user holding privileged manager/administrator permissions could create a category or project name that contains JavaScript code. Any user visiting summary.php from that point on may then be exposed to having the malicious JavaScript execute within their browser environment.

The severity of this issue is limited by the need to hold privileged manager/administrator permissions in order to modify category and project names. However, there are many use cases where MantisBT installations can have hundreds of sub-projects, each managed by different people/parties that cannot or should not be fully trusted.

Refer to previous commits 3ca8a164 and 6ec3f693 to trace back the origin of this vulnerability.

Affected Issues: 0015384

mod - core/summary_api.php