|Anonymous | Login | Signup for a new account||2013-12-05 08:22 EST|
|Main | My View | View Issues | Change Log | Roadmap | Wiki | Repositories|
|View Issue Details|
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0015384||mantisbt||security||public||2013-01-18 15:24||2013-04-06 09:23|
|Target Version||1.2.13||Fixed in Version||1.2.13|
|Summary||0015384: CVE-2013-1810 XSS vulnerability on summary page|
|Description||Script is executed when viewing summary page and having a category with scripting code|
This has been introduced by a commit to resolve 0014677
I will attach a patch.
Please have a look at it and feel free to enhance and to commit it.
|Steps To Reproduce||1. Create a category <script>alert ("XSS")</script>|
2. View "Summary" page
|Attached Files||fix15384.patch [^] (1,858 bytes) 2013-01-18 15:26 [Show Content]|
Reminder sent to: dhx, rombert
Please have a look at the attached patch.
Confirmed, this is another XSS I introduced :|
Overall the fix looks good to me since usernames are not allowed to have special characters therefore there is no XSS risk in allowing special chars in there. Of course, being the guilty party I'll let others judge if this is enough/a proper fix.
I see no problem, even if usernames do contain special chars
function summary_helper_get_developer_label does the sanitizing job if summary_helper_print_row is called with $p_sanitize_label = false
> $t_user = string_display_line( user_get_name( $p_user_id ) );
I don't like my fix that much as this is not a good readable/maintainable code.
At least it does the job to fix the XSS issue without loosing the new functionality that you introduced.
I don't have enough time at the moment to provide a better patch with cleaner code.
It's your decision to commit it as it is or to take some time for a small rewrite.
Thanks Roland. I've applied a patch that doesn't introduce any new parameters to the summary_helper_print_row function (it'd be messy to do so).
master branch is unaffected by this issue as it already had correct escaping of all data being fed into the summary_helper_print_row function.
Both branches should now be in line w.r.t. escaping input into summary_helper_print_row.
|This was assigned the CVE identifier CVE-2013-1810 on the oss-security mailing list on March 3rd, 2013.|
|Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch|
MantisBT: master-1.2.x 7df30a9e
Timestamp: 2013-01-18 22:49:13
|Fix 0015384: summary.php XSS vulnerability in MantisBT 1.2.12 only
Roland Becker (MantisBT Developer) discovered a XSS vulnerability
introduced in MantisBT 1.2.12 with the display of category/project names
on the summary.php page.
A malicious MantisBT user holding privileged manager/administrator
permissions could create a category or project name that contains
The severity of this issue is limited by the need to hold privileged
manager/administrator permissions in order to modify category and
project names. However -- there are many use cases where MantisBT
installations can have hundreds of sub-projects, each managed by
different people/parties that can not or should not be fully trusted.
Refer to previous commits 3ca8a164 and 6ec3f693 to trace back the origin
of this vulnerability.
|mod - core/summary_api.php|
|2013-01-18 15:24||atrol||New Issue|
|2013-01-18 15:26||atrol||File Added: fix15384.patch|
|2013-01-18 15:28||atrol||Note Added: 0034817|
|2013-01-18 15:38||rombert||Note Added: 0034819|
|2013-01-18 15:38||rombert||Status||new => confirmed|
|2013-01-18 15:38||rombert||Description Updated||View Revisions|
|2013-01-18 15:38||rombert||Steps to Reproduce Updated||View Revisions|
|2013-01-18 15:56||atrol||Note Added: 0034820|
|2013-01-18 16:41||rombert||Priority||normal => urgent|
|2013-01-18 18:05||dhx||Note Added: 0034821|
|2013-01-18 18:05||dhx||Assigned To||=> dhx|
|2013-01-18 18:05||dhx||Severity||minor => major|
|2013-01-18 18:05||dhx||Status||confirmed => resolved|
|2013-01-18 18:05||dhx||Resolution||open => fixed|
|2013-01-18 18:05||dhx||Fixed in Version||=> 1.2.13|
|2013-01-18 18:05||dhx||Description Updated||View Revisions|
|2013-01-18 18:05||dhx||Steps to Reproduce Updated||View Revisions|
|2013-01-18 18:05||dhx||View Status||private => public|
|2013-01-18 18:06||dhx||Changeset attached||=> MantisBT master-1.2.x 7df30a9e|
|2013-01-20 06:30||dregad||Relationship added||related to 0015388|
|2013-01-21 04:03||dregad||Relationship deleted||related to 0015388|
|2013-01-22 09:47||dregad||Status||resolved => closed|
|2013-03-03 00:41||dhx||Note Added: 0035362|
|2013-03-04 11:16||dregad||Summary||XSS vulnerability on summary page => CVE-2013-1810 XSS vulnerability on summary page|
|2013-04-05 17:56||grangeway||Status||closed => acknowledged|
|2013-04-05 17:56||grangeway||Note Added: 0036085|
|2013-04-05 19:40||grangeway||Relationship added||related to 0015721|
|2013-04-06 03:39||dregad||Status||acknowledged => resolved|
|2013-04-06 07:20||grangeway||Status||resolved => acknowledged|
|2013-04-06 09:22||dregad||Tag Attached: 2.0.x check|
|2013-04-06 09:23||dregad||Status||acknowledged => closed|
| MantisBT 1.2.16dev master-1.2.x-9aa19be [^]
Copyright © 2000 - 2013 MantisBT Team
Time: 0.1369 seconds.|
memory usage: 2,946 KB