MantisBT

View Issue Details
ID: 0015384
Project: mantisbt
Category: security
View Status: public
Date Submitted: 2013-01-18 15:24
Last Update: 2014-09-23 18:05
Reporter: atrol
Assigned To: dhx
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform / OS / OS Version: not set
Product Version: 1.2.12
Target Version: 1.2.13
Fixed in Version: 1.2.13
Summary: 0015384: CVE-2013-1810 XSS vulnerability on summary page

Description:
A script is executed when viewing the summary page while having a category with scripting code.

This has been introduced by a commit to resolve 0014677.

I will attach a patch.
Please have a look at it and feel free to enhance and to commit it.

Steps To Reproduce:
1. Create a category <script>alert ("XSS")</script>
2. View "Summary" page

Tags: No tags attached.

Attached Files: fix15384.patch (1,858 bytes) 2013-01-18 15:26

- Relationships
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

- Notes

Note 0034817: atrol (developer), 2013-01-18 15:28

Reminder sent to: dhx, rombert

Please have a look at the attached patch.
Note 0034819: rombert (developer), 2013-01-18 15:38

Confirmed, this is another XSS I introduced :|

Overall the fix looks good to me since usernames are not allowed to have special characters, therefore there is no XSS risk in allowing special chars in there. Of course, being the guilty party I'll let others judge if this is enough/a proper fix.
Note 0034820: atrol (developer), 2013-01-18 15:56

I see no problem, even if usernames do contain special chars

function summary_helper_get_developer_label does the sanitizing job if summary_helper_print_row is called with $p_sanitize_label = false

> $t_user = string_display_line( user_get_name( $p_user_id ) );

I don't like my fix that much as this is not good readable/maintainable code.
At least it does the job to fix the XSS issue without losing the new functionality that you introduced.

I don't have enough time at the moment to provide a better patch with cleaner code.

It's your decision to commit it as it is or to take some time for a small rewrite.
Note 0034821: dhx (developer), 2013-01-18 18:05

Thanks Roland. I've applied a patch that doesn't introduce any new parameters to the summary_helper_print_row function (it'd be messy to do so).

master branch is unaffected by this issue as it already had correct escaping of all data being fed into the summary_helper_print_row function.

Both branches should now be in line w.r.t. escaping input into summary_helper_print_row.
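The escaping dhx describes, shown as an added PHP example that is not MantisBT's own code: a summary row renderer that interpolates a category name into the markup as-is, beside one that HTML-escapes the label before output. MantisBT's real helpers (summary_helper_print_row, string_display_line) are referenced by name only; the functions, the counts and the category name below are constructed for illustration, and htmlspecialchars stands in for the project's own display-escaping routine.

```php
<?php
// Added example, not MantisBT code. Shows why a category or project name must
// be HTML-escaped before it is echoed into the summary.php table.

// Constructed input: a category name of the kind described in the report.
$category_name = '<script>alert("XSS")</script>';

// Vulnerable pattern: the label is written into the markup untouched, so the
// browser parses the category name as HTML and executes the script element.
function render_row_unsafe(string $label, int $open, int $resolved, int $closed): string {
    return "<tr><td>$label</td><td>$open</td><td>$resolved</td><td>$closed</td></tr>\n";
}

// HTML-context escaper (stand-in for MantisBT's string_display_line): '<', '>',
// '"', "'" and '&' reach the browser as entities, so the name is displayed,
// not interpreted. ENT_SUBSTITUTE keeps invalid UTF-8 from emptying the output.
function escape_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: escape at the point of output. The integer counts cannot
// carry markup, so only the string label needs escaping here.
function render_row_safe(string $label, int $open, int $resolved, int $closed): string {
    return '<tr><td>' . escape_html($label) . '</td><td>' . $open . '</td><td>'
        . $resolved . '</td><td>' . $closed . '</td></tr>' . "\n";
}

// Regression check a reviewer could keep beside the fix: no raw tag from the
// input may survive into the rendered row.
function contains_raw_tag(string $html, string $tag): bool {
    return stripos($html, '<' . $tag) !== false;
}

$unsafe = render_row_unsafe($category_name, 3, 1, 0);
$safe   = render_row_safe($category_name, 3, 1, 0);

echo "unsafe: $unsafe";
echo "safe:   $safe";

// The unsafe row still contains a live <script> element; the safe row does not.
assert(contains_raw_tag($unsafe, 'script') === true);
assert(contains_raw_tag($safe, 'script') === false);
```

Escaping belongs at the output boundary, as the note says, rather than at the point where the category is created: a name that is stored raw can still be rendered safely in every view, while sanitising on input leaves any other code path that echoes the stored value exposed.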
Note 0035362: dhx (developer), 2013-03-03 00:41

This was assigned the CVE identifier CVE-2013-1810 on the oss-security mailing list on March 3rd, 2013.
Note 0036085: grangeway (reporter), 2013-04-05 17:56

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.

- Related Changesets
MantisBT: master-1.2.x 7df30a9e
Timestamp: 2013-01-18 22:49:13
Author: dhx
Fix 0015384: summary.php XSS vulnerability in MantisBT 1.2.12 only

Roland Becker (MantisBT Developer) discovered an XSS vulnerability
introduced in MantisBT 1.2.12 with the display of category/project names
on the summary.php page.

A malicious MantisBT user holding privileged manager/administrator
permissions could create a category or project name that contains
JavaScript code. Any user visiting summary.php from that point on may
then be exposed to having the malicious JavaScript execute within their
browser environment.

The severity of this issue is limited by the need to hold privileged
manager/administrator permissions in order to modify category and
project names. However, there are many use cases where MantisBT
installations can have hundreds of sub-projects, each managed by
different people/parties that cannot or should not be fully trusted.

Refer to previous commits 3ca8a164 and 6ec3f693 to trace back the origin
of this vulnerability.
mod - core/summary_api.php

- Issue History
Date Modified Username Field Change
2013-01-18 15:24 atrol New Issue
2013-01-18 15:26 atrol File Added: fix15384.patch
2013-01-18 15:28 atrol Note Added: 0034817
2013-01-18 15:38 rombert Note Added: 0034819
2013-01-18 15:38 rombert Status new => confirmed
2013-01-18 15:38 rombert Description Updated View Revisions
2013-01-18 15:38 rombert Steps to Reproduce Updated View Revisions
2013-01-18 15:56 atrol Note Added: 0034820
2013-01-18 16:41 rombert Priority normal => urgent
2013-01-18 18:05 dhx Note Added: 0034821
2013-01-18 18:05 dhx Assigned To => dhx
2013-01-18 18:05 dhx Severity minor => major
2013-01-18 18:05 dhx Status confirmed => resolved
2013-01-18 18:05 dhx Resolution open => fixed
2013-01-18 18:05 dhx Fixed in Version => 1.2.13
2013-01-18 18:05 dhx Description Updated View Revisions
2013-01-18 18:05 dhx Steps to Reproduce Updated View Revisions
2013-01-18 18:05 dhx View Status private => public
2013-01-18 18:06 dhx Changeset attached => MantisBT master-1.2.x 7df30a9e
2013-01-20 06:30 dregad Relationship added related to 0015388
2013-01-21 04:03 dregad Relationship deleted related to 0015388
2013-01-22 09:47 dregad Status resolved => closed
2013-03-03 00:41 dhx Note Added: 0035362
2013-03-04 11:16 dregad Summary XSS vulnerability on summary page => CVE-2013-1810 XSS vulnerability on summary page
2013-04-05 17:56 grangeway Status closed => acknowledged
2013-04-05 17:56 grangeway Note Added: 0036085
2013-04-05 19:40 grangeway Relationship added related to 0015721
2013-04-06 03:39 dregad Status acknowledged => resolved
2013-04-06 07:20 grangeway Status resolved => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check

MantisBT 1.2.17
Copyright © 2000 - 2014 MantisBT Team