MantisBT

View Issue Details
ID: 0015388
Project: mantisbt
Category: filters
View Status: public
Date Submitted: 2013-01-19 09:44
Last Update: 2013-04-06 09:23
Reporter: rombert
Assigned To: dregad
Priority: normal
Severity: tweak
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.12
Target Version: 1.2.13
Fixed in Version: 1.2.13
Summary: 0015388: Update the match_type parameter to be XSS-safe by itself
Description: (Created from comment 0015373:0034815)
> @rombert, the match_type parameter [1] was introduced as part of your commit
> 5b491868 (or filter logic).
>
> Is there any particular reason for using gpc_get_string here ? Since the filter
> type can only be a preset list of integer values as defined by constants
> (FILTER_MATCH_*), I would say gpc_get_int would be more appropriate, no ?
>
> Let me know your thoughts.
>
> [1]
> https://github.com/mantisbt/mantisbt/blame/master-1.2.x/view_all_set.php#L205

Following up on this comment, we should rework the code and make sure that it is still XSS-safe.
Tags: 2.0.x check

Relationships
related to 0015373 (closed, dhx): CVE-2013-0197 XSS vulnerability with match_type filter
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

Notes
Note 0034830 by dregad (developer), 2013-01-20 07:02

The problem with your earlier attempt to fix this is that you forgot to change an occurrence of gpc_get_string to gpc_get_int in search.php.

I'll commit a fix shortly; local tests OK on the XSS issue (0015373)

Now if you enter anything but a number (e.g. http://path/to/mantis/search.php?match_type=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E%22 ), you get APPLICATION ERROR 203 A number was expected for match_type.

See also follow up fix 0015389
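An added illustration of the before/after pattern this note describes (example code, not MantisBT's own; the FILTER_MATCH_* values, the function names and the extra whitelist step after the integer check are assumptions):

```php
<?php
// Added example, not MantisBT code: the unescaped-string pattern beside the
// integer-validated form. Constant values and function names are assumed.
declare(strict_types=1);

const FILTER_MATCH_ALL = 0; // assumed values, not the project's
const FILTER_MATCH_ANY = 1;

// Before the fix: the raw request string is interpolated into the markup.
function render_match_type_vulnerable(array $get): string {
    $match_type = isset($get['match_type']) ? (string)$get['match_type'] : '0';
    return '<input type="hidden" name="match_type" value="' . $match_type . '"/>';
}

// After the fix: insist on an integer, as gpc_get_int() does, then whitelist it.
function read_match_type(array $get): int {
    $raw = $get['match_type'] ?? FILTER_MATCH_ALL;
    if (filter_var($raw, FILTER_VALIDATE_INT) === false) {
        // Stands in for the "A number was expected for match_type" application error.
        throw new InvalidArgumentException('A number was expected for match_type');
    }
    $value = (int)$raw;
    if (!in_array($value, [FILTER_MATCH_ALL, FILTER_MATCH_ANY], true)) {
        throw new InvalidArgumentException('Unknown match_type ' . $value);
    }
    return $value;
}

function render_match_type_fixed(array $get): string {
    return '<input type="hidden" name="match_type" value="' . read_match_type($get) . '"/>';
}

// Constructed inputs: the decoded query string from the note, and a normal request.
$payload = ['match_type' => '"><script>alert(1)</script>"'];
$normal  = ['match_type' => '1'];

echo render_match_type_vulnerable($payload), PHP_EOL; // string reaches the markup unchanged
echo render_match_type_fixed($normal), PHP_EOL;       // only the integer is emitted
try {
    render_match_type_fixed($payload);                // non-numeric input is refused
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```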
Note 0034839 by dregad (developer), 2013-01-21 04:04

Linked the wrong issue #...
Note 0036122 by grangeway (developer), 2013-04-05 17:56

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

Related Changesets
MantisBT: master 4362aa14
Timestamp: 2013-01-19 22:22:53
Author: dregad
Update match_type parameter to be XSS-safe by itself

Use of gpc_get_int() instead of gpc_get_string() prevents malicious
users from passing arbitrary strings as parameter.

Fixes 0015388
mod - core/filter_api.php
mod - search.php
mod - view_all_set.php
MantisBT: master-1.2.x dbf923c3
Timestamp: 2013-01-19 22:22:53
Author: dregad
Update match_type parameter to be XSS-safe by itself

Use of gpc_get_int() instead of gpc_get_string() prevents malicious
users from passing arbitrary strings as parameter.

Fixes 0015388
mod - core/filter_api.php
mod - search.php
mod - view_all_set.php

Issue History
Date Modified Username Field Change
2013-01-19 09:44 rombert New Issue
2013-01-20 06:30 dregad Relationship added related to 0015384
2013-01-20 07:02 dregad Note Added: 0034830
2013-01-20 07:02 dregad Assigned To => dregad
2013-01-20 07:02 dregad Status confirmed => assigned
2013-01-20 07:05 dregad Changeset attached => MantisBT master 4362aa14
2013-01-20 07:05 dregad Status assigned => resolved
2013-01-20 07:05 dregad Resolution open => fixed
2013-01-20 07:05 dregad Fixed in Version => 1.3.x
2013-01-20 07:06 dregad Changeset attached => MantisBT master-1.2.x dbf923c3
2013-01-20 07:09 dregad Product Version => 1.2.12
2013-01-20 07:09 dregad Fixed in Version 1.3.x => 1.2.13
2013-01-20 07:09 dregad Description Updated
2013-01-21 04:03 dregad Relationship added related to 0015373
2013-01-21 04:03 dregad Relationship deleted related to 0015384
2013-01-21 04:04 dregad Note Added: 0034839
2013-01-22 09:47 dregad Status resolved => closed
2013-04-05 17:56 grangeway Status closed => acknowledged
2013-04-05 17:56 grangeway Note Added: 0036122
2013-04-05 19:31 grangeway Relationship added related to 0015721
2013-04-06 03:39 dregad Status acknowledged => resolved
2013-04-06 07:20 grangeway Status resolved => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed
