View Issue Details

ID: 0015388
Project: mantisbt
Category: filters
View Status: public
Last Update: 2014-09-23 18:05
Reporter: rombert
Assigned To: dregad
Priority: normal
Severity: tweak
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.12
Target Version: 1.2.13
Fixed in Version: 1.2.13
Summary: 0015388: Update the match_type parameter to be XSS-safe by itself
Description

(Created from comment 0015373:0034815)

@rombert, the match_type parameter [1] was introduced as part of your commit
5b491868 (or filter logic).

Is there any particular reason for using gpc_get_string here? Since the filter
type can only be a preset list of integer values as defined by constants
(FILTERMATCH*), I would say gpc_get_int would be more appropriate, no?

Let me know your thoughts.

[1]
https://github.com/mantisbt/mantisbt/blame/master-1.2.x/view_all_set.php#L205

Following up on this comment, we should rework the code and make sure that it is still XSS-safe.

Tags: No tags attached.

Relationships

related to 0015373 (closed, dhx): CVE-2013-0197 XSS vulnerability with match_type filter
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

Activities

dregad

2013-01-20 07:02

developer   ~0034830

The problem with your earlier attempt to fix this is that you forgot to change an occurrence of gpc_get_string to gpc_get_int in search.php.

I'll commit a fix shortly; local tests OK on the XSS issue (0015373).

Now if you enter anything but a number (e.g. http://path/to/mantis/search.php?match_type=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E%22 ), you get APPLICATION ERROR 203 A number was expected for match_type.

See also follow up fix 0015389
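As an added illustration of the point raised in the description and in note ~0034830, the stand-alone PHP below models the before and after of reading match_type: first as a free-form string that is echoed back into the page, then through an integer-only read that rejects anything non-numeric before any output is produced. This is example code written for this page, not MantisBT's own gpc_api.php or filter code; the FILTER_MATCH_* values, the helper names gpc_get_int_like(), match_type_before() and match_type_after(), and the exact wording of the error message are assumptions for the example.

```php
<?php
// Added example, not MantisBT code. Models the before/after of changeset
// 4362aa14 (gpc_get_string() -> gpc_get_int() for match_type).
// Constant values, helper names and the error text are assumptions.
declare(strict_types=1);

const FILTER_MATCH_ANY = 0;   // assumed values of the FILTER_MATCH_* presets
const FILTER_MATCH_ALL = 1;

// Before: the parameter is read as a string and later written into the page.
function match_type_before(array $get): string
{
    $value = $get['match_type'] ?? (string) FILTER_MATCH_ANY;
    // The raw value lands inside an attribute: a quote in the input closes the
    // attribute and the rest of the payload becomes live markup.
    return '<input type="hidden" name="match_type" value="' . $value . '" />';
}

// After: the parameter must parse as an integer or the request is rejected.
// Stands in for gpc_get_int() raising "A number was expected" (error 203).
function gpc_get_int_like(array $get, string $name, int $default): int
{
    if (!array_key_exists($name, $get)) {
        return $default;
    }
    $raw = trim((string) $get[$name]);
    if (!preg_match('/^-?\d+$/', $raw)) {
        throw new InvalidArgumentException(
            "APPLICATION ERROR 203: A number was expected for $name"
        );
    }
    return (int) $raw;
}

function match_type_after(array $get): string
{
    $value = gpc_get_int_like($get, 'match_type', FILTER_MATCH_ANY);
    // The type check alone accepts any integer; also restrict to the preset
    // list so an unknown value cannot reach the filter logic (added here as
    // defence in depth, not part of the referenced changeset).
    if (!in_array($value, [FILTER_MATCH_ANY, FILTER_MATCH_ALL], true)) {
        $value = FILTER_MATCH_ANY;
    }
    // $value is now an int, so it cannot carry markup; escaping on output is
    // still good practice but is no longer what the page's safety depends on.
    return '<input type="hidden" name="match_type" value="' . $value . '" />';
}

// Constructed input: the payload from note ~0034830, URL-decoded.
$payload = ['match_type' => '"><script>alert(1)</script>"'];

echo match_type_before($payload), PHP_EOL;  // attribute broken out of, script injected
try {
    echo match_type_after($payload), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;         // rejected before anything is rendered
}
echo match_type_after(['match_type' => '1']), PHP_EOL;  // legitimate preset passes
```

Run with `php example.php`: the first line shows the payload emitted verbatim inside the hidden input, the second shows the request failing with the number-expected error, the third shows a valid preset passing through. The caveat worth keeping in mind is that a typed read only guarantees the value is an integer, not that it is one of the allowed presets, which is why the example adds the whitelist on top of the integer read.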

dregad

2013-01-21 04:04

developer   ~0034839

Linked the wrong issue #...

grangeway

2013-04-05 17:56

reporter   ~0036122

Marking as acknowledged, not resolved/closed, to track that the change gets ported to the master-2.0.x branch.

Related Changesets

MantisBT: master 4362aa14

2013-01-19 22:22:53

dregad

Update match_type parameter to be XSS-safe by itself

Use of gpc_get_int() instead of gpc_get_string() prevents malicious
users from passing arbitrary strings as parameter.

Fixes 0015388
mod - core/filter_api.php
mod - search.php
mod - view_all_set.php

MantisBT: master-1.2.x dbf923c3

2013-01-19 22:22:53

dregad

Update match_type parameter to be XSS-safe by itself

Use of gpc_get_int() instead of gpc_get_string() prevents malicious
users from passing arbitrary strings as parameter.

Fixes 0015388
mod - core/filter_api.php
mod - search.php
mod - view_all_set.php

Issue History

Date Modified Username Field Change
2013-01-19 09:44 rombert New Issue
2013-01-20 06:30 dregad Relationship added related to 0015384
2013-01-20 07:02 dregad Note Added: 0034830
2013-01-20 07:02 dregad Assigned To => dregad
2013-01-20 07:02 dregad Status confirmed => assigned
2013-01-20 07:05 dregad Changeset attached => MantisBT master 4362aa14
2013-01-20 07:05 dregad Status assigned => resolved
2013-01-20 07:05 dregad Resolution open => fixed
2013-01-20 07:05 dregad Fixed in Version => 1.3.0-beta.1
2013-01-20 07:06 dregad Changeset attached => MantisBT master-1.2.x dbf923c3
2013-01-20 07:09 dregad Product Version => 1.2.12
2013-01-20 07:09 dregad Fixed in Version 1.3.0-beta.1 => 1.2.13
2013-01-20 07:09 dregad Description Updated View Revisions
2013-01-21 04:03 dregad Relationship added related to 0015373
2013-01-21 04:03 dregad Relationship deleted related to 0015384
2013-01-21 04:04 dregad Note Added: 0034839
2013-01-22 09:47 dregad Status resolved => closed
2013-04-05 17:56 grangeway Status closed => acknowledged
2013-04-05 17:56 grangeway Note Added: 0036122
2013-04-05 19:31 grangeway Relationship added related to 0015721
2013-04-06 03:39 dregad Status acknowledged => resolved
2013-04-06 07:20 grangeway Status resolved => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check