View Issue Details

ID: 0015388
Project: mantisbt
Category: filters
View Status: public
Last Update: 2014-09-23 18:05
Reporter: rombert
Assigned To: dregad
Priority: normal
Severity: tweak
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.12
Target Version: 1.2.13
Fixed in Version: 1.2.13
Summary: 0015388: Update the match_type parameter to be XSS-safe by itself
Description

(Created from comment 0015373:0034815)

@rombert, the match_type parameter [1] was introduced as part of your commit
5b491868 (or filter logic).

Is there any particular reason for using gpc_get_string here ? Since the filter
type can only be a preset list of integer values as defined by constants
(FILTERMATCH*), I would say gpc_get_int would be more appropriate, no ?

Let me know your thoughts.

[1]
https://github.com/mantisbt/mantisbt/blame/master-1.2.x/view_all_set.php#L205

Following up on this comment, we should rework the code and make sure that it is still XSS-safe.

Tags: No tags attached.

Relationships

related to 0015373 (closed, dhx): CVE-2013-0197 XSS vulnerability with match_type filter
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

Activities

dregad (developer), 2013-01-20 07:02, ~0034830

The problem with your earlier attempt to fix this is that you forgot to change an occurrence of gpc_get_string to gpc_get_int in search.php.

I'll commit a fix shortly; local tests OK on the XSS issue (0015373)

Now if you enter anything but a number (e.g. http://path/to/mantis/search.php?match_type=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E%22 ), you get APPLICATION ERROR 203 A number was expected for match_type.

See also follow up fix 0015389
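The contrast described in this comment, as an added PHP example that is not MantisBT's own code: simplified stand-ins for the gpc_get_string() versus gpc_get_int() pattern, with the constant names FILTER_MATCH_ALL/FILTER_MATCH_ANY and the exception type assumed, and the request value reconstructed from the URL quoted above.

```php
<?php
// Added example (not MantisBT code). Stand-ins for the gpc_get_string()
// vs gpc_get_int() pattern from the issue; the constants and the
// exception used for the "number expected" error are assumptions.
const FILTER_MATCH_ALL = 0;
const FILTER_MATCH_ANY = 1;

// Before the fix: the parameter is read as an opaque string and later
// reflected into markup, so a crafted value breaks out of the attribute.
function match_type_unsafe(array $gpc, int $default = FILTER_MATCH_ALL): string
{
    return isset($gpc['match_type']) ? (string) $gpc['match_type'] : (string) $default;
}

// After the fix: only an integer is accepted; anything else is an error,
// mirroring the "A number was expected for match_type" behaviour.
function match_type_safe(array $gpc, int $default = FILTER_MATCH_ALL): int
{
    if (!isset($gpc['match_type'])) {
        return $default;
    }
    $raw = $gpc['match_type'];
    if (!is_string($raw) || !preg_match('/^-?\d+$/', $raw)) {
        throw new InvalidArgumentException('A number was expected for match_type');
    }
    $value = (int) $raw;
    // Further narrow to the values the filter actually defines.
    if (!in_array($value, [FILTER_MATCH_ALL, FILTER_MATCH_ANY], true)) {
        throw new InvalidArgumentException('match_type out of range');
    }
    return $value;
}

// The hidden filter field as a view_all_set.php-style page would emit it.
function render_hidden(string $name, string $value): string
{
    return '<input type="hidden" name="' . $name . '" value="' . $value . '" />';
}

// Constructed request: the URL-decoded payload from the comment above.
$request = ['match_type' => '"><script>alert(1)</script>"'];
echo render_hidden('match_type', match_type_unsafe($request)), PHP_EOL;
// The attribute is closed early and the script tag reaches the browser.
try {
    echo render_hidden('match_type', (string) match_type_safe($request)), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
echo render_hidden('match_type', (string) match_type_safe(['match_type' => '1'])), PHP_EOL;
```

The integer guard is what removes the injection; the extra allowlist check narrows the accepted values to the filter's own constants, which gpc_get_int() alone does not do.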

dregad (developer), 2013-01-21 04:04, ~0034839

Linked the wrong issue #...

grangeway (reporter), 2013-04-05 17:56, ~0036122

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

Related Changesets

MantisBT: master 4362aa14 (2013-01-19 17:22, dregad)

Update match_type parameter to be XSS-safe by itself

Use of gpc_get_int() instead of gpc_get_string() prevents malicious
users from passing arbitrary strings as parameter.

Fixes 0015388

Affected Issues: 0015388

mod - core/filter_api.php
mod - search.php
mod - view_all_set.php

MantisBT: master-1.2.x dbf923c3 (2013-01-19 17:22, dregad)

Update match_type parameter to be XSS-safe by itself

Use of gpc_get_int() instead of gpc_get_string() prevents malicious
users from passing arbitrary strings as parameter.

Fixes 0015388

Affected Issues: 0015388

mod - core/filter_api.php
mod - search.php
mod - view_all_set.php