View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0015415 | mantisbt | security | public | 2013-01-23 06:51 | 2014-12-22 08:22 |
Reporter | atrol | Assigned To | dregad | ||
Priority | high | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 1.2.13 | ||||
Target Version | 1.2.14 | Fixed in Version | 1.2.14 | ||
Summary | 0015415: CVE-2013-1932: XSS vulnerability on Configuration Report page | ||||
Description | The following commit introduces XSS vulnerability on Configuration Report page | ||||
Steps To Reproduce |
| ||||
Tags | No tags attached. | ||||
Attached Files | fix15415.patch (737 bytes)
From 4a4acc57418ccc1259c8a177171787dcd36af8f8 Mon Sep 17 00:00:00 2001 From: Roland Becker <roland@atrol.de> Date: Wed, 23 Jan 2013 12:45:18 +0100 Subject: [PATCH] Fix #15415 XSS vulnerability on Configuration Report page --- adm_config_report.php | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/adm_config_report.php b/adm_config_report.php index 78b0a14..f5a512e 100644 --- a/adm_config_report.php +++ b/adm_config_report.php @@ -97,7 +97,7 @@ foreach( $p_array as $t_key => $t_value ) { echo "<option value='$t_key'"; check_selected( $p_filter_value, $t_key ); - echo ">$t_value</option>\n"; + echo '>' . string_display_line( $t_value ) . '</option>' . "\n"; } } -- 1.7.4.msysgit.0 | ||||
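Review bot: `$t_key` on the unchanged context line `echo "<option value='$t_key'";` is still written unescaped into a single-quoted attribute, so this hunk only covers the option label. Suggest escaping the key in the same change and emitting the attribute with one consistent quoting style. The commit message should also name which input reaches `$t_value`, so the scope of the fix can be checked against the other callers of this loop.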
Reminder sent to: dhx, dregad Please have a look at the attached patch. Not sure: Should string_display_line be used (I did in patch) or string_attribute (for example used in function print_project_option_list)? |
|
Thanks atrol. It's a bit embarrassing that I missed that one, especially after the 3 other similar issues discovered over the past few days :o I believe that string_attribute() is more appropriate in the context of printing option lists, as string_display_line() triggers an event for text formatting (i.e. MantisCoreFormatting plugin). Will push the fix shortly. |
|
And while testing, I found yet another one (existing at least since 1.2.0rc1): 0015416 |
|
It should be: echo '<option value="' . string_attribute( $t_key ) . '"'; string_display_line will still allow 'safe' HTML tags to be rendered -- something you don't want inside an <option> drop down list. It would also be safer to sanitise the key/name of the configuration option just in case. |
|
Beat me to it! |
|
not fast enough, young grasshopper ;) |
|
and in response to
Correct me if I'm wrong, but that does not seem necessary to me, due to the way the arrays are built:
|
|
Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch |
|
CVE assigned on 06-Apr-2013 [1] [1] http://article.gmane.org/gmane.comp.security.oss.general/9878 |
|
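The escaping discussed in the notes above, as an added standalone PHP example (not MantisBT's code and not part of the original issue): `escape_attr()` is a hypothetical stand-in for `string_attribute()` built on `htmlspecialchars()`, and the project list is constructed sample data.

```php
<?php
// Added illustration, not MantisBT code. escape_attr() is a hypothetical
// stand-in for the string_attribute() helper named in the thread.
function escape_attr( string $p_string ): string {
    // ENT_QUOTES encodes both ' and ", so the result is safe inside
    // either attribute quoting style as well as in element text.
    return htmlspecialchars( $p_string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

// Returns the "selected" attribute when the key matches the current filter.
function selected_attr( $p_key, $p_selected ): string {
    return ( (string)$p_key === (string)$p_selected ) ? ' selected="selected"' : '';
}

// Pre-fix behaviour: key and label are interpolated into the markup as-is.
function option_list_unescaped( array $p_array, $p_selected ): string {
    $t_html = '';
    foreach( $p_array as $t_key => $t_value ) {
        $t_html .= "<option value='$t_key'" . selected_attr( $t_key, $p_selected )
            . ">$t_value</option>\n";
    }
    return $t_html;
}

// Hardened: both the key (attribute context) and the label (text context)
// are escaped at the point of output.
function option_list_escaped( array $p_array, $p_selected ): string {
    $t_html = '';
    foreach( $p_array as $t_key => $t_value ) {
        $t_html .= '<option value="' . escape_attr( (string)$t_key ) . '"'
            . selected_attr( $t_key, $p_selected )
            . '>' . escape_attr( (string)$t_value ) . "</option>\n";
    }
    return $t_html;
}

// Constructed sample data (id => project name); not taken from the issue.
$t_projects = array(
    1      => 'Website',
    2      => '<script>alert(1)</script>',
    "a'b"  => 'R&D "core"',
);

echo "--- unescaped ---\n", option_list_unescaped( $t_projects, 2 );
$t_safe = option_list_escaped( $t_projects, 2 );
echo "--- escaped ---\n", $t_safe;
// Check: no tag from the data survives as markup in the escaped list.
var_dump( strpos( $t_safe, '<script' ) === false );
```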
MantisBT: master 0c81929d 2013-01-18 10:53 |
Manage config page: added filtering Porting the following 1.2.x commits - f8a81a33880752364ea47bdd9a987bff986c81de - 259f95cdb5a1561f9401b8c05f1aeddf8f016c81 - 3f75f68b08b0c52d5b3b488034f99214977a5dab - 9f724904ec087cc1d07704cc387455f4c3c45068 - efdd6a7538ae2366b1dadb52e85fc5d95ae80c1c - 9dbfcd7dd612137c8f75ba644d921c43f1d0a9f9 - beea901ca69692b989ec19461c6609571b5da5a2 - 65696fbffa0c1a197ce7441483abe78bd0b813e1 - b6f03b73e9134d1001e77445e109de733562cb8a - 8b426cfc6c6ea7149beeafb352fa390dbf8c4624 - d76a21067e56aba847b650d17ad4e679392c7475 - c61dc631b4c37547a25e1306ed90aa09e9e1b837 Issue 0014559, 0015415 |
Affected Issues 0014559, 0015415 |
|
mod - adm_config_report.php |
mod - config_defaults_inc.php |
mod - core/helper_api.php |
mod - core/obsolete.php |
mod - css/default.css |
mod - docbook/Admin_Guide/en-US/Configuration.xml |
mod - lang/strings_english.txt |
mod - manage_user_page.php |
MantisBT: master-1.2.x c61dc631 2013-01-23 07:28 |
Fix 0015415: XSS vulnerability on Configuration Report page A project name containing javascript code results in execution of said code when displaying the filter's project list. Note that despite using the same function to display the option list, the vulnerability does not exist for usernames (due to input restrictions in place when creating/updating user accounts) or config names (which must exist in config_default_inc.php and must be valid php identifiers). |
Affected Issues 0015415 |
|
mod - adm_config_report.php |