MantisBT

View Issue Details
ID: 0015415
Project: mantisbt
Category: security
View Status: public
Date Submitted: 2013-01-23 06:51
Last Update: 2014-09-23 18:05
Reporter: atrol
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.13
Target Version: 1.2.14
Fixed in Version: 1.2.14
Summary: 0015415: CVE-2013-1932: XSS vulnerability on Configuration Report page
Description: The following commit introduces an XSS vulnerability on the Configuration Report page:
https://github.com/mantisbt/mantisbt/commit/e539dd68df6b5efa79869ba8f6a0427fb5aa7835
Steps To Reproduce:
1. Create a project <script>alert ("XSS")</script>
2. Go to page Manage > Manage Configuration > Configuration Report
Tags: No tags attached.
Attached Files: fix15415.patch (737 bytes) 2013-01-23 06:53

- Relationships
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x
related to 0015416 (closed, dregad): CVE-2013-1934: XSS issue in adm_config_report.php when displaying complex value

- Notes
Note 0034872 - atrol (developer) - 2013-01-23 06:54

Reminder sent to: dhx, dregad

Please have a look at the attached patch.

Not sure: should string_display_line be used (as I did in the patch) or string_attribute (used for example in function print_project_option_list)?
Note 0034873 - dregad (developer) - 2013-01-23 07:18

Thanks atrol. It's a bit embarrassing that I missed that one, especially after the 3 other similar issues discovered over the past few days :o

I believe that string_attribute() is more appropriate in the context of printing option lists, as string_display_line() triggers an event for text formatting (i.e. MantisCoreFormatting plugin).

Will push the fix shortly.
Note 0034874 - dregad (developer) - 2013-01-23 07:30

And while testing, I found yet another one (existing at least since 1.2.0rc1): 0015416
Note 0034875 - dhx (reporter) - 2013-01-23 07:30

It should be:

echo '<option value="' . string_attribute( $t_key ) . '"';
check_selected( $p_filter_value, $t_key );
echo '>' . string_attribute( $t_value ) . "</option>\n";

string_display_line will still allow 'safe' HTML tags to be rendered -- something you don't want inside an <option> drop down list. It would also be safer to sanitise the key/name of the configuration option just in case.
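A worked version of the fix pattern from this note, added here as an example and not taken from MantisBT's own code: the vulnerable option-list rendering beside the escaped one. attr_escape() is a stand-in for string_attribute(), assumed to behave like htmlspecialchars(); the project array and its hostile name are constructed sample input.

```php
<?php
// Added example (not MantisBT's own code): rendering a <select> filter from
// an id => label array, as adm_config_report.php does for the project list.
// attr_escape() is an assumed stand-in for the project's string_attribute(),
// which wraps htmlspecialchars(); it is not the project's function.

function attr_escape( $p_string ) {
    // ENT_QUOTES also escapes single quotes, so the result is safe inside
    // double- or single-quoted attribute values as well as element content.
    return htmlspecialchars( (string) $p_string, ENT_QUOTES, 'UTF-8' );
}

// Vulnerable form: key and label are echoed raw, so a project name such as
// <script>alert("XSS")</script> is emitted as live markup in the page.
function option_list_unsafe( array $p_options, $p_selected ) {
    $t_html = '';
    foreach( $p_options as $t_key => $t_value ) {
        $t_html .= '<option value="' . $t_key . '"';
        if( (string) $t_key === (string) $p_selected ) {
            $t_html .= ' selected="selected"';
        }
        $t_html .= '>' . $t_value . "</option>\n";
    }
    return $t_html;
}

// Fixed form (the pattern from the note above): both the key and the label
// go through the attribute escaper, so the browser only ever sees text.
// A tag whitelist such as string_display_line() applies would not help here,
// because any tag inside <option> is already outside what the element allows.
function option_list_safe( array $p_options, $p_selected ) {
    $t_html = '';
    foreach( $p_options as $t_key => $t_value ) {
        $t_html .= '<option value="' . attr_escape( $t_key ) . '"';
        if( (string) $t_key === (string) $p_selected ) {
            $t_html .= ' selected="selected"';
        }
        $t_html .= '>' . attr_escape( $t_value ) . "</option>\n";
    }
    return $t_html;
}

// Constructed sample input: project ids mapped to names, one of them hostile.
$t_projects = array(
    1 => 'mantisbt',
    2 => '<script>alert("XSS")</script>',
);

echo option_list_unsafe( $t_projects, 2 ); // script tag reaches the page unchanged
echo option_list_safe( $t_projects, 2 );   // angle brackets and quotes are entity-encoded
```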
Note 0034876 - dhx (reporter) - 2013-01-23 07:30

Beat me to it!
Note 0034878 - dregad (developer) - 2013-01-23 07:49

not fast enough, young grasshopper ;)
Note 0034881 - dregad (developer) - 2013-01-23 07:54

and in response to

> It would also be safer to sanitise the key/name of the configuration option just in case.

Correct me if I'm wrong, but that does not seem necessary to me, due to the way the arrays are built:

- username: key = user id, by definition an int
- project: same as above
- config: name must be a valid php identifier, and exist in config_default_inc.php. Any other value must have been entered directly in the DB via SQL; if that's the case we have either an already severely compromised system -- or a very stupid administrator ;-)
Note 0036073 - grangeway (reporter) - 2013-04-05 17:56

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.
Note 0036539 - dregad (developer) - 2013-04-08 05:44

CVE assigned on 06-Apr-2013 [1]

[1] http://article.gmane.org/gmane.comp.security.oss.general/9878

- Related Changesets
MantisBT: master 0c81929d
Timestamp: 2013-01-18 15:53:13
Author: dregad
Manage config page: added filtering

Porting the following 1.2.x commits

Issue 0014559, 0015415
mod - adm_config_report.php
mod - config_defaults_inc.php
mod - core/helper_api.php
mod - core/obsolete.php
mod - css/default.css
mod - docbook/Admin_Guide/en-US/Configuration.xml
mod - lang/strings_english.txt
mod - manage_user_page.php
MantisBT: master-1.2.x c61dc631
Timestamp: 2013-01-23 12:28:39
Author: dregad
Fix 0015415: XSS vulnerability on Configuration Report page

A project name containing javascript code results in execution of said
code when displaying the filter's project list.

Note that despite using the same function to display the option list,
the vulnerability does not exist for usernames (due to input
restrictions in place when creating/updating user accounts) or config
names (which must exist in config_default_inc.php and must be valid php
identifiers).
mod - adm_config_report.php

- Issue History
Date Modified | Username | Field | Change
2013-01-23 06:51 atrol New Issue
2013-01-23 06:53 atrol File Added: fix15415.patch
2013-01-23 06:54 atrol Note Added: 0034872
2013-01-23 07:03 dregad Assigned To => dregad
2013-01-23 07:03 dregad Status new => assigned
2013-01-23 07:18 dregad Note Added: 0034873
2013-01-23 07:29 dregad Relationship added related to 0015416
2013-01-23 07:30 dregad Note Added: 0034874
2013-01-23 07:30 dhx Note Added: 0034875
2013-01-23 07:30 dhx Note Added: 0034876
2013-01-23 07:41 dregad Changeset attached => MantisBT master-1.2.x c61dc631
2013-01-23 07:41 dregad Status assigned => resolved
2013-01-23 07:41 dregad Resolution open => fixed
2013-01-23 07:41 dregad Fixed in Version => 1.2.14
2013-01-23 07:49 dregad Note Added: 0034878
2013-01-23 07:49 dregad View Status private => public
2013-01-23 07:54 dregad Note Added: 0034881
2013-01-29 09:25 dregad Status resolved => closed
2013-03-08 11:05 dregad Changeset attached => MantisBT master 0c81929d
2013-03-13 06:17 jayavel Issue cloned: 0015623
2013-04-05 17:56 grangeway Status closed => acknowledged
2013-04-05 17:56 grangeway Note Added: 0036073
2013-04-05 19:47 grangeway Relationship added related to 0015721
2013-04-06 03:38 dregad Status acknowledged => closed
2013-04-06 07:23 grangeway Status closed => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed
2013-04-08 05:44 dregad Note Added: 0036539
2013-04-08 05:44 dregad Summary XSS vulnerability on Configuration Report page => CVE-2013-1932: XSS vulnerability on Configuration Report page
2014-02-07 03:57 dregad Relationship added related to 0013298
2014-02-07 03:59 dregad Relationship deleted related to 0013298
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check


MantisBT 1.2.17
Copyright © 2000 - 2014 MantisBT Team