2014-11-26 19:01 EST

ID: 0015415
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-09-23 18:05
Reporter: atrol
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.13
Target Version: 1.2.14
Fixed in Version: 1.2.14
Summary: 0015415: CVE-2013-1932: XSS vulnerability on Configuration Report page
Description: The following commit introduces an XSS vulnerability on the Configuration Report page:
https://github.com/mantisbt/mantisbt/commit/e539dd68df6b5efa79869ba8f6a0427fb5aa7835
Steps To Reproduce:
1. Create a project named <script>alert ("XSS")</script>
2. Go to page Manage > Manage Configuration > Configuration report
Tags: No tags attached.
Attached Files
  • fix15415.patch (737 bytes) 2013-01-23 06:53
    From 4a4acc57418ccc1259c8a177171787dcd36af8f8 Mon Sep 17 00:00:00 2001
    From: Roland Becker <roland@atrol.de>
    Date: Wed, 23 Jan 2013 12:45:18 +0100
    Subject: [PATCH] Fix #15415 XSS vulnerability on Configuration Report page
    
    ---
     adm_config_report.php |    2 +-
     1 files changed, 1 insertions(+), 1 deletions(-)
    
    diff --git a/adm_config_report.php b/adm_config_report.php
    index 78b0a14..f5a512e 100644
    --- a/adm_config_report.php
    +++ b/adm_config_report.php
    @@ -97,7 +97,7 @@
     		foreach( $p_array as $t_key => $t_value ) {
     			echo "<option value='$t_key'";
     			check_selected( $p_filter_value, $t_key );
    -			echo ">$t_value</option>\n";
    +			echo '>' . string_display_line( $t_value ) . '</option>' . "\n";
     		}
     	}
     
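    Review bot: the `+` line escapes only `$t_value`, and does so with string_display_line(), which as the notes below point out still lets "safe" HTML tags through to the output; inside an `<option>` element that is not wanted, so string_attribute() is the right call here. The unchanged context line `echo "<option value='$t_key'";` two lines above also interpolates `$t_key` unescaped; even if keys are currently integers or validated config names, escaping it costs nothing. Suggested form: `echo '<option value="' . string_attribute( $t_key ) . '"';` followed by `echo '>' . string_attribute( $t_value ) . "</option>\n";`.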
    -- 
    1.7.4.msysgit.0

Relationships
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x
related to 0015416 (closed, dregad): CVE-2013-1934: XSS issue in adm_config_report.php when displaying complex value

Notes
~0034872

atrol (developer)

Reminder sent to: dhx, dregad

Please have a look at the attached patch.

Not sure: Should string_display_line be used (I did in patch) or string_attribute (for example used in function print_project_option_list)

~0034873

dregad (developer)

Thanks atrol. It's a bit embarrassing that I missed that one, especially after the 3 other similar issues discovered over the past few days :o

I believe that string_attribute() is more appropriate in the context of printing option lists, as string_display_line() triggers an event for text formatting (i.e. MantisCoreFormatting plugin).

Will push the fix shortly.

~0034874

dregad (developer)

And while testing, I found yet another one (existing at least since 1.2.0rc1): 0015416

~0034875

dhx (reporter)

It should be:

echo '<option value="' . string_attribute( $t_key ) . '"';
check_selected( $p_filter_value, $t_key );
echo '>' . string_attribute( $t_value ) . "</option>\n";

string_display_line will still allow 'safe' HTML tags to be rendered -- something you don't want inside an <option> drop down list. It would also be safer to sanitise the key/name of the configuration option just in case.
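As an added example, not code from this report or from MantisBT itself: the option-list pattern of adm_config_report.php in its vulnerable form beside the hardened form dhx describes. escape_attr() stands in for MantisBT's string_attribute(), an inline comparison stands in for check_selected(), and the project list is constructed sample data.

```php
<?php
// Added example, not MantisBT's own code: the adm_config_report.php
// option-list pattern, vulnerable form beside the hardened form from
// dhx's note. escape_attr() stands in for string_attribute(), the inline
// comparison for check_selected(); the project list is constructed.

// Stand-in for string_attribute(): encode for an HTML attribute or text node.
function escape_attr(string $p_string): string {
    return htmlspecialchars($p_string, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable form: key and value are interpolated into markup unescaped,
// so a project name holding markup is emitted verbatim.
function render_options_vulnerable(array $p_array, $p_filter_value): string {
    $t_out = '';
    foreach ($p_array as $t_key => $t_value) {
        $t_out .= "<option value='$t_key'";
        if ((string) $p_filter_value === (string) $t_key) {
            $t_out .= ' selected="selected"';
        }
        $t_out .= ">$t_value</option>\n";
    }
    return $t_out;
}

// Hardened form: escape both the key and the displayed name, so no tag can
// break out of the <option> regardless of what the project was named.
function render_options_safe(array $p_array, $p_filter_value): string {
    $t_out = '';
    foreach ($p_array as $t_key => $t_value) {
        $t_out .= '<option value="' . escape_attr((string) $t_key) . '"';
        if ((string) $p_filter_value === (string) $t_key) {
            $t_out .= ' selected="selected"';
        }
        $t_out .= '>' . escape_attr((string) $t_value) . "</option>\n";
    }
    return $t_out;
}

// Constructed sample: project id => name, one name carrying the payload from the report.
$t_projects = [1 => 'Internal Tools', 2 => '<script>alert("XSS")</script>'];

$t_bad  = render_options_vulnerable($t_projects, 1);
$t_good = render_options_safe($t_projects, 1);

// Regression check: the raw tag must survive in the vulnerable output only.
if (strpos($t_bad, '<script>') === false || strpos($t_good, '<script>') !== false) {
    throw new RuntimeException('escaping check failed');
}
echo $t_good;
```

The hardened output renders the second entry as `&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;`, which the browser shows as literal text in the drop-down instead of executing it.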

~0034876

dhx (reporter)

Beat me to it!

~0034878

dregad (developer)

not fast enough, young grasshopper ;)

~0034881

dregad (developer)

and in response to

> It would also be safer to sanitise the key/name of the configuration option just in case.

Correct me if I'm wrong, but that does not seem necessary to me, due to the way the arrays are built:

- username: key = user id, by definition an int
- project: same as above
- config: name must be a valid php identifier, and exist in config_default_inc.php. Any other value must have been entered directly in the DB via SQL; if that's the case we have either an already severely compromised system -- or a very stupid administrator ;-)

~0036073

grangeway (reporter)

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch

~0036539

dregad (developer)

CVE assigned on 06-Apr-2013 [1]

[1] http://article.gmane.org/gmane.comp.security.oss.general/9878

Related Changesets
MantisBT: master 0c81929d
Timestamp: 2013-01-18 15:53:13
Author: dregad
Manage config page: added filtering

Porting the following 1.2.x commits

Issue 0014559, 0015415
mod - adm_config_report.php
mod - config_defaults_inc.php
mod - core/helper_api.php
mod - core/obsolete.php
mod - css/default.css
mod - docbook/Admin_Guide/en-US/Configuration.xml
mod - lang/strings_english.txt
mod - manage_user_page.php
MantisBT: master-1.2.x c61dc631
Timestamp: 2013-01-23 12:28:39
Author: dregad
Fix 0015415: XSS vulnerability on Configuration Report page

A project name containing javascript code results in execution of said
code when displaying the filter's project list.

Note that despite using the same function to display the option list,
the vulnerability does not exist for usernames (due to input
restrictions in place when creating/updating user accounts) or config
names (which must exist in config_default_inc.php and must be valid php
identifiers).
mod - adm_config_report.php

Issue History
Date Modified Username Field Change
2013-01-23 06:51 atrol New Issue
2013-01-23 06:53 atrol File Added: fix15415.patch
2013-01-23 06:54 atrol Note Added: 0034872
2013-01-23 07:03 dregad Assigned To => dregad
2013-01-23 07:03 dregad Status new => assigned
2013-01-23 07:18 dregad Note Added: 0034873
2013-01-23 07:29 dregad Relationship added related to 0015416
2013-01-23 07:30 dregad Note Added: 0034874
2013-01-23 07:30 dhx Note Added: 0034875
2013-01-23 07:30 dhx Note Added: 0034876
2013-01-23 07:41 dregad Changeset attached => MantisBT master-1.2.x c61dc631
2013-01-23 07:41 dregad Status assigned => resolved
2013-01-23 07:41 dregad Resolution open => fixed
2013-01-23 07:41 dregad Fixed in Version => 1.2.14
2013-01-23 07:49 dregad Note Added: 0034878
2013-01-23 07:49 dregad View Status private => public
2013-01-23 07:54 dregad Note Added: 0034881
2013-01-29 09:25 dregad Status resolved => closed
2013-03-08 11:05 dregad Changeset attached => MantisBT master 0c81929d
2013-03-13 06:17 jayavel Issue cloned: 0015623
2013-04-05 17:56 grangeway Status closed => acknowledged
2013-04-05 17:56 grangeway Note Added: 0036073
2013-04-05 19:47 grangeway Relationship added related to 0015721
2013-04-06 03:38 dregad Status acknowledged => closed
2013-04-06 07:23 grangeway Status closed => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed
2013-04-08 05:44 dregad Note Added: 0036539
2013-04-08 05:44 dregad Summary XSS vulnerability on Configuration Report page => CVE-2013-1932: XSS vulnerability on Configuration Report page
2014-02-07 03:57 dregad Relationship added related to 0013298
2014-02-07 03:59 dregad Relationship deleted related to 0013298
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check