View Issue Details

ID: 0015415
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-12-22 08:22
Reporter: atrol
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.13
Target Version: 1.2.14
Fixed in Version: 1.2.14
Summary0015415: CVE-2013-1932: XSS vulnerability on Configuration Report page
Description

The following commit introduces an XSS vulnerability on the Configuration Report page:
https://github.com/mantisbt/mantisbt/commit/e539dd68df6b5efa79869ba8f6a0427fb5aa7835

Steps To Reproduce
  1. Create a project named <script>alert ("XSS")</script>
  2. Go to Manage > Manage Configuration > Configuration Report

Tags: No tags attached.

Relationships

related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x
related to 0015416 (closed, dregad): CVE-2013-1934: XSS issue in adm_config_report.php when displaying complex value

Activities

atrol (developer) 2013-01-23 06:53

fix15415.patch (737 bytes)
From 4a4acc57418ccc1259c8a177171787dcd36af8f8 Mon Sep 17 00:00:00 2001
From: Roland Becker <roland@atrol.de>
Date: Wed, 23 Jan 2013 12:45:18 +0100
Subject: [PATCH] Fix #15415 XSS vulnerability on Configuration Report page

---
 adm_config_report.php |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/adm_config_report.php b/adm_config_report.php
index 78b0a14..f5a512e 100644
--- a/adm_config_report.php
+++ b/adm_config_report.php
@@ -97,7 +97,7 @@
 		foreach( $p_array as $t_key => $t_value ) {
 			echo "<option value='$t_key'";
 			check_selected( $p_filter_value, $t_key );
-			echo ">$t_value</option>\n";
+			echo '>' . string_display_line( $t_value ) . '</option>' . "\n";
 		}
 	}
 
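Review bot: the unchanged line `echo "<option value='$t_key'";` in this hunk still interpolates `$t_key` into the value attribute without any escaping, so the change only covers the option label; escape the key as well, e.g. `echo "<option value='" . string_attribute( $t_key ) . "'";`. Also, `string_display_line()` is a display-formatting helper (the discussion below notes it triggers the text formatting event and can leave some HTML intact), whereas `string_attribute()` is the escaper meant for attribute and option contexts, so `string_attribute( $t_value )` is the safer choice on the `+` line.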
-- 
1.7.4.msysgit.0

atrol (developer) 2013-01-23 06:54 ~0034872

Reminder sent to: dhx, dregad

Please have a look at the attached patch.

Not sure: should string_display_line be used (as I did in the patch) or string_attribute (as used, for example, in function print_project_option_list)?

dregad (developer) 2013-01-23 07:18 ~0034873

Thanks atrol. It's a bit embarrassing that I missed that one, especially after the 3 other similar issues discovered over the past few days :o

I believe that string_attribute() is more appropriate in the context of printing option lists, as string_display_line() triggers an event for text formatting (i.e. MantisCoreFormatting plugin).

Will push the fix shortly.

dregad (developer) 2013-01-23 07:30 ~0034874

And while testing, I found yet another one (existing at least since 1.2.0rc1): 0015416

dhx (reporter) 2013-01-23 07:30 ~0034875

It should be:

echo '<option value="' . string_attribute( $t_key ) . '"';
check_selected( $p_filter_value, $t_key );
echo '>' . string_attribute( $t_value ) . "</option>\n";

string_display_line will still allow 'safe' HTML tags to be rendered -- something you don't want inside an <option> drop-down list. It would also be safer to sanitise the key/name of the configuration option just in case.
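To make the attribute-context escaping concrete, here is an added example (not MantisBT's own code) that puts the pre-fix option-list printer next to the hardened form proposed above and runs both over a constructed project list containing the name from the report. The string_attribute() and check_selected() helpers below are simplified stand-ins for the MantisBT functions of the same name, not the project's implementations.

```php
<?php
// Simplified stand-in for MantisBT's string_attribute(): HTML-escape a value
// so it is inert both inside a quoted attribute and as element content.
// (Assumption: the real function behaves equivalently for this purpose.)
function string_attribute( $p_string ) {
    return htmlspecialchars( (string)$p_string, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

// Stand-in for check_selected(): mark the option matching the current filter.
function check_selected( $p_filter_value, $p_key ) {
    if ( (string)$p_filter_value === (string)$p_key ) {
        echo ' selected="selected"';
    }
}

// Pre-fix code path: key and label are interpolated into the markup verbatim,
// so a project name containing markup is emitted as live HTML.
function print_option_list_vulnerable( array $p_array, $p_filter_value ) {
    foreach ( $p_array as $t_key => $t_value ) {
        echo "<option value='$t_key'";
        check_selected( $p_filter_value, $t_key );
        echo ">$t_value</option>\n";
    }
}

// Hardened form: escape the value attribute AND the option label.
function print_option_list_fixed( array $p_array, $p_filter_value ) {
    foreach ( $p_array as $t_key => $t_value ) {
        echo '<option value="' . string_attribute( $t_key ) . '"';
        check_selected( $p_filter_value, $t_key );
        echo '>' . string_attribute( $t_value ) . "</option>\n";
    }
}

// Constructed sample input: a project list including the name from the report.
$t_projects = array(
    1 => 'Project A',
    2 => '<script>alert ("XSS")</script>',
);

echo "--- vulnerable ---\n";
print_option_list_vulnerable( $t_projects, 1 );
echo "--- fixed ---\n";
print_option_list_fixed( $t_projects, 1 );
```

In the hardened output the second option's label arrives as escaped entities, so the browser renders the literal text instead of executing it; the ENT_QUOTES flag matters because the key is placed inside a quoted attribute.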

dhx (reporter) 2013-01-23 07:30 ~0034876

Beat me to it!

dregad (developer) 2013-01-23 07:49 ~0034878

not fast enough, young grasshopper ;)

dregad (developer) 2013-01-23 07:54 ~0034881

and in response to:

"It would also be safer to sanitise the key/name of the configuration option just in case."

Correct me if I'm wrong, but that does not seem necessary to me, due to the way the arrays are built:

  • username: key = user id, by definition an int
  • project: same as above
  • config: name must be a valid php identifier, and exist in config_default_inc.php. Any other value must have been entered directly in the DB via SQL; if that's the case we have either an already severely compromised system -- or a very stupid administrator ;-)
grangeway (reporter) 2013-04-05 17:56 ~0036073

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.

dregad (developer) 2013-04-08 05:44 ~0036539

CVE assigned on 06-Apr-2013 [1]

[1] http://article.gmane.org/gmane.comp.security.oss.general/9878

Related Changesets

MantisBT: master 0c81929d (dregad, 2013-01-18 15:53:13)
Manage config page: added filtering

Porting the following 1.2.x commits

Issue 0014559, 0015415
mod - adm_config_report.php
mod - config_defaults_inc.php
mod - core/helper_api.php
mod - core/obsolete.php
mod - css/default.css
mod - docbook/Admin_Guide/en-US/Configuration.xml
mod - lang/strings_english.txt
mod - manage_user_page.php

MantisBT: master-1.2.x c61dc631 (dregad, 2013-01-23 12:28:39)
Fix 0015415: XSS vulnerability on Configuration Report page

A project name containing javascript code results in execution of said
code when displaying the filter's project list.

Note that despite using the same function to display the option list,
the vulnerability does not exist for usernames (due to input
restrictions in place when creating/updating user accounts) or config
names (which must exist in config_default_inc.php and must be valid php
identifiers).
mod - adm_config_report.php

Issue History

Date Modified Username Field Change
2013-01-23 06:51 atrol New Issue
2013-01-23 06:53 atrol File Added: fix15415.patch
2013-01-23 06:54 atrol Note Added: 0034872
2013-01-23 07:03 dregad Assigned To => dregad
2013-01-23 07:03 dregad Status new => assigned
2013-01-23 07:18 dregad Note Added: 0034873
2013-01-23 07:29 dregad Relationship added related to 0015416
2013-01-23 07:30 dregad Note Added: 0034874
2013-01-23 07:30 dhx Note Added: 0034875
2013-01-23 07:30 dhx Note Added: 0034876
2013-01-23 07:41 dregad Changeset attached => MantisBT master-1.2.x c61dc631
2013-01-23 07:41 dregad Status assigned => resolved
2013-01-23 07:41 dregad Resolution open => fixed
2013-01-23 07:41 dregad Fixed in Version => 1.2.14
2013-01-23 07:49 dregad Note Added: 0034878
2013-01-23 07:49 dregad View Status private => public
2013-01-23 07:54 dregad Note Added: 0034881
2013-01-29 09:25 dregad Status resolved => closed
2013-03-08 11:05 dregad Changeset attached => MantisBT master 0c81929d
2013-03-13 06:17 jayavel Issue cloned: 0015623
2013-04-05 17:56 grangeway Status closed => acknowledged
2013-04-05 17:56 grangeway Note Added: 0036073
2013-04-05 19:47 grangeway Relationship added related to 0015721
2013-04-06 03:38 dregad Status acknowledged => closed
2013-04-06 07:23 grangeway Status closed => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed
2013-04-08 05:44 dregad Note Added: 0036539
2013-04-08 05:44 dregad Summary XSS vulnerability on Configuration Report page => CVE-2013-1932: XSS vulnerability on Configuration Report page
2014-02-07 03:57 dregad Relationship added related to 0013298
2014-02-07 03:59 dregad Relationship deleted related to 0013298
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check