View Issue Details

ID: 0015415
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-12-22 08:22
Reporter: atrol
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.13
Target Version: 1.2.14
Fixed in Version: 1.2.14
Summary: 0015415: CVE-2013-1932: XSS vulnerability on Configuration Report page
Description

The following commit introduces an XSS vulnerability on the Configuration Report page:
https://github.com/mantisbt/mantisbt/commit/e539dd68df6b5efa79869ba8f6a0427fb5aa7835

Steps To Reproduce
  1. Create a project <script>alert ("XSS")</script>
  2. Go to page Manage > Manage Configuration > Configuration report
Tags: No tags attached.
Attached Files
fix15415.patch (737 bytes)   
From 4a4acc57418ccc1259c8a177171787dcd36af8f8 Mon Sep 17 00:00:00 2001
From: Roland Becker <roland@atrol.de>
Date: Wed, 23 Jan 2013 12:45:18 +0100
Subject: [PATCH] Fix #15415 XSS vulnerability on Configuration Report page

---
 adm_config_report.php |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/adm_config_report.php b/adm_config_report.php
index 78b0a14..f5a512e 100644
--- a/adm_config_report.php
+++ b/adm_config_report.php
@@ -97,7 +97,7 @@
 		foreach( $p_array as $t_key => $t_value ) {
 			echo "<option value='$t_key'";
 			check_selected( $p_filter_value, $t_key );
-			echo ">$t_value</option>\n";
+			echo '>' . string_display_line( $t_value ) . '</option>' . "\n";
 		}
 	}
 
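Review bot: the context line `echo "<option value='$t_key'";` still interpolates `$t_key` unescaped into the value attribute while the `+` line escapes only `$t_value`; for consistency escape both, e.g. `echo '<option value="' . string_attribute( $t_key ) . '"';` followed by `echo '>' . string_attribute( $t_value ) . "</option>\n";`. As noted in the discussion, string_display_line() runs the text-formatting event (MantisCoreFormatting can leave 'safe' HTML tags in the output), which is not wanted inside an option list, so string_attribute() is the better choice for both the key and the display text.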
-- 
1.7.4.msysgit.0


Relationships

related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x
related to 0015416 (closed, dregad): CVE-2013-1934: XSS issue in adm_config_report.php when displaying complex value

Activities

atrol

2013-01-23 06:54

developer   ~0034872

Reminder sent to: dhx, dregad

Please have a look at the attached patch.

Not sure: should string_display_line be used (I did in the patch) or string_attribute (for example, used in the function print_project_option_list)?

dregad

2013-01-23 07:18

developer   ~0034873

Thanks atrol. It's a bit embarrassing that I missed that one, especially after the 3 other similar issues discovered over the past few days :o

I believe that string_attribute() is more appropriate in the context of printing option lists, as string_display_line() triggers an event for text formatting (i.e. MantisCoreFormatting plugin).

Will push the fix shortly.

dregad

2013-01-23 07:30

developer   ~0034874

And while testing, I found yet another one (existing at least since 1.2.0rc1): 0015416

dhx

2013-01-23 07:30

reporter   ~0034875

It should be:

echo '<option value="' . string_attribute( $t_key ) . '"';
check_selected( $p_filter_value, $t_key );
echo '>' . string_attribute( $t_value ) . "</option>\n";

string_display_line will still allow 'safe' HTML tags to be rendered -- something you don't want inside an <option> drop down list. It would also be safer to sanitise the key/name of the configuration option just in case.
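The filter option loop rendered the vulnerable way beside the hardened form dhx proposes, as an added example that is not MantisBT's own code; MantisBT's string_attribute() and check_selected() are the project helpers, while htmlspecialchars() with ENT_QUOTES and a small check_selected_stub() stand in for them here so the snippet runs on plain PHP.

```php
<?php
// Added example, not MantisBT code: the filter <option> loop from
// adm_config_report.php rendered the vulnerable way and the hardened way.
// MantisBT's string_attribute() is the project helper; htmlspecialchars() with
// ENT_QUOTES stands in for it here so the snippet runs on plain PHP.

// Constructed input: the project name from "Steps To Reproduce" as one entry.
$t_projects = array(
	1 => 'Mantis Core',
	2 => '<script>alert ("XSS")</script>',
);

// Stand-in for MantisBT's check_selected(): emit the selected attribute on match.
function check_selected_stub( $p_filter_value, $p_key ) {
	if( (string)$p_filter_value === (string)$p_key ) {
		echo ' selected="selected"';
	}
}

// Vulnerable form: raw interpolation, so a project name containing markup is
// emitted as markup and the browser runs any script inside it.
function print_option_list_vulnerable( array $p_array, $p_filter_value ) {
	foreach( $p_array as $t_key => $t_value ) {
		echo "<option value='$t_key'";
		check_selected_stub( $p_filter_value, $t_key );
		echo ">$t_value</option>\n";
	}
}

// Escape for an HTML attribute or text node (both quote styles plus <, > and &).
function attribute_escape( $p_string ) {
	return htmlspecialchars( (string)$p_string, ENT_QUOTES, 'UTF-8' );
}

// Hardened form, following dhx's suggestion: both the key (harmless for the
// integer ids the caller passes) and the display text are escaped.
function print_option_list_hardened( array $p_array, $p_filter_value ) {
	foreach( $p_array as $t_key => $t_value ) {
		echo '<option value="' . attribute_escape( $t_key ) . '"';
		check_selected_stub( $p_filter_value, $t_key );
		echo '>' . attribute_escape( $t_value ) . "</option>\n";
	}
}

echo "--- vulnerable ---\n";
print_option_list_vulnerable( $t_projects, 2 );
echo "--- hardened ---\n";
print_option_list_hardened( $t_projects, 2 );
```

In the hardened output the second option's text appears as `&lt;script&gt;alert (&quot;XSS&quot;)&lt;/script&gt;`, which the browser shows as literal text instead of executing.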

dhx

2013-01-23 07:30

reporter   ~0034876

Beat me to it!

dregad

2013-01-23 07:49

developer   ~0034878

not fast enough, young grasshopper ;)

dregad

2013-01-23 07:54

developer   ~0034881

and in response to

It would also be safer to sanitise the key/name of the configuration option just in case.

Correct me if I'm wrong, but that does not seem necessary to me, due to the way the arrays are built:

  • username: key = user id, by definition an int
  • project: same as above
  • config: name must be a valid php identifier, and exist in config_default_inc.php. Any other value must have been entered directly in the DB via SQL; if that's the case we have either an already severely compromised system -- or a very stupid administrator ;-)

grangeway

2013-04-05 17:56

reporter   ~0036073

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.

dregad

2013-04-08 05:44

developer   ~0036539

CVE assigned on 06-Apr-2013 [1]

[1] http://article.gmane.org/gmane.comp.security.oss.general/9878

Related Changesets

MantisBT: master 0c81929d

2013-01-18 10:53

dregad

Manage config page: added filtering

Porting the following 1.2.x commits

Issue 0014559, 0015415
Affected Issues: 0014559, 0015415
mod - adm_config_report.php
mod - config_defaults_inc.php
mod - core/helper_api.php
mod - core/obsolete.php
mod - css/default.css
mod - docbook/Admin_Guide/en-US/Configuration.xml
mod - lang/strings_english.txt
mod - manage_user_page.php

MantisBT: master-1.2.x c61dc631

2013-01-23 07:28

dregad

Fix 0015415: XSS vulnerability on Configuration Report page

A project name containing javascript code results in execution of said
code when displaying the filter's project list.

Note that despite using the same function to display the option list,
the vulnerability does not exist for usernames (due to input
restrictions in place when creating/updating user accounts) or config
names (which must exist in config_default_inc.php and must be valid php
identifiers).
Affected Issues: 0015415
mod - adm_config_report.php