View Issue Details

ID: 0015416
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-09-23 18:05
Reporter: dregad
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.0rc1
Target Version: 1.2.14
Fixed in Version: 1.2.14
Summary: 0015416: CVE-2013-1934: XSS issue in adm_config_report.php when displaying complex value
Description

Lack of proper string escaping allows users (having admin access) to enter arbitrary JavaScript code and have it executed in the user's browser.

This vulnerability exists since 1.2.0rc1 (possibly before), but is mitigated by the fact that normally only administrators have access to this page, and so would hopefully know what they are doing when entering values in the system.

Steps To Reproduce
  • Go to the adm_config_report.php page
  • Add a complex config option like this:

    array(test <script>alert (XSS)</script>)

Tags: No tags attached.
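The root cause named in the description is that a "complex" value is echoed into the report page without escaping. The following PHP is an added example, not MantisBT's own code: it puts the unescaped rendering next to a hardened version that passes the exported value through htmlspecialchars(), and includes a small check that a test or code review could use to confirm no raw markup survives. The function names and the sample value are constructed for illustration.

```php
<?php
// Added example (not MantisBT's own code): rendering a "complex" config
// value for an HTML report page. The value was typed in by an administrator
// on the config report page, so from the page's point of view it is
// untrusted input and must be escaped before it is echoed.

// Escape a string for placement inside HTML element content.
function html_escape(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the exported value is echoed as-is, so any markup
// inside it becomes part of the page and runs in the viewer's browser.
function render_complex_unsafe($value): string {
    return '<pre>' . var_export($value, true) . '</pre>';
}

// Hardened pattern: export first, then escape the whole string once.
// Escaping the final string (rather than individual elements) also covers
// keys, nested arrays and quotes produced by var_export() itself.
function render_complex_safe($value): string {
    return '<pre>' . html_escape(var_export($value, true)) . '</pre>';
}

// Review/test helper: true if the rendered HTML still contains an
// unescaped angle bracket, i.e. user-supplied markup reached the page.
// The wrapping <pre> tags are stripped before the check.
function contains_raw_markup(string $html): bool {
    $inner = substr($html, strlen('<pre>'), -strlen('</pre>'));
    return strpos($inner, '<') !== false || strpos($inner, '>') !== false;
}

// Constructed sample value mirroring the reproduction step above.
$sample = array('test <script>alert(1)</script>');

$unsafe = render_complex_unsafe($sample);
$safe   = render_complex_safe($sample);

echo "unsafe rendering leaks markup: ", var_export(contains_raw_markup($unsafe), true), "\n";
echo "safe rendering leaks markup:   ", var_export(contains_raw_markup($safe), true), "\n";
echo $safe, "\n";
```

With the sample value, contains_raw_markup() returns true for the unsafe rendering and false for the escaped one; the escaped output shows the literal text `&lt;script&gt;` in the report instead of a live script element.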

Relationships

related to 0015415 (closed, dregad): CVE-2013-1932: XSS vulnerability on Configuration Report page
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

Activities

dregad (developer), 2013-01-23 07:44, note ~0034877

master will be patched later when porting of manage-config branch is completed.

grangeway (reporter), 2013-04-05 17:56, note ~0036072

Marking as acknowledged not resolved/closed to track that change gets ported to master-2.0.x branch

dregad (developer), 2013-04-09 09:19, note ~0036555

CVE assigned on 09-Apr-2013 [1]

[1] http://article.gmane.org/gmane.comp.security.oss.general/9901

Related Changesets

MantisBT: master-1.2.x 5858a659, 2013-01-23 12:37:56, dregad
Fix 0015416: XSS issue in adm_config_report.php

If a 'complex' config option contains javascript code, it would be
executed when displaying the page.
mod - adm_config_report.php

MantisBT: master 57f57409, 2013-03-08 16:01:17, dregad
Make it possible to edit config options in adm_config_report.php

Use CONFIG_TYPE_xxx constants instead of magic strings to define the
type of config value to process.

Added code for FLOAT type which was previously handled through COMPLEX.

Improve handling of INT (and FLOAT) by calling constant_replace(),
allowing user to specify a defined constant instead of a numeric value.

The 'Username', 'Project Name' and 'Configuration Option' fields in the
'Set Configuration Option' form are preset to the corresponding value
from the filter or defaulting to ALL_USERS, ALL_PROJECTS and blank
respectively if the filter is not defined or set to '[any]'. This allows
easier definition of related config, e.g. for a given project or user.

Port of 1.2.x commits
- 8890b218892d56947e6ffe300d0186b1450d0481
- 8b426cfc6c6ea7149beeafb352fa390dbf8c4624
- 5858a659efe12743b4360da11e9320c7f6ac6e82

Fixes 0007586, 0015416
mod - adm_config_report.php
mod - adm_config_set.php
mod - core/constant_inc.php
mod - core/print_api.php

Issue History

Date Modified Username Field Change
2013-01-23 07:29 dregad New Issue
2013-01-23 07:29 dregad Status new => assigned
2013-01-23 07:29 dregad Assigned To => dregad
2013-01-23 07:29 dregad Relationship added related to 0015415
2013-01-23 07:30 dregad View Status public => private
2013-01-23 07:40 dregad Description Updated View Revisions
2013-01-23 07:41 dregad Changeset attached => MantisBT master-1.2.x 5858a659
2013-01-23 07:41 dregad Status assigned => resolved
2013-01-23 07:41 dregad Resolution open => fixed
2013-01-23 07:41 dregad Fixed in Version => 1.2.14
2013-01-23 07:44 dregad Note Added: 0034877
2013-01-23 07:44 dregad View Status private => public
2013-01-29 09:25 dregad Status resolved => closed
2013-03-08 11:05 dregad Changeset attached => MantisBT master 57f57409
2013-03-13 06:17 jayavel Issue cloned: 0015622
2013-04-05 17:56 grangeway Status closed => acknowledged
2013-04-05 17:56 grangeway Note Added: 0036072
2013-04-05 19:47 grangeway Relationship added related to 0015721
2013-04-06 03:38 dregad Status acknowledged => closed
2013-04-06 07:23 grangeway Status closed => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed
2013-04-09 09:19 dregad Note Added: 0036555
2013-04-09 09:19 dregad Summary XSS issue in adm_config_report.php when displaying complex value => CVE-2013-1934: XSS issue in adm_config_report.php when displaying complex value
2014-02-07 03:57 dregad Relationship added related to 0013298
2014-02-07 03:59 dregad Relationship deleted related to 0013298
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check