MantisBT

View Issue Details
ID: 0015416
Project: mantisbt
Category: security
View Status: public
Date Submitted: 2013-01-23 07:29
Last Update: 2014-09-23 18:05
Reporter: dregad
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform / OS / OS Version: not set
Product Version: 1.2.0rc1
Target Version: 1.2.14
Fixed in Version: 1.2.14
Summary: 0015416: CVE-2013-1934: XSS issue in adm_config_report.php when displaying complex value
Description:
Lack of proper string escaping allows users (having admin access) to enter arbitrary javascript code and have it executed on the user's browser.

This vulnerability exists since 1.2.0rc1 (possibly before), but is mitigated by the fact that normally only administrators have access to this page, and so would hopefully know what they are doing when entering values in the system.
Steps To Reproduce:
- go to adm_config_report.php page
- Add a 'complex' config option like this:
  array('test <script>alert ("XSS")</script>')
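The defect class described above, as an added PHP illustration that is not MantisBT's own code: a report page rendering a 'complex' (array) config value straight into HTML, beside the same rendering with the serialised value escaped for an HTML text context. The function names are assumed for the illustration; the sample value is the one from the steps above.

```php
<?php
// Added illustration (not MantisBT code): how an unescaped 'complex' config
// value becomes live markup on a report page, and the escaped alternative.

// Constructed sample, taken from the "Steps To Reproduce" section.
$value = array('test <script>alert ("XSS")</script>');

// Produce the PHP-literal text an administrator sees for a complex value.
// var_export() does no HTML escaping; it only serialises the structure.
function serialise_complex($value)
{
    return var_export($value, true);
}

// Defective rendering: the serialised text is emitted verbatim inside the
// page body, so any markup stored in the value is parsed as markup.
function render_complex_unsafe($value)
{
    return '<pre>' . serialise_complex($value) . '</pre>';
}

// Hardened rendering: escape for an HTML text context before output.
// ENT_QUOTES covers both quote styles; the explicit charset avoids
// encoding-dependent edge cases in the escaper.
function render_complex_safe($value)
{
    $text = htmlspecialchars(serialise_complex($value), ENT_QUOTES, 'UTF-8');
    return '<pre>' . $text . '</pre>';
}

// Regression-style check: a rendered report must never contain a raw
// '<script' token that originated from stored configuration data.
function contains_raw_script($html)
{
    return stripos($html, '<script') !== false;
}

echo "unsafe: ", render_complex_unsafe($value), "\n";
echo "safe:   ", render_complex_safe($value), "\n";
var_dump(contains_raw_script(render_complex_unsafe($value)));
var_dump(contains_raw_script(render_complex_safe($value)));
```

The same check can be applied to any page that prints stored configuration, since the escaping requirement depends on the output context, not on who is allowed to write the value.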

Tags: No tags attached.
Attached Files: (none)

- Relationships
related to 0015415 (closed, dregad): CVE-2013-1932: XSS vulnerability on Configuration Report page
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

- Notes

Note 0034877 - dregad (developer) - 2013-01-23 07:44

master will be patched later when porting of the manage-config branch is completed.

Note 0036072 - grangeway (reporter) - 2013-04-05 17:56

Marking as 'acknowledged' not resolved/closed to track that the change gets ported to master-2.0.x branch

Note 0036555 - dregad (developer) - 2013-04-09 09:19

CVE assigned on 09-Apr-2013 [1]

[1] http://article.gmane.org/gmane.comp.security.oss.general/9901

- Related Changesets

MantisBT: master-1.2.x 5858a659
Timestamp: 2013-01-23 12:37:56
Author: dregad

Fix 0015416: XSS issue in adm_config_report.php

If a 'complex' config option contains javascript code, it would be
executed when displaying the page.

mod - adm_config_report.php

MantisBT: master 57f57409
Timestamp: 2013-03-08 16:01:17
Author: dregad

Make it possible to edit config options in adm_config_report.php

Use CONFIG_TYPE_xxx constants instead of magic strings to define the
type of config value to process.

Added code for FLOAT type which was previously handled through COMPLEX.

Improve handling of INT (and FLOAT) by calling constant_replace(),
allowing user to specify a defined constant instead of a numeric value.

The 'Username', 'Project Name' and 'Configuration Option' fields in the
'Set Configuration Option' form are preset to the corresponding value
from the filter or defaulting to ALL_USERS, ALL_PROJECTS and blank
respectively if the filter is not defined or set to '[any]'. This allows
easier definition of related config, e.g. for a given project or user.

Port of 1.2.x commits
- 8890b218892d56947e6ffe300d0186b1450d0481
- 8b426cfc6c6ea7149beeafb352fa390dbf8c4624
- 5858a659efe12743b4360da11e9320c7f6ac6e82

Fixes 0007586, 0015416

mod - adm_config_report.php
mod - adm_config_set.php
mod - core/constant_inc.php
mod - core/print_api.php

- Issue History
Date Modified Username Field Change
2013-01-23 07:29 dregad New Issue
2013-01-23 07:29 dregad Status new => assigned
2013-01-23 07:29 dregad Assigned To => dregad
2013-01-23 07:29 dregad Relationship added related to 0015415
2013-01-23 07:30 dregad View Status public => private
2013-01-23 07:40 dregad Description Updated
2013-01-23 07:41 dregad Changeset attached => MantisBT master-1.2.x 5858a659
2013-01-23 07:41 dregad Status assigned => resolved
2013-01-23 07:41 dregad Resolution open => fixed
2013-01-23 07:41 dregad Fixed in Version => 1.2.14
2013-01-23 07:44 dregad Note Added: 0034877
2013-01-23 07:44 dregad View Status private => public
2013-01-29 09:25 dregad Status resolved => closed
2013-03-08 11:05 dregad Changeset attached => MantisBT master 57f57409
2013-03-13 06:17 jayavel Issue cloned: 0015622
2013-04-05 17:56 grangeway Status closed => acknowledged
2013-04-05 17:56 grangeway Note Added: 0036072
2013-04-05 19:47 grangeway Relationship added related to 0015721
2013-04-06 03:38 dregad Status acknowledged => closed
2013-04-06 07:23 grangeway Status closed => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed
2013-04-09 09:19 dregad Note Added: 0036555
2013-04-09 09:19 dregad Summary XSS issue in adm_config_report.php when displaying complex value => CVE-2013-1934: XSS issue in adm_config_report.php when displaying complex value
2014-02-07 03:57 dregad Relationship added related to 0013298
2014-02-07 03:59 dregad Relationship deleted related to 0013298
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check


MantisBT 1.2.17
Copyright © 2000 - 2014 MantisBT Team