View Issue Details

ID: 0017870
Project: mantisbt
Category: security
View Status: public
Last Update: 2015-11-03 08:47
Reporter: alex91ar
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.13
Target Version: 1.2.18
Fixed in Version: 1.2.18
Summary: 0017870: CVE-2014-8987: XSS in adm_config_report.php
Description

Hello there,
Today I bring you another security issue that I found while testing Mantis.
It seems that one of the parameters passed by GET to the application is not being sanitized before being reflected.

It should be easily fixed by escaping the double quotes and < >.

Let me know if you need any other information.
Best regards,
Alex.

Steps To Reproduce

This URL should be used in order to reproduce the issue:
/adm_config_report.php?config_option=%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E

Tags: No tags attached.

Relationships

Activities

dregad

2014-11-14 10:06

developer   ~0041837

Hi Alex,

Many thanks for the bug report. I'll investigate and let you know.
Did you reserve a CVE for this issue?

alex91ar

2014-11-14 10:13

reporter   ~0041838

Hi there,
No, I haven't reserved a CVE for this issue.
I'm wondering, is this something I should be doing? How is it done?
I also reported the captcha bypass issue, and I don't have a CVE for that one either.
I'm sorry, I'm very new to all this and I don't have a CVE yet.

Thanks for your assistance.
Best regards,
Alex.

dregad

2014-11-14 10:30

developer   ~0041839

I'm only asking to avoid sending multiple requests for the same issue, as it then becomes a source of confusion. So don't worry, I'll take care of it (in fact I prefer to do it myself so I'm sure that all relevant information is provided right from the start; it's easier than making changes afterwards).

If you're interested in learning more about this process, see http://cve.mitre.org including their FAQ.

dregad

2014-11-14 16:56

developer   ~0041840

Last edited: 2014-11-14 17:08

OK, I can reproduce this in 1.2.x.

Severity of the issue is mitigated by the fact that an attacker would need to be logged in with a high-privileged account (administrator by default) to access this page.

On 1.3.x, browsers supporting content security policy are not affected by this.

dregad

2014-11-14 17:20

developer   ~0041841

Last edited: 2014-11-14 17:34

Alex, I'm preparing the CVE request; please let me know how you would like to be credited for this finding.

http://permalink.gmane.org/gmane.comp.security.oss.general/14706

alex91ar

2014-11-15 09:07

reporter   ~0041857

Hi there,
Although it's true that it's mitigated in browsers that support content security policy, be careful because these can be bypassed.
Plus, the attacker would not need to be logged in with a high-privileged account, since the vector of attack would be to make an administrator click on a link, embedded with the malicious payload, by social engineering or other methods.

An attacker would just need to download a copy of the software and install it in order to generate a link with the payload embedded.

Regarding the CVE, I would like to be credited with my full name. (Alejo Popovici).

Thank you for everything, and I'll let you know if I find any other issues.
Let me tell you that you are by far the most responsive developer team that I've ever contacted. I have outstanding security bug reports from a month ago that haven't even been acknowledged yet.

Best regards,
Alex.

dregad

2014-11-20 02:52

developer   ~0041870

Thanks for the positive feedback Alex, it's always nice to hear.

I'm hoping to release 1.2.18 next week if all goes according to plan.

dregad

2015-11-03 08:47

developer   ~0051806

Patrice Morineau pointed out to me via e-mail that in the master branch, commit 1a49a780 does not implement the change as documented in its commit message; in fact it reapplied b509ab38 (use string_display_line()) instead.

The issue is now properly (and hopefully definitively) fixed in b649c9c9.

It is worth mentioning that string_display_line() does effectively protect against the XSS attack vector, provided that the relevant MantisBT Formatting plugin configuration (text processing) is set to ON.
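An added illustration of the point made in the Description above and in this note (this is example code written for this page, not MantisBT's own code and not its string_attribute() or string_display_line() implementation): encoding only < and > is enough when a value lands in a text node, but a value echoed inside a quoted HTML attribute must also have its double quotes encoded, otherwise the leading " in the reported payload closes the attribute early and the rest of the value becomes markup. The helper names escape_attribute(), escape_text_only() and value_stays_in_attribute() are assumptions for this example; the sample value is the percent-decoded payload from Steps To Reproduce.

```php
<?php
// Example code added for illustration; not MantisBT code.
// Constructed sample: the config_option payload from "Steps To Reproduce",
// as the server sees it after percent-decoding.
$config_option = '"><script>alert("XSS")</script>';

// Vulnerable pattern: the raw value is dropped into value="..." unescaped,
// which is the defect this issue reports.
function render_unescaped(string $value): string {
    return '<input type="text" name="config_option" value="' . $value . '" />';
}

// Insufficient fix: encodes < and > but leaves double quotes untouched.
// Adequate for text-node context, not for a quoted attribute, because the
// leading " still terminates value="..." early.
function escape_text_only(string $value): string {
    return htmlspecialchars($value, ENT_NOQUOTES, 'UTF-8');
}

// Attribute-context escaping (hypothetical helper, NOT MantisBT's
// string_attribute()): ENT_QUOTES makes htmlspecialchars() encode both
// " and ' in addition to &, < and >, so the value cannot leave the attribute.
function escape_attribute(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

function render_escaped(string $value): string {
    return '<input type="text" name="config_option" value="'
        . escape_attribute($value) . '" />';
}

// Review check: the rendered element must still be a single <input> whose
// value attribute contains no raw double quote, i.e. the value stayed inside
// the attribute and produced no new markup.
function value_stays_in_attribute(string $html): bool {
    $pattern = '/^<input type="text" name="config_option" value="[^"]*" \/>$/';
    return preg_match($pattern, $html) === 1;
}

$cases = [
    'unescaped'    => render_unescaped($config_option),
    'ENT_NOQUOTES' => '<input type="text" name="config_option" value="'
                      . escape_text_only($config_option) . '" />',
    'ENT_QUOTES'   => render_escaped($config_option),
];

foreach ($cases as $label => $html) {
    printf("%-13s contained=%s  %s\n",
        $label, value_stays_in_attribute($html) ? 'yes' : 'NO ', $html);
}
```

Run with `php` on the command line: only the ENT_QUOTES case passes the check. The ENT_NOQUOTES case is the trap the revert commits below describe: the output looks partially encoded (&lt;script&gt;), yet the unencoded quotes still let the value break out of the attribute, which is why a text-context escaper is the wrong API for attribute output.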

Related Changesets

MantisBT: master-1.2.x ee8100d6

2014-11-14 16:55:47

dregad

Fix 0017870: XSS in adm_config_report.php
mod - adm_config_report.php

MantisBT: master b509ab38

2014-11-14 16:55:47

dregad

Fix 0017870: XSS in adm_config_report.php
mod - adm_config_report.php

MantisBT: master-1.2.x 49c3d089

2014-11-14 16:55:47

dregad

Fix 0017870: XSS in adm_config_report.php

This is the correct fix for this issue, using string_attribute() to
escape the variable. Thanks to Paul Richards for pointing this out.
mod - adm_config_report.php

MantisBT: master 1a49a780

2014-11-14 16:55:47

dregad

Fix 0017870: XSS in adm_config_report.php

This is the correct fix for this issue, using string_attribute() to
escape the variable. Thanks to Paul Richards for pointing this out.
mod - adm_config_report.php

MantisBT: master-1.2.x 1bdc16e5

2014-11-15 10:36:28

dregad

Revert "Fix 0017870: XSS in adm_config_report.php"

This reverts commit ee8100d6752b9c5dc0dd360a2d903211c5f9eba7.

The wrong string API call was used, it should have been
string_attribute() and not string_display_line(). Thanks to
Paul Richards for pointing this out.
mod - adm_config_report.php

MantisBT: master b02557d8

2014-11-15 10:43:20

dregad

Revert "Fix 0017870: XSS in adm_config_report.php"

This reverts commit b509ab380f91e84d9683dbfdb02206b88a9b86fb.

The wrong string API call was used, it should have been
string_attribute() and not string_display_line(). Thanks to
Paul Richards for pointing this out.
mod - adm_config_report.php

MantisBT: master b649c9c9

2015-11-03 08:23:50

dregad

Fix 0017870: XSS in adm_config_report.php

This is the *real* correct fix for this issue (i.e. using string_attribute()
to escape the variable), which was supposed to have been fixed in commit
1a49a780a7881b6eb7a2384a432db072a5c6db79.

Unfortunately, for some reason I somehow ended up redoing the same
mistake of using string_display_line() again instead (see original fix
b509ab380f91e84d9683dbfdb02206b88a9b86fb, reverted in
b02557d88a2094330249dc06c2990184d2696372).

It is worth mentioning that string_display_line() *does* protect against
the XSS attack vector, provided that the relevant MantisBT Formatting
plugin configuration (text processing) is set to ON.

Thanks to Patrice Morineau for pointing this out.
mod - adm_config_report.php

Issue History

Date Modified Username Field Change
2014-11-13 16:13 alex91ar New Issue
2014-11-14 10:06 dregad Note Added: 0041837
2014-11-14 10:06 dregad Assigned To => dregad
2014-11-14 10:06 dregad Status new => acknowledged
2014-11-14 10:06 dregad Target Version => 1.2.18
2014-11-14 10:13 alex91ar Note Added: 0041838
2014-11-14 10:30 dregad Note Added: 0041839
2014-11-14 16:56 dregad Note Added: 0041840
2014-11-14 16:56 dregad Status acknowledged => confirmed
2014-11-14 16:56 dregad Product Version 1.2.17 => 1.2.13
2014-11-14 16:57 dregad Note Edited: 0041840 View Revisions
2014-11-14 17:08 dregad Note Edited: 0041840 View Revisions
2014-11-14 17:10 dregad Changeset attached => MantisBT master-1.2.x ee8100d6
2014-11-14 17:10 dregad Status confirmed => resolved
2014-11-14 17:10 dregad Resolution open => fixed
2014-11-14 17:10 dregad Fixed in Version => 1.2.18
2014-11-14 17:11 dregad Changeset attached => MantisBT master b509ab38
2014-11-14 17:20 dregad Note Added: 0041841
2014-11-14 17:32 dregad View Status private => public
2014-11-14 17:34 dregad Note Edited: 0041841 View Revisions
2014-11-15 09:07 alex91ar Note Added: 0041857
2014-11-15 11:08 dregad Changeset attached => MantisBT master-1.2.x 1bdc16e5
2014-11-15 11:08 dregad Changeset attached => MantisBT master-1.2.x 49c3d089
2014-11-15 11:08 dregad Changeset attached => MantisBT master b02557d8
2014-11-15 11:08 dregad Changeset attached => MantisBT master 1a49a780
2014-11-20 02:52 dregad Note Added: 0041870
2014-11-20 02:52 dregad Summary Security Issue: Cross-Site Scripting. => CVE-2014-8987: XSS in adm_config_report.php
2014-12-05 18:33 dregadmin Status resolved => closed
2015-11-03 08:43 dregad Changeset attached => MantisBT master b649c9c9
2015-11-03 08:47 dregad Note Added: 0051806