2016-08-27 02:21 EDT

Issue Details

ID: 0017870
Project: mantisbt
Category: security
View Status: public
Last Update: 2015-11-03 08:47
Reporter: alex91ar
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.13
Target Version: 1.2.18
Fixed in Version: 1.2.18
Summary: 0017870: CVE-2014-8987: XSS in adm_config_report.php
Description:
Hello there,
Today I bring you another security issue that I found while testing Mantis.
It seems that one of the parameters passed by GET to the application is not being sanitized before being reflected.

It should be easily fixed by escaping the double quotes and "< >".

Let me know if you need any other information.
Best regards,
Alex.
Steps To Reproduce:
This URL should be used in order to reproduce the issue:
/adm_config_report.php?config_option=%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E
Tags: No tags attached.
Attached Files:


Notes
~0041837 dregad (developer)

Hi Alex,

Many thanks for the bug report. I'll investigate and let you know.
Did you reserve a CVE for this issue?
~0041838 alex91ar (reporter)

Hi there,
No, I haven't reserved a CVE for this issue.
I'm wondering, is this something I should be doing? How is it done?
I also reported the captcha bypass issue, and I don't have a CVE for that one either.
I'm sorry I'm very new to all this and I don't have a CVE yet.

Thanks for your assistance.
Best regards,
Alex.
~0041839 dregad (developer)

I'm only asking to avoid sending multiple requests for the same issue as it then becomes a source of confusion. So don't worry, I'll take care of it (in fact I prefer to do it myself so I'm sure that all relevant information is provided right from the start, it's easier than making changes afterwards).

If you're interested in learning more about this process, see http://cve.mitre.org including their FAQ.
~0041840 dregad (developer)
Last edited: 2014-11-14 17:08

OK, I can reproduce this in 1.2.x.

Severity of issue is mitigated by the fact that attacker would need to be logged in with a high-privileged account (administrator by default) to access this page.

On 1.3.x, browsers supporting content security policy are not affected by this.

~0041841 dregad (developer)
Last edited: 2014-11-14 17:34

Alex, I'm preparing the CVE request; please let me know how you would like to be credited for this finding.

http://permalink.gmane.org/gmane.comp.security.oss.general/14706

~0041857 alex91ar (reporter)

Hi there,
Although it's true that it's mitigated in browsers that support content security policy, be careful because these can be bypassed.
Plus, the attacker would not need to be logged in with a high-privileged account, since the vector of attack would be to make an administrator click on a link, by social engineering or other methods, that has the malicious payload embedded in it.

An attacker would just need to download a copy of the software, install it in order to generate a link with the payload embedded.

Regarding the CVE, I would like to be credited with my full name. (Alejo Popovici).

Thank you for everything, and I'll let you know if I find any other issues.
Let me tell you that you are by far the most responsive developer team that I've ever contacted. I have outstanding security bug reports for a month that haven't even been acknowledged yet.

Best regards,
Alex.
~0041870 dregad (developer)

Thanks for the positive feedback Alex, it's always nice to hear.

I'm hoping to release 1.2.18 next week if all goes according to plan.
~0051806 dregad (developer)

Patrice Morineau pointed out to me via e-mail that, in the master branch, commit 1a49a780 does not implement the change as documented in the commit message; in fact it reapplied b509ab38 (use string_display_line()) instead.

Issue is now properly (and hopefully definitively) fixed in b649c9c9.

It is worth mentioning that string_display_line() *does* effectively protect against the XSS attack vector, provided that the relevant MantisBT Formatting plugin configuration (text processing) is set to ON.
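The following is an added example, not part of the bug report, the notes above, or MantisBT's code base. It illustrates the point running through the report and the fix history: the reflected config_option value lands inside a double-quoted HTML attribute, so the escaping call has to be the one for attribute context (the role string_attribute() plays in the fix). It is written in Python rather than the project's PHP. The `<input>` markup is an assumed stand-in for the real adm_config_report.php template, `html.escape(..., quote=True)` stands in for string_attribute(), the "text-only" variant is an illustration of a context mismatch and not a description of what string_display_line() does, and the second payload is constructed for this example. The code decodes the reproduction URL from the report, renders it three ways, and uses the standard-library HTML tokenizer to check whether the value escaped the attribute it was meant to stay inside.

```python
"""
Reflected XSS in an HTML attribute, and why the escaping routine must
match the output context. Added example, not MantisBT's code: the
<input> markup below is an assumed stand-in for the config_option filter
field in adm_config_report.php, and html.escape(..., quote=True) plays
the role that string_attribute() plays in the real fix.
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Reproduction URL exactly as given in the bug report.
REPRO_URL = ("/adm_config_report.php?config_option="
             "%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E")

# Constructed second payload (not from the report): it contains no '<'
# or '>' at all; a single double quote is enough to close the attribute
# and smuggle in an event-handler attribute.
ATTR_ONLY_PAYLOAD = '" onfocus="alert(1)" autofocus="'

# The only attributes the assumed template is supposed to emit.
EXPECTED_ATTRS = {"type", "name", "value"}


def config_option_from_url(url: str) -> str:
    """Decode the config_option query parameter the way $_GET would."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("config_option", [""])[0]


def render_vulnerable(config_option: str) -> str:
    """Pre-fix behaviour: the GET parameter is reflected unescaped."""
    return f'<input type="text" name="config_option" value="{config_option}">'


def render_text_escaped(config_option: str) -> str:
    """Wrong tool for the context: escapes & < > but leaves quotes alone.
    Illustrative only; not a claim about how string_display_line() works."""
    escaped = html.escape(config_option, quote=False)
    return f'<input type="text" name="config_option" value="{escaped}">'


def render_fixed(config_option: str) -> str:
    """Attribute-context escaping: & < > " and ' are all encoded."""
    escaped = html.escape(config_option, quote=True)
    return f'<input type="text" name="config_option" value="{escaped}">'


class _TagCollector(HTMLParser):
    """Collect (tag, attributes) pairs as a browser's tokenizer would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str):
    """Tokenize markup and return the list of (tag, {attr: value}) pairs."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def is_injected(markup: str) -> bool:
    """True if the page contains anything beyond the single expected <input>
    with exactly its three attributes, i.e. the reflected value broke out
    of the attribute it was supposed to stay inside."""
    tags = parse_tags(markup)
    if len(tags) != 1:
        return True
    tag, attrs = tags[0]
    return tag != "input" or set(attrs) != EXPECTED_ATTRS


if __name__ == "__main__":
    page_payload = config_option_from_url(REPRO_URL)
    renderers = (("vulnerable", render_vulnerable),
                 ("text-escaped", render_text_escaped),
                 ("fixed", render_fixed))
    for name, render in renderers:
        print(f"{name:13s} report payload: injected={is_injected(render(page_payload))}")
        print(f"{name:13s} quote payload:  injected={is_injected(render(ATTR_ONLY_PAYLOAD))}")
```

Run directly, it prints a verdict per variant and payload. The text-only variant blunts the report's `<script>` payload because `<` and `>` are encoded, yet it still lets the quote-only payload add `onfocus` and `autofocus` attributes, which is exactly the gap a wrong-context escaping call leaves open; the attribute-context variant keeps both payloads inert and, as the parsed `value` attribute shows, does so without losing the submitted string.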

Related Changesets

MantisBT: master-1.2.x ee8100d6
Timestamp: 2014-11-14 16:55:47
Author: dregad
Fix 0017870: XSS in adm_config_report.php
mod - adm_config_report.php

MantisBT: master b509ab38
Timestamp: 2014-11-14 16:55:47
Author: dregad
Fix 0017870: XSS in adm_config_report.php
mod - adm_config_report.php

MantisBT: master-1.2.x 49c3d089
Timestamp: 2014-11-14 16:55:47
Author: dregad
Fix 0017870: XSS in adm_config_report.php

This is the correct fix for this issue, using string_attribute() to
escape the variable. Thanks to Paul Richards for pointing this out.
mod - adm_config_report.php

MantisBT: master 1a49a780
Timestamp: 2014-11-14 16:55:47
Author: dregad
Fix 0017870: XSS in adm_config_report.php

This is the correct fix for this issue, using string_attribute() to
escape the variable. Thanks to Paul Richards for pointing this out.
mod - adm_config_report.php

MantisBT: master-1.2.x 1bdc16e5
Timestamp: 2014-11-15 10:36:28
Author: dregad
Revert "Fix 0017870: XSS in adm_config_report.php"

This reverts commit ee8100d6752b9c5dc0dd360a2d903211c5f9eba7.

The wrong string API call was used, it should have been
string_attribute() and not string_display_line(). Thanks to
Paul Richards for pointing this out.
mod - adm_config_report.php

MantisBT: master b02557d8
Timestamp: 2014-11-15 10:43:20
Author: dregad
Revert "Fix 0017870: XSS in adm_config_report.php"

This reverts commit b509ab380f91e84d9683dbfdb02206b88a9b86fb.

The wrong string API call was used, it should have been
string_attribute() and not string_display_line(). Thanks to
Paul Richards for pointing this out.
mod - adm_config_report.php

MantisBT: master b649c9c9
Timestamp: 2015-11-03 08:23:50
Author: dregad
Fix 0017870: XSS in adm_config_report.php

This is the *real* correct fix for this issue (i.e. using string_attribute()
to escape the variable), which was supposed to have been fixed in commit
1a49a780a7881b6eb7a2384a432db072a5c6db79.

Unfortunately, for some reason I somehow ended up redoing the same
mistake of using string_display_line() again instead (see original fix
b509ab380f91e84d9683dbfdb02206b88a9b86fb, reverted in
b02557d88a2094330249dc06c2990184d2696372).

It is worth mentioning that string_display_line() *does* protect against
the XSS attack vector, provided that the relevant MantisBT Formatting
plugin configuration (text processing) is set to ON.

Thanks to Patrice Morineau for pointing this out.
mod - adm_config_report.php


Issue History
Date Modified Username Field Change
2014-11-13 16:13 alex91ar New Issue
2014-11-14 10:06 dregad Note Added: 0041837
2014-11-14 10:06 dregad Assigned To => dregad
2014-11-14 10:06 dregad Status new => acknowledged
2014-11-14 10:06 dregad Target Version => 1.2.18
2014-11-14 10:13 alex91ar Note Added: 0041838
2014-11-14 10:30 dregad Note Added: 0041839
2014-11-14 16:56 dregad Note Added: 0041840
2014-11-14 16:56 dregad Status acknowledged => confirmed
2014-11-14 16:56 dregad Product Version 1.2.17 => 1.2.13
2014-11-14 16:57 dregad Note Edited: 0041840 View Revisions
2014-11-14 17:08 dregad Note Edited: 0041840 View Revisions
2014-11-14 17:10 dregad Changeset attached => MantisBT master-1.2.x ee8100d6
2014-11-14 17:10 dregad Status confirmed => resolved
2014-11-14 17:10 dregad Resolution open => fixed
2014-11-14 17:10 dregad Fixed in Version => 1.2.18
2014-11-14 17:11 dregad Changeset attached => MantisBT master b509ab38
2014-11-14 17:20 dregad Note Added: 0041841
2014-11-14 17:32 dregad View Status private => public
2014-11-14 17:34 dregad Note Edited: 0041841 View Revisions
2014-11-15 09:07 alex91ar Note Added: 0041857
2014-11-15 11:08 dregad Changeset attached => MantisBT master-1.2.x 1bdc16e5
2014-11-15 11:08 dregad Changeset attached => MantisBT master-1.2.x 49c3d089
2014-11-15 11:08 dregad Changeset attached => MantisBT master b02557d8
2014-11-15 11:08 dregad Changeset attached => MantisBT master 1a49a780
2014-11-20 02:52 dregad Note Added: 0041870
2014-11-20 02:52 dregad Summary Security Issue: Cross-Site Scripting. => CVE-2014-8987: XSS in adm_config_report.php
2014-12-05 18:33 dregadmin Status resolved => closed
2015-11-03 08:43 dregad Changeset attached => MantisBT master b649c9c9
2015-11-03 08:47 dregad Note Added: 0051806