View Issue Details
| Field | Value |
|---|---|
| ID | 0017870 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2014-11-13 16:13 |
| Last Update | 2015-11-03 08:47 |
| Reporter | alex91ar |
| Assigned To | dregad |
| Priority | high |
| Severity | major |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Product Version | 1.2.13 |
| Target Version | 1.2.18 |
| Fixed in Version | 1.2.18 |
| Summary | 0017870: CVE-2014-8987: XSS in adm_config_report.php |
| Description | Hello there. It should be easily fixed by escaping the double quotes and "< >". Let me know if you need any other information. |
| Steps To Reproduce | This URL should be used in order to reproduce the issue: |
| Tags | No tags attached. |
Hi Alex, many thanks for the bug report. I'll investigate and let you know.

Hi there, thanks for your assistance.

I'm only asking to avoid sending multiple requests for the same issue, as it then becomes a source of confusion. So don't worry, I'll take care of it (in fact I prefer to do it myself so I'm sure that all relevant information is provided right from the start; it's easier than making changes afterwards). If you're interested in learning more about this process, see http://cve.mitre.org, including their FAQ.

OK, I can reproduce this in 1.2.x. The severity of the issue is mitigated by the fact that an attacker would need to be logged in with a high-privileged account (administrator by default) to access this page. On 1.3.x, browsers supporting Content Security Policy are not affected by this.

Alex, I'm preparing the CVE request; please let me know how you would like to be credited for this finding. http://permalink.gmane.org/gmane.comp.security.oss.general/14706

Hi there, an attacker would just need to download a copy of the software and install it in order to generate a link with the payload embedded. Regarding the CVE, I would like to be credited with my full name (Alejo Popovici). Thank you for everything, and I'll let you know if I find any other issues. Best regards,

Thanks for the positive feedback Alex, it's always nice to hear. I'm hoping to release 1.2.18 next week if all goes according to plan.

Patrice Morineau pointed out to me via e-mail that in the master branch, commit 1a49a780 does not implement the change as documented in the commit message; in fact it reapplied b509ab38 (use string_display_line()) instead. The issue is now properly (and hopefully definitively) fixed in b649c9c9. It is worth mentioning that string_display_line() does effectively protect against the XSS attack vector, provided that the relevant MantisBT Formatting plugin configuration (text processing) is set to ON.
MantisBT: master-1.2.x ee8100d6 2014-11-14 11:55
Fix 0017870: XSS in adm_config_report.php
Affected Issues: 0017870
mod - adm_config_report.php

MantisBT: master b509ab38 2014-11-14 11:55
Fix 0017870: XSS in adm_config_report.php
Affected Issues: 0017870
mod - adm_config_report.php

MantisBT: master-1.2.x 49c3d089 2014-11-14 11:55
Fix 0017870: XSS in adm_config_report.php This is the correct fix for this issue, using string_attribute() to escape the variable. Thanks to Paul Richards for pointing this out.
Affected Issues: 0017870
mod - adm_config_report.php

MantisBT: master 1a49a780 2014-11-14 11:55
Fix 0017870: XSS in adm_config_report.php This is the correct fix for this issue, using string_attribute() to escape the variable. Thanks to Paul Richards for pointing this out.
Affected Issues: 0017870
mod - adm_config_report.php

MantisBT: master-1.2.x 1bdc16e5 2014-11-15 05:36
Revert "Fix 0017870: XSS in adm_config_report.php" This reverts commit ee8100d6752b9c5dc0dd360a2d903211c5f9eba7. The wrong string API call was used, it should have been string_attribute() and not string_display_line(). Thanks to Paul Richards for pointing this out.
Affected Issues: 0017870
mod - adm_config_report.php

MantisBT: master b02557d8 2014-11-15 05:43
Revert "Fix 0017870: XSS in adm_config_report.php" This reverts commit b509ab380f91e84d9683dbfdb02206b88a9b86fb. The wrong string API call was used, it should have been string_attribute() and not string_display_line(). Thanks to Paul Richards for pointing this out.
Affected Issues: 0017870
mod - adm_config_report.php

MantisBT: master b649c9c9 2015-11-03 03:23
Fix 0017870: XSS in adm_config_report.php This is the *real* correct fix for this issue (i.e. using string_attribute() to escape the variable), which was supposed to have been fixed in commit 1a49a780a7881b6eb7a2384a432db072a5c6db79. Unfortunately, for some reason I somehow ended up redoing the same mistake of using string_display_line() again instead (see original fix b509ab380f91e84d9683dbfdb02206b88a9b86fb, reverted in b02557d88a2094330249dc06c2990184d2696372). It is worth mentioning that string_display_line() *does* protect against the XSS attack vector, provided that the relevant MantisBT Formatting plugin configuration (text processing) is set to ON. Thanks to Patrice Morineau for pointing this out.
Affected Issues: 0017870
mod - adm_config_report.php
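The fix history above turns on picking the escaping routine that matches the output context: a value placed inside an HTML attribute must have its quote characters neutralised, not just `<` and `>`. The following added example (not MantisBT code; the helper names `escape_text`, `escape_attribute`, `render_config_row` and `attribute_is_intact` are hypothetical stand-ins, not MantisBT's string_attribute() or string_display_line()) shows the difference on a constructed config value.

```php
<?php
// Added example, not MantisBT code. Demonstrates why text-context escaping is
// insufficient when a value is emitted inside an HTML attribute.

// Text-context escaping: only < > & are neutralised, quotes pass through.
// Adequate between tags, inadequate inside an attribute value.
function escape_text(string $s): string {
    return htmlspecialchars($s, ENT_NOQUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Attribute-context escaping: additionally neutralises " and ' so the value
// cannot close the attribute it is placed in.
function escape_attribute(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical renderer standing in for a config report row that echoes a
// stored value into a double-quoted attribute.
function render_config_row(string $value, callable $escape): string {
    return '<input type="text" value="' . $escape($value) . '">';
}

// Check: the rendered row must end with a single, unbroken value attribute,
// i.e. no raw double quote between the opening and closing quote.
function attribute_is_intact(string $html): bool {
    return preg_match('/ value="[^"]*">$/', $html) === 1;
}

// Constructed sample value containing a double quote (benign marker, no script).
$value = 'x" data-injected="1';

$weak = render_config_row($value, 'escape_text');
$hard = render_config_row($value, 'escape_attribute');

echo $weak, "\n";
// <input type="text" value="x" data-injected="1">   attribute boundary broken
echo $hard, "\n";
// <input type="text" value="x&quot; data-injected=&quot;1">   one attribute

var_dump(attribute_is_intact($weak)); // bool(false)
var_dump(attribute_is_intact($hard)); // bool(true)
```

The same check can be run over any template that echoes configuration values into attributes; a `false` result marks a spot where the text-context routine was used in an attribute context.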