View Issue Details

ID: 0020956
Project: mantisbt
Category: security
View Status: public
Last Update: 2016-08-15 09:02
Reporter: kacperszurek
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.19
Target Version: 1.2.20
Fixed in Version: 1.2.20
Summary: 0020956: CVE-2016-5364: Reflected XSS inside manage_custom_field_edit_page.php
Description

$_GET['return'] is not properly escaped inside manage_custom_field_edit_page.php.

strip_tags() function doesn't strip incomplete HTML tags, for example " accesskey="X" onclick="alert(1).

$f_return   = strip_tags( gpc_get_string( 'return', 'manage_custom_field_page.php' ) );
<input type="hidden" name="return" value="<?php echo $f_return ?>" />

Also print_bracket_link() function doesn't check if link is data: or javascript:.

There are two ways to exploit this issue.

First using accesskey inside hidden input field - see http://blog.portswigger.net/2015/11/xss-in-hidden-input-fields.html.

Second using javascript: URL which will be displayed on manage_custom_field_update.php as javascript:alert('XSS'); and, when clicked by the user, executed as JS.

Steps To Reproduce

XSS will be visible for Administrator and needs user interaction.

http://mantis/manage_custom_field_edit_page.php?field_id=1&return="; accesskey="X" onclick="alert(1)

or

http://mantis/manage_custom_field_edit_page.php?field_id=1&return=javascript:alert(%27XSS%27);

Additional Information

If issue is valid please credit me as:

Kacper Szurek
http://security.szurek.pl/

Tags: No tags attached.

Relationships

related to 0004044 closed int2str Cross Site Scripting Vulnerability
has duplicate 0021090 closed dregad CVE-2016-5364: Reflected XSS inside manage_custom_field_edit_page.php

Activities

dregad

2016-05-27 09:50

developer   ~0053226

Thank you Kacper for reporting this security issue in a detailed, professional way.

I confirm that the vulnerability also exists in 1.3.x branch, up to latest HEAD.

The accesskey attack vector is easy to fix, calling string_attribute() when echoing the form variable. According to git blame, unescaped echoing was introduced in 1.0.0 (MantisBT 81ad05d4c9a057fce9fbcceae186bd2392f7a691; MantisBT master 51f52b67 escaped one occurrence, but missed the other).

The second one requires sanitizing the URL when generating the [Proceed] link, to make sure we don't process javascript URI schemes. Taking this one step further, we should apply the same logic used for redirection URLs (see also 0017648 and 0017648).

I will post a patch shortly, and would appreciate if you could take the time to test and confirm it correctly addresses the vulnerability you reported.
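
The two fixes described in this note, as an added PHP example that is not part of the issue or of MantisBT's code: attr_escape() and safe_return_url() are hypothetical helpers standing in for attribute escaping and URL sanitizing, and the sample values are the ones quoted in the report.

```php
<?php
// Added example, not MantisBT code. attr_escape() and safe_return_url() are
// hypothetical stand-ins for the escaping and URL-sanitizing steps above.

// Escape a value for output inside a quoted HTML attribute.
function attr_escape( string $p_value ): string {
	return htmlspecialchars( $p_value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

// Allow only local relative targets. Anything with a URI scheme
// (javascript:, data:, http:, ...) or a "//host" prefix becomes the default.
function safe_return_url( string $p_url, string $p_default = 'index.php' ): string {
	// Browsers skip whitespace and control characters while parsing a
	// scheme, so remove them before testing.
	$t_url = (string)preg_replace( '/[\x00-\x20]+/', '', $p_url );
	if( $t_url === '' ) {
		return $p_default;
	}
	if( preg_match( '#^[a-z][a-z0-9+.\-]*:#i', $t_url ) ) {
		return $p_default;
	}
	if( preg_match( '#^[/\\\\]{2}#', $t_url ) ) {
		return $p_default;
	}
	return $t_url;
}

// Values taken from the report: the default target and the two payloads.
$t_samples = array(
	'manage_custom_field_page.php',
	'"; accesskey="X" onclick="alert(1)',
	"javascript:alert('XSS');",
);

foreach( $t_samples as $t_raw ) {
	// strip_tags() finds no complete tag in any sample and returns it unchanged.
	$t_stripped = strip_tags( $t_raw );
	echo 'unescaped: <input type="hidden" name="return" value="' . $t_stripped . '" />' . "\n";
	echo 'escaped:   <input type="hidden" name="return" value="' . attr_escape( $t_stripped ) . '" />' . "\n";
	echo 'href:      ' . attr_escape( safe_return_url( $t_raw ) ) . "\n\n";
}
```

Run from the command line, the "unescaped" line for the second sample shows the value attribute closing early and the extra attributes landing on the input element, while the "href" line for the third sample falls back to index.php.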

dregad

2016-05-27 09:56

developer  

0001-Fix-XSS-in-custom-fields-management.patch (2,764 bytes)
From c7f760f5e38723cd3ffdc9e8b269863bbd97bf92 Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Fri, 27 May 2016 11:39:58 +0200
Subject: [PATCH] Fix XSS in custom fields management

Kacper Szurek (http://security.szurek.pl/) discovered an XSS
vulnerability in Custom fields management pages, caused by unescaped
output of 'return URL' GPC parameter. His report describes two ways to
exploit this issue:

1. using 'accesskey' inside hidden input field (see [1]) reflects XSS to
   the administrator in manage_custom_field_edit_page.php when the
   keyboard shortcut is actioned
2. using 'javascript:' URI scheme executes the code when the user clicks
   the [Proceed] link on manage_custom_field_update.php after updating
   a custom field

This commit fixes both attack vectors:

- properly escape the return URL prior to printing it on the hidden form
  field
- let html_operation_successful() sanitize the URL before displaying
  it, just like html_meta_redirect() does. In this case, if the
  string contains an URI scheme, it will be replaced by 'index.php'

[1] http://blog.portswigger.net/2015/11/xss-in-hidden-input-fields.html

Fixes #20956
---
 core/html_api.php                 | 2 +-
 manage_custom_field_edit_page.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/html_api.php b/core/html_api.php
index b8a3ac3..55696e3 100644
--- a/core/html_api.php
+++ b/core/html_api.php
@@ -647,7 +647,7 @@ function html_operation_successful( $p_redirect_url, $p_message = '' ) {
 	}
 
 	echo lang_get( 'operation_successful' ).'<br />';
-	print_bracket_link( $p_redirect_url, lang_get( 'proceed' ) );
+	print_bracket_link( string_sanitize_url( $p_redirect_url ), lang_get( 'proceed' ) );
 	echo '</div>';
 }
 
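Review bot: print_bracket_link() itself still accepts any URI scheme, so the string_sanitize_url() call added at the changed line protects only html_operation_successful(). The report points out that print_bracket_link() does not check for data: or javascript: links; consider adding a scheme check there, or auditing every caller that passes a request-derived URL, so that a new caller does not reintroduce the same sink. A short comment on html_operation_successful() stating that $p_redirect_url is untrusted would also help.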
diff --git a/manage_custom_field_edit_page.php b/manage_custom_field_edit_page.php
index 008d457..b29cfd6 100644
--- a/manage_custom_field_edit_page.php
+++ b/manage_custom_field_edit_page.php
@@ -73,7 +73,7 @@ $t_definition = custom_field_get_definition( $f_field_id );
 			<legend><span><?php echo lang_get( 'edit_custom_field_title' ) ?></span></legend>
 			<?php echo form_security_field( 'manage_custom_field_update' ); ?>
 			<input type="hidden" name="field_id" value="<?php echo $f_field_id ?>" />
-			<input type="hidden" name="return" value="<?php echo $f_return ?>" />
+			<input type="hidden" name="return" value="<?php echo string_attribute( $f_return ); ?>" />
 			<div class="field-container">
 				<label for="custom-field-name"><span><?php echo lang_get( 'custom_field_name' ) ?></span></label>
 				<span class="input"><input type="text" id="custom-field-name" name="name" size="32" maxlength="64" value="<?php echo string_attribute( $t_definition['name'] ) ?>" /></span>
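Review bot: the field_id hidden input in the context line directly above the change still echoes $f_field_id without string_attribute(). That is safe if $f_field_id is read with an integer accessor, but the hunk does not show how it is obtained; either confirm that or escape it too, so that every value attribute in this form goes through string_attribute() the way the return and custom-field-name inputs now do.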
-- 
1.9.1

dregad

2016-05-31 11:35

developer   ~0053240

Feedback received by e-mail

---------- Forwarded message ----------
From: Kacper Szurek
Date: 29 May 2016 at 20:03

Hi!

Those changes look good for 1.3 rc version.

Did you plan to make a fix for 1.2.19?

Cheers,
Kacper

2016-05-29 14:26 GMT+02:00 Damien Regad wrote:

Hello,

Not sure if you saw my earlier note on the issue you reported [1], would appreciate your feedback if you could test the proposed fix and hopefully confirm it does address the vulnerability.

As we're currently being targeted by spammers, we had to temporarily set our issue tracker to read-only for reporters. Feel free to respond by e-mail.

Cheers,
Damien

[1] https://www.mantisbt.org/bugs/view.php?id=20956#c53226
dregad

2016-05-31 11:36

developer   ~0053241

Did you plan to make a fix for 1.2.19?

Yes I will backport it.

I'll request a CVE and make the issue public next week as time allows. You will get proper credit of course.

dregad

2016-06-06 18:28

developer  

0001-Fix-XSS-in-custom-fields-management-12x.patch (4,057 bytes)
From 5068df2dcf79c34741c746c9b27e0083f2a374da Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Tue, 7 Jun 2016 00:25:37 +0200
Subject: [PATCH] Fix XSS in custom fields management

Kacper Szurek (http://security.szurek.pl/) discovered an XSS
vulnerability in Custom fields management pages, caused by unescaped
output of 'return URL' GPC parameter. His report describes two ways to
exploit this issue:

1. using 'accesskey' inside hidden input field (see [1]) reflects XSS to
   the administrator in manage_custom_field_edit_page.php when the
   keyboard shortcut is actioned
2. using 'javascript:' URI scheme executes the code when the user clicks
   the [Proceed] link on manage_custom_field_update.php after updating
   a custom field

This commit fixes both attack vectors:

- properly escape the return URL prior to printing it on the hidden form
  field
- let html_operation_successful() sanitize the URL before displaying
  it, just like html_meta_redirect() does. In this case, if the
  string contains an URI scheme, it will be replaced by 'index.php'

[1] http://blog.portswigger.net/2015/11/xss-in-hidden-input-fields.html

Fixes #20956

This is a backport from master 3f2779b4c6dc8d465fb73c08cfa1d806184d2e79.
---
 account_prefs_update.php         | 2 +-
 manage_config_revert.php         | 2 +-
 manage_custom_field_delete.php   | 2 +-
 manage_custom_field_update.php   | 2 +-
 print_all_bug_options_update.php | 2 +-
 set_project.php                  | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/account_prefs_update.php b/account_prefs_update.php
index 672c65b..74e5665 100644
--- a/account_prefs_update.php
+++ b/account_prefs_update.php
@@ -115,6 +115,6 @@
 	echo lang_get( 'operation_successful' );
 
 	echo '<br />';
-	print_bracket_link( $f_redirect_url, lang_get( 'proceed' ) );
+	print_bracket_link( string_sanitize_url( $f_redirect_url ), lang_get( 'proceed' ) );
 	echo '<br /></div>';
 	html_page_bottom();
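Review bot: the string_sanitize_url() wrapper at the changed print_bracket_link() call is repeated by hand here and in five other files, whereas the master patch made the change once in html_operation_successful(). Per-call-site fixes are easy to miss on the next page that prints a [Proceed] link; consider a shared helper on 1.2.x, or at least a comment at print_bracket_link() stating that callers must sanitize request-derived URLs.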
diff --git a/manage_config_revert.php b/manage_config_revert.php
index 8c2d029..69bc0bd 100644
--- a/manage_config_revert.php
+++ b/manage_config_revert.php
@@ -65,7 +65,7 @@
 <div align="center">
 <?php
 	echo lang_get( 'operation_successful' ).'<br />';
-	print_bracket_link( $t_redirect_url, lang_get( 'proceed' ) );
+	print_bracket_link( string_sanitize_url( $t_redirect_url ), lang_get( 'proceed' ) );
 ?>
 </div>
 
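Review bot: $t_redirect_url at the changed print_bracket_link() call is a local variable, and the hunk does not show where it is built. If it derives from a request parameter, sanitize it at assignment so any other use in this file gets the same treatment; if it is a fixed string, the wrapper is harmless, but a one-line comment saying so would save the next reader the lookup.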
diff --git a/manage_custom_field_delete.php b/manage_custom_field_delete.php
index 62c56fb..75325e1 100644
--- a/manage_custom_field_delete.php
+++ b/manage_custom_field_delete.php
@@ -58,7 +58,7 @@
 <div align="center">
 <?php
 	echo lang_get( 'operation_successful' ) . '<br />';
-	print_bracket_link( $f_return, lang_get( 'proceed' ) );
+	print_bracket_link( string_sanitize_url( $f_return ), lang_get( 'proceed' ) );
 ?>
 </div>
 
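Review bot: the commit message names only manage_custom_field_update.php for the javascript: vector, but the changed line here shows manage_custom_field_delete.php printing the same $f_return through print_bracket_link(). Please mention the delete page, and the other four files touched by this backport, in the message so the changelog and advisory describe the full set of affected pages.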
diff --git a/manage_custom_field_update.php b/manage_custom_field_update.php
index d56dbfb..befbc06 100644
--- a/manage_custom_field_update.php
+++ b/manage_custom_field_update.php
@@ -64,7 +64,7 @@
 
 	echo lang_get( 'operation_successful' ) . '<br />';
 
-	print_bracket_link( $f_return, lang_get( 'proceed' ) );
+	print_bracket_link( string_sanitize_url( $f_return ), lang_get( 'proceed' ) );
 
 	echo '</div>';
 
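Review bot: this backport has no hunk for manage_custom_field_edit_page.php, although the commit message says the return URL is now escaped before being printed in the hidden form field that feeds $f_return to the changed line here. The diffstat lists six files and the edit page is not among them, so either add the string_attribute() change for the hidden return input on 1.2.x, or drop that bullet from the message if the branch does not need it.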
diff --git a/print_all_bug_options_update.php b/print_all_bug_options_update.php
index ab1a1d4..bec71e0 100644
--- a/print_all_bug_options_update.php
+++ b/print_all_bug_options_update.php
@@ -79,6 +79,6 @@
 	}
 
 	echo '<br />';
-	print_bracket_link( $f_redirect_url, lang_get( 'proceed' ) );
+	print_bracket_link( string_sanitize_url( $f_redirect_url ), lang_get( 'proceed' ) );
 	echo '<br /></div>';
 	html_page_bottom();
diff --git a/set_project.php b/set_project.php
index e09155d..aeed92b 100644
--- a/set_project.php
+++ b/set_project.php
@@ -109,7 +109,7 @@
 <?php
 	echo lang_get( 'operation_successful' ).'<br />';
 
-	print_bracket_link( $t_redirect_url, lang_get( 'proceed' ) );
+	print_bracket_link( string_sanitize_url( $t_redirect_url ), lang_get( 'proceed' ) );
 ?>
 </div>
 
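Review bot: no test accompanies the changed print_bracket_link() call here or in the other five files; the diffstat covers page scripts only. A regression check that passes a javascript: value as the redirect target to one of these pages and asserts that the [Proceed] link points to index.php would keep the call sites from regressing.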
-- 
2.7.4

dregad

2016-06-06 18:29

developer   ~0053275

Attached proposed backport to fix the issue in 1.2.x branch.

dregad

2016-06-10 20:08

developer   ~0053314

CVE request http://thread.gmane.org/gmane.comp.security.oss.general/19762

dregad

2016-06-11 14:38

developer   ~0053319

CVE-2016-5364 was assigned

Related Changesets

MantisBT: master 11ab3d6c

2016-05-27 05:39:58

dregad

Fix XSS in custom fields management

Fixes 0020956
mod - core/html_api.php
mod - manage_custom_field_edit_page.php

MantisBT: master-1.2.x 5068df2d

2016-06-06 18:25:37

dregad

Fix XSS in custom fields management

Fixes 0020956

This is a backport from master 3f2779b4c6dc8d465fb73c08cfa1d806184d2e79.
mod - account_prefs_update.php
mod - manage_config_revert.php
mod - manage_custom_field_delete.php
mod - manage_custom_field_update.php
mod - print_all_bug_options_update.php
mod - set_project.php

Issue History

Date Modified Username Field Change
2016-05-26 12:43 kacperszurek New Issue
2016-05-26 13:42 atrol Status new => confirmed
2016-05-26 13:51 atrol Relationship added related to 0004044
2016-05-27 09:50 dregad Assigned To => dregad
2016-05-27 09:50 dregad Status confirmed => assigned
2016-05-27 09:50 dregad Note Added: 0053226
2016-05-27 09:56 dregad File Added: 0001-Fix-XSS-in-custom-fields-management.patch
2016-05-31 11:35 dregad Note Added: 0053240
2016-05-31 11:36 dregad Note Added: 0053241
2016-05-31 11:37 dregad Target Version => 1.2.20
2016-06-06 18:28 dregad File Added: 0001-Fix-XSS-in-custom-fields-management-12x.patch
2016-06-06 18:29 dregad Note Added: 0053275
2016-06-10 20:02 dregad Changeset attached => MantisBT master-1.2.x 5068df2d
2016-06-10 20:02 dregad Status assigned => resolved
2016-06-10 20:02 dregad Resolution open => fixed
2016-06-10 20:02 dregad Fixed in Version => 1.2.20
2016-06-10 20:02 dregad Changeset attached => MantisBT master 11ab3d6c
2016-06-10 20:08 dregad Note Added: 0053314
2016-06-10 20:08 dregad View Status private => public
2016-06-11 14:38 dregad Summary Reflected XSS inside manage_custom_field_edit_page.php => CVE-2016-5364: Reflected XSS inside manage_custom_field_edit_page.php
2016-06-11 14:38 dregad Note Added: 0053319
2016-06-11 14:41 dregad Issue cloned: 0021090
2016-06-11 14:41 dregad Relationship added has duplicate 0021090
2016-08-15 09:02 dregad Status resolved => closed