View Issue Details

ID: 0021090
Project: mantisbt
Category: security
View Status: public
Last Update: 2016-06-12 00:42
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.3.0-beta.1
Target Version: 1.3.0-rc.2
Fixed in Version: 1.3.0-rc.2
Summary: 0021090: CVE-2016-5364: Reflected XSS inside manage_custom_field_edit_page.php
Description

This is a clone of 0020956 to track the vulnerability in the 1.3.x branch.

Tags: No tags attached.

Relationships

duplicate of 0020956 (closed, dregad): CVE-2016-5364: Reflected XSS inside manage_custom_field_edit_page.php

Activities

There are no notes attached to this issue.

Related Changesets

MantisBT: master 11ab3d6c

2016-05-27 05:39:58

dregad

Fix XSS in custom fields management

Kacper Szurek (http://security.szurek.pl/) discovered an XSS
vulnerability in Custom fields management pages, caused by unescaped
output of 'return URL' GPC parameter. His report describes two ways to
exploit this issue:

1. using 'accesskey' inside hidden input field (see [1]) reflects XSS to
the administrator in manage_custom_field_edit_page.php when the
keyboard shortcut is actioned
2. using 'javascript:' URI scheme executes the code when the user clicks
the [Proceed] link on manage_custom_field_update.php after updating
a custom field

This commit fixes both attack vectors:

- properly escape the return URL prior to printing it on the hidden form
field
- let html_operation_successful() sanitize the URL before displaying
it, just like html_meta_redirect() does. In this case, if the
string contains a URI scheme, it will be replaced by 'index.php'

[1] http://blog.portswigger.net/2015/11/xss-in-hidden-input-fields.html

Fixes 0020956
mod - core/html_api.php
mod - manage_custom_field_edit_page.php
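The two defences the commit message describes, as an added PHP example that is not MantisBT's own code: the return URL is escaped with htmlspecialchars() before it is printed into the hidden field, and a value carrying any URI scheme is replaced by 'index.php' before it is used for the [Proceed] link. The function names, the control-character stripping and the protocol-relative '//' check are assumptions of this example, not taken from the commit.

```php
<?php
// Added example, not MantisBT's own code: the two defences the commit
// message describes, applied to a user-supplied 'return' URL.
// Run with: php -d zend.assertions=1 example.php

// Replace any value carrying a URI scheme (javascript:, data:, http:, ...)
// with a fixed local page. The control-character stripping and the
// protocol-relative "//" check go beyond what the commit states (assumptions).
function sanitize_return_url(string $url): string {
    // Browsers discard ASCII control characters and surrounding whitespace
    // when parsing a URL, so "java\tscript:" must be caught as well.
    $clean = (string) preg_replace('/[\x00-\x20\x7f]/', '', $url);
    if ($clean === '' || preg_match('#^[a-z][a-z0-9+.\-]*:#i', $clean)
            || substr($clean, 0, 2) === '//') {
        return 'index.php';
    }
    return $clean;
}

// Escape for an HTML attribute. ENT_QUOTES encodes both quote styles, so the
// value cannot close the attribute and add accesskey="..." or an event handler.
function attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hidden form field on the edit page (vector 1 in the report).
function hidden_return_field(string $return_url): string {
    return '<input type="hidden" name="return" value="' . attr($return_url) . '" />';
}

// [Proceed] link on the update page (vector 2): sanitise, then escape.
function proceed_link(string $return_url): string {
    return '<a href="' . attr(sanitize_return_url($return_url)) . '">Proceed</a>';
}

// Constructed inputs (not from the original report).
$attr_break = '" accesskey="x" onclick="alert(1)';   // tries to close the attribute
assert(hidden_return_field($attr_break) ===
    '<input type="hidden" name="return" value="&quot; accesskey=&quot;x&quot; onclick=&quot;alert(1)" />');

assert(sanitize_return_url('javascript:alert(1)') === 'index.php');
assert(sanitize_return_url(" java\tscript:alert(1)") === 'index.php');
assert(sanitize_return_url('//evil.example/') === 'index.php');
assert(sanitize_return_url('manage_custom_field_page.php') === 'manage_custom_field_page.php');
assert(proceed_link('view_all_bug_page.php?x=1&y=2') ===
    '<a href="view_all_bug_page.php?x=1&amp;y=2">Proceed</a>');
echo "all checks passed\n";
```

Escaping alone closes the hidden-field vector but not the link vector, since a correctly escaped `javascript:` href still executes on click; that is why the commit adds the scheme check as a second, independent step.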

Issue History

Date Modified Username Field Change
2016-06-11 14:41 dregad New Issue
2016-06-11 14:41 dregad Status new => assigned
2016-06-11 14:41 dregad Assigned To => dregad
2016-06-11 14:41 dregad Issue generated from: 0020956
2016-06-11 14:41 dregad Relationship added duplicate of 0020956
2016-06-11 14:42 dregad Changeset attached => MantisBT master 11ab3d6c
2016-06-11 14:42 dregad Status assigned => resolved
2016-06-11 14:42 dregad Resolution open => fixed
2016-06-11 14:42 dregad Fixed in Version => 1.3.0-rc.2
2016-06-12 00:42 vboctor Status resolved => closed