View Issue Details

ID: 0021263
Project: mantisbt
Category: security
View Status: public
Last Update: 2016-08-29 18:25
Reporter: j_schultz
Assigned To: vboctor
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.3.0
Target Version: 1.3.1
Fixed in Version: 1.3.1
Summary: 0021263: CVE-2016-7111: Content Security Policy is weakened by Gravatar plugin
Description

When sending the same HTTP variable to PHP twice via the header() function, the old value is replaced. The default Gravatar plugin sets its own "Content-Security-Policy" HTTP header, which overrides the more strict defaults normally used by Mantis.
Mantis should probably offer a plugin hook (as once discussed in 0011826:0025958) so that any plugin can add its wanted CSP rules before the header is sent.

Steps To Reproduce

Enable Gravatars and check the HTTP headers.

Tags: No tags attached.

Relationships

related to 0021611 (closed, dregad) CVE-2016-6837: XSS vulnerability in view_all_bug_page.php

Activities

dregad (developer) 2016-08-16 17:53 ~0053820

@atrol I'm not sure I understand what the relationship with 0021611 is.

atrol (developer) 2016-08-16 18:07 ~0053822

0021611 can't be reproduced (at least with FF) if gravatar plugin is not enabled.

Enabling the plugin overrides the CSP headers and we send just
img-src 'self' http://www.gravatar.com/

Without gravatar plugin enabled we send
default-src 'self'; frame-ancestors 'none'; style-src 'self'; script-src 'self'
which prevents FF from executing the code.

dregad (developer) 2016-08-16 19:25 ~0053823

Thanks for the feedback Roland.

@vboctor this needs to be fixed ASAP, if not permanently as per j_schultz's suggestion, then at least implement a workaround to make the Gravatar plugin not break the default MantisBT CSP.

Can you please look into it ?

atrol (developer) 2016-08-17 02:35 ~0053830

Related discussion
https://www.mantisbt.org/forums/viewtopic.php?f=2&t=23974

vboctor (manager) 2016-08-17 02:58 ~0053831

PR: https://github.com/mantisbt/mantisbt/pull/859

dregad (developer) 2016-08-27 17:07 ~0053898

Last edited: 2016-08-28 18:23

I sent a CVE request to the OSS-security mailing list [1]; will update this with the ID once it's been assigned.

[1] http://www.openwall.com/lists/oss-security/2016/08/28/1

dregad (developer) 2016-08-29 18:25 ~0053907

CVE assignment http://www.openwall.com/lists/oss-security/2016/08/29/2

Related Changesets

MantisBT: master-1.3.x a905dd01
2016-08-17 02:25:40, author: vboctor, committer: dregad

Add API for Content-Security-Policy

Add APIs to allow plugins to change the Content-Security-Policy header.

Fixes 0021263

mod - core/http_api.php

MantisBT: master-1.3.x f24a3e9c
2016-08-17 02:44:27, author: vboctor, committer: dregad

Use Content-Security-Policy API in Gravatar

Fixes 0021263

mod - plugins/Gravatar/Gravatar.php

MantisBT: master-1.3.x 9f359863
2016-08-17 02:50:43, author: vboctor, committer: dregad

Protect against calling http_csp_add() too late

If the CSP header is sent and then http_csp_add() is called, trigger error.

Fixes 0021263

mod - core/http_api.php

MantisBT: master-1.3.x c13b3253
2016-08-25 23:19:53, author: vboctor, committer: dregad

Add EVENT_CORE_HEADERS event

Called before core emits headers enabling plugins to emit their
own headers or call APIs that shape the value of headers emitted by
core like Content-Security-Policy.

Fixes 0021263

mod - core.php
mod - core/events_inc.php
mod - docbook/Developers_Guide/en-US/Events_Reference.xml
mod - plugins/Gravatar/Gravatar.php

MantisBT: master-1.3.x b3511d2f
2016-08-27 17:01:15, author: dregad

Fix weakened CSP by Gravatar plugin

Merge vboctor's branch 'issue_21263_csp_headers_13x'

Fixes 0021263

mod - core.php
mod - core/events_inc.php
mod - core/http_api.php
mod - docbook/Developers_Guide/en-US/Events_Reference.xml
mod - plugins/Gravatar/Gravatar.php
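
The following is an added example, not MantisBT's code and not taken from the changesets above. It models the two states the issue describes: the reporter's point that a second header() call for Content-Security-Policy replaces the first (PHP's header() defaults to $replace = true), with the two concrete policies atrol quotes, and the shape of the fix the changesets describe (an add-directive API, a single emission point after plugins have run, and an error when the API is called after the header has gone out). The names csp_add(), csp_header_value(), csp_emit() and csp_is_weak() are hypothetical; the real function is http_csp_add() in core/http_api.php, whose implementation is not shown on this page. The run-it-yourself check is the same as the reproduction step: fetch a page with curl -sI and look at the Content-Security-Policy header it returns.

```php
<?php
// Added example, not MantisBT's own code. Models the fix this issue
// describes: plugins register CSP directives through an API and core emits
// the header once, instead of each caller issuing its own header() call.
// csp_add(), csp_header_value(), csp_emit() and csp_is_weak() are
// hypothetical names standing in for MantisBT's http_csp_add().

// Directive => list of source expressions. These defaults are the header
// atrol reports core sending when the Gravatar plugin is disabled.
$g_csp = array(
    'default-src'     => array( "'self'" ),
    'frame-ancestors' => array( "'none'" ),
    'style-src'       => array( "'self'" ),
    'script-src'      => array( "'self'" ),
);
$g_csp_sent = false;

/**
 * Add one source expression to a directive, creating the directive if needed.
 * Refuses to run once the header has gone out, so a late caller fails loudly
 * instead of silently having no effect (the "called too late" guard).
 */
function csp_add( $p_directive, $p_value ) {
    global $g_csp, $g_csp_sent;
    if( $g_csp_sent ) {
        trigger_error( 'csp_add(): Content-Security-Policy already sent', E_USER_ERROR );
    }
    if( !isset( $g_csp[$p_directive] ) ) {
        $g_csp[$p_directive] = array();
    }
    if( !in_array( $p_value, $g_csp[$p_directive], true ) ) {
        $g_csp[$p_directive][] = $p_value;
    }
}

/** Serialise every accumulated directive into a single header value. */
function csp_header_value() {
    global $g_csp;
    $t_parts = array();
    foreach( $g_csp as $t_directive => $t_sources ) {
        $t_parts[] = $t_directive . ' ' . implode( ' ', $t_sources );
    }
    return implode( '; ', $t_parts );
}

/** Emit the header exactly once, after all plugins have contributed. */
function csp_emit() {
    global $g_csp_sent;
    $t_value = csp_header_value();
    if( PHP_SAPI !== 'cli' && !headers_sent() ) {
        header( 'Content-Security-Policy: ' . $t_value );
    }
    $g_csp_sent = true;
    return $t_value;
}

/**
 * Check for the weakness this issue reports: a policy that carries neither
 * default-src nor script-src leaves script loading unrestricted.
 */
function csp_is_weak( $p_value ) {
    $t_names = array();
    foreach( explode( ';', $p_value ) as $t_part ) {
        $t_tokens = preg_split( '/\s+/', trim( $t_part ) );
        if( $t_tokens[0] !== '' ) {
            $t_names[] = strtolower( $t_tokens[0] );
        }
    }
    return !in_array( 'default-src', $t_names, true )
        && !in_array( 'script-src', $t_names, true );
}

// Before the fix, core and the plugin each called header(); the second call
// replaces the first (PHP's header() defaults to $replace = true), so the
// browser only ever saw the plugin's img-src-only policy quoted in the issue:
$t_before = "img-src 'self' http://www.gravatar.com/";
var_dump( csp_is_weak( $t_before ) );

// After the fix, a Gravatar-style plugin adds its directive from an
// EVENT_CORE_HEADERS handler and core emits the merged policy once.
csp_add( 'img-src', "'self'" );
csp_add( 'img-src', 'http://www.gravatar.com/' );
$t_after = csp_emit();
echo $t_after, "\n";
var_dump( csp_is_weak( $t_after ) );

// A directive added after emission is an error, not a silent second header:
// csp_add( 'script-src', 'https://cdn.example' );
```

Run with php on the command line: csp_is_weak() flags the pre-fix, img-src-only policy and clears the merged one, which keeps core's four default directives and appends the plugin's img-src. The design point is that the only code allowed to call header('Content-Security-Policy: ...') is the single emission point; everything else, plugins included, goes through the add API before that point, and anything that arrives afterwards is an error rather than a quietly weakened policy.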

Issue History

Date Modified Username Field Change
2016-07-11 19:10 j_schultz New Issue
2016-07-12 02:42 atrol Status new => confirmed
2016-07-12 02:42 atrol Product Version => 1.3.0
2016-07-24 15:39 atrol Target Version => 1.3.1
2016-08-15 05:50 atrol Relationship added related to 0021611
2016-08-16 17:53 dregad Note Added: 0053820
2016-08-16 18:07 atrol Note Added: 0053822
2016-08-16 19:25 dregad Note Added: 0053823
2016-08-17 02:35 atrol Note Added: 0053830
2016-08-17 02:58 vboctor Note Added: 0053831
2016-08-27 17:03 dregad Changeset attached => MantisBT master-1.3.x a905dd01
2016-08-27 17:03 dregad Changeset attached => MantisBT master-1.3.x f24a3e9c
2016-08-27 17:03 dregad Changeset attached => MantisBT master-1.3.x 9f359863
2016-08-27 17:03 dregad Changeset attached => MantisBT master-1.3.x c13b3253
2016-08-27 17:03 dregad Changeset attached => MantisBT master-1.3.x b3511d2f
2016-08-27 17:03 dregad Assigned To => dregad
2016-08-27 17:03 dregad Status confirmed => resolved
2016-08-27 17:03 dregad Resolution open => fixed
2016-08-27 17:03 dregad Fixed in Version => 1.3.1
2016-08-27 17:06 dregad Assigned To dregad => vboctor
2016-08-27 17:07 dregad Note Added: 0053898
2016-08-28 01:12 vboctor Status resolved => closed
2016-08-28 18:23 dregad Note Edited: 0053898
2016-08-29 18:25 dregad Summary Content Security Policy is weakened by Gravatar plugin => CVE-2016-7111: Content Security Policy is weakened by Gravatar plugin
2016-08-29 18:25 dregad Note Added: 0053907