View Issue Details

ID: 0021263
Project: mantisbt
Category: security
View Status: public
Last Update: 2016-08-29 18:25
Reporter: j_schultz
Assigned To: vboctor
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.3.0
Target Version: 1.3.1
Fixed in Version: 1.3.1
Summary0021263: CVE-2016-7111: Content Security Policy is weakened by Gravatar plugin
Description

When sending the same HTTP variable to PHP twice via the header() function, the old value is replaced. The default Gravatar plugin sets its own "Content-Security-Policy" HTTP header, which overrides the more strict defaults normally used by Mantis.
Mantis should probably offer a plugin hook (as once discussed in 0011826:0025958) so that any plugin can add its wanted CSP rules before the header is sent.

Steps To Reproduce

Enable Gravatars and check the HTTP headers.

Tags: No tags attached.

Relationships

related to 0021611 (closed, dregad): CVE-2016-6837: XSS vulnerability in view_all_bug_page.php

Activities

dregad (developer), 2016-08-16 17:53, note ~0053820

@atrol I'm not sure I understand what the relationship with 0021611 is.

atrol (developer), 2016-08-16 18:07, note ~0053822

0021611 can't be reproduced (at least with FF) if gravatar plugin is not enabled.

Enabling the plugin overrides the CSP headers and we send just
img-src 'self' http://www.gravatar.com/

Without gravatar plugin enabled we send
default-src 'self'; frame-ancestors 'none'; style-src 'self'; script-src 'self'
which prevents FF from executing the code.

dregad (developer), 2016-08-16 19:25, note ~0053823

Thanks for the feedback Roland.

@vboctor this needs to be fixed ASAP, if not permanently as per j_schultz's suggestion, then at least implement a workaround to make the Gravatar plugin not break the default MantisBT CSP.

Can you please look into it ?

atrol (developer), 2016-08-17 02:35, note ~0053830

Related discussion
https://www.mantisbt.org/forums/viewtopic.php?f=2&t=23974

vboctor (manager), 2016-08-17 02:58, note ~0053831

PR: https://github.com/mantisbt/mantisbt/pull/859

dregad (developer), 2016-08-27 17:07, note ~0053898

Last edited: 2016-08-28 18:23

I sent a CVE request to the OSS-security mailing list [1]; will update this with the ID once it's been assigned.

[1] http://www.openwall.com/lists/oss-security/2016/08/28/1

dregad (developer), 2016-08-29 18:25, note ~0053907

CVE assignment http://www.openwall.com/lists/oss-security/2016/08/29/2

Related Changesets

MantisBT: master-1.3.x a905dd01
2016-08-16 22:25
Author: vboctor
Committer: dregad

Add API for Content-Security-Policy

Add APIs to allow plugins to change the Content-Security-Policy header.

Fixes 0021263
Affected Issues: 0021263
mod - core/http_api.php

MantisBT: master-1.3.x f24a3e9c
2016-08-16 22:44
Author: vboctor
Committer: dregad

Use Content-Security-Policy API in Gravatar

Fixes 0021263
Affected Issues: 0021263
mod - plugins/Gravatar/Gravatar.php

MantisBT: master-1.3.x 9f359863
2016-08-16 22:50
Author: vboctor
Committer: dregad

Protect against calling http_csp_add() too late

If the CSP header is sent and then http_csp_add() is called, trigger error.

Fixes 0021263
Affected Issues: 0021263
mod - core/http_api.php

MantisBT: master-1.3.x c13b3253
2016-08-25 19:19
Author: vboctor
Committer: dregad

Add EVENT_CORE_HEADERS event

Called before core emits headers enabling plugins to emit their
own headers or call APIs that shape the value of headers emitted by
core like Content-Security-Policy.

Fixes 0021263
Affected Issues: 0021263
mod - core.php
mod - core/events_inc.php
mod - docbook/Developers_Guide/en-US/Events_Reference.xml
mod - plugins/Gravatar/Gravatar.php

MantisBT: master-1.3.x b3511d2f
2016-08-27 13:01
Author: dregad

Fix weakened CSP by Gravatar plugin

Merge vboctor's branch 'issue_21263_csp_headers_13x'

Fixes 0021263
Affected Issues: 0021263
mod - core.php
mod - core/events_inc.php
mod - core/http_api.php
mod - docbook/Developers_Guide/en-US/Events_Reference.xml
mod - plugins/Gravatar/Gravatar.php
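The following is an added example, not MantisBT's own code, illustrating two things from this issue together: the header-replacement behaviour j_schultz describes in the report (PHP's header() replaces an earlier header of the same name, so a plugin that sends its own Content-Security-Policy discards the core policy), and the accumulator-plus-hook design the changesets describe (http_csp_add() and EVENT_CORE_HEADERS, with an error when a plugin calls the API after the header has gone out). The class and method names below are assumptions; only the directive values come from the policies atrol quotes above.

```php
<?php
// Added example (not MantisBT's own code): a policy accumulator in the spirit
// of the http_csp_add() / EVENT_CORE_HEADERS design described in this issue.
// Class and method names are assumptions; the directive values are the ones
// quoted in the issue.

final class CspPolicy
{
    /** @var array<string, string[]> directive name => source expressions */
    private array $directives = [];

    /** Set once the header has gone out; later additions are a programming error. */
    private bool $sent = false;

    /** @param array<string, string[]> $defaults core policy, applied before any plugin runs */
    public function __construct(array $defaults)
    {
        foreach ($defaults as $directive => $sources) {
            foreach ($sources as $source) {
                $this->add($directive, $source);
            }
        }
    }

    /** Widen a single directive; every other core directive is left untouched. */
    public function add(string $directive, string $source): void
    {
        if ($this->sent) {
            // Same idea as changeset 9f359863 ("protect against calling
            // http_csp_add() too late"): fail loudly instead of silently
            // shipping a policy the plugin believes it changed.
            throw new LogicException("CSP already sent; cannot add '$source' to $directive");
        }
        $directive = strtolower(trim($directive));
        // Reject anything that could split the value into extra directives
        // or inject additional header lines.
        if (!preg_match('/^[a-z][a-z-]*$/', $directive)
            || $source === ''
            || preg_match('/[;,\r\n\s]/', $source)) {
            throw new InvalidArgumentException("Invalid CSP directive '$directive' or source '$source'");
        }
        $this->directives[$directive][] = $source;
        $this->directives[$directive] = array_values(array_unique($this->directives[$directive]));
    }

    /** Serialize all directives into one header value. */
    public function headerValue(): string
    {
        $parts = [];
        foreach ($this->directives as $directive => $sources) {
            $parts[] = $directive . ' ' . implode(' ', $sources);
        }
        return implode('; ', $parts);
    }

    /** Emit the single merged header (skipped under the CLI, which sends no headers). */
    public function emit(): string
    {
        $value = $this->headerValue();
        if (PHP_SAPI !== 'cli') {
            header('Content-Security-Policy: ' . $value);
        }
        $this->sent = true;
        return $value;
    }
}

// Core defaults, taken from the policy atrol quotes in this issue.
$policy = new CspPolicy([
    'default-src'     => ["'self'"],
    'frame-ancestors' => ["'none'"],
    'style-src'       => ["'self'"],
    'script-src'      => ["'self'"],
]);

// Before the fix: PHP's header() replaces an earlier header of the same name,
// so a plugin sending its own Content-Security-Policy drops every core
// directive and the browser is left with only this value:
$weakened = "img-src 'self' http://www.gravatar.com/";
echo "Replaced header (weakened): $weakened\n";

// After the fix: the plugin widens img-src only, from the hook that runs
// before core emits headers; script-src and the rest stay as core set them.
$policy->add('img-src', "'self'");
$policy->add('img-src', 'http://www.gravatar.com/');
echo "Merged header: " . $policy->emit() . "\n";

// A plugin hooking in too late is caught instead of being silently ignored.
try {
    $policy->add('script-src', 'https://cdn.example');
} catch (LogicException $e) {
    echo "Rejected: " . $e->getMessage() . "\n";
}
```

Two design points worth noting. Calling header('Content-Security-Policy: ...', false) to append a second header instead of replacing the first is not a substitute for merging: browsers enforce every delivered policy, so a second header can only tighten the effective policy, never widen img-src past the core default-src 'self'. And the hook must run before core emits its headers, which is exactly why the fix adds an event (EVENT_CORE_HEADERS) rather than letting plugins send headers at an arbitrary point.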