View Issue Details

ID: 0022266
Project: mantisbt
Category: security
View Status: public
Last Update: 2017-03-22 04:17
Reporter: vboctor
Assigned To: vboctor
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.0.0-beta.1
Target Version: 2.1.1
Fixed in Version: 2.1.1
Summary: 0022266: CVE-2017-7222: Sanitize window title
Description

The config option 'window_title' can include <script>alert(1);</script> or <img> tags and it will be rendered successfully. This is mitigated via:

  • CSP - the script is not executed, but an image would still work.
  • window_title can only be set by trusted users.

Having said that, we should run this through sanitization anyway.

I was able to reproduce this on master, but haven't tried on 1.3.x.
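The following is an added illustration of the kind of output encoding the fix applies, not MantisBT's own code: a hypothetical `render_window_title()` encodes the configured value before placing it in the `<title>` element, and `window_title_needs_encoding()` is a hypothetical audit helper that reports whether a stored value contains characters encoding would change. It assumes only that the config value is a plain string; the sample values are constructed from the tags named in the report.

```php
<?php
// Added illustration (not MantisBT's own code). Output encoding makes a
// config-supplied title appear literally in the browser instead of being
// parsed as markup, whether or not a CSP header is in effect.

/**
 * Build the <title> element for a page from a config-supplied window title.
 * Hypothetical helper: every HTML metacharacter in the value is encoded.
 */
function render_window_title(string $window_title, string $page_title = ''): string
{
    $full = $page_title !== '' ? "$page_title - $window_title" : $window_title;
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE keeps invalid
    // UTF-8 from turning the whole title into an empty string.
    $safe = htmlspecialchars($full, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<title>$safe</title>";
}

/**
 * Hypothetical audit helper for a configuration review: true when the
 * stored value contains characters that would only be harmless if every
 * code path rendering it applies encoding.
 */
function window_title_needs_encoding(string $window_title): bool
{
    return $window_title !== htmlspecialchars($window_title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample values: a benign title and two carrying the tags the
// report describes.
$samples = [
    'My Tracker',
    'My Tracker <script>alert(1);</script>',
    'My Tracker <img src="x">',
];

foreach ($samples as $value) {
    echo render_window_title($value, 'View Issues'), "\n";
    echo window_title_needs_encoding($value)
        ? "  review: window_title contains markup characters\n"
        : "  ok\n";
}
```

Run it with `php` and compare the encoded `<title>` lines against the raw sample values to see that the tags survive only as literal text.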

Tags: No tags attached.

Relationships

related to 0022098 (assigned, syncguru): Setting bottom_include_page does not include specified file

Activities

vboctor (manager) - 2017-02-12 18:59 - ~0055652

PR: https://github.com/mantisbt/mantisbt/pull/1030

dregad (developer) - 2017-03-21 20:32 - ~0056152

Last edited: 2017-03-21 20:34

Just noticed this... being a security issue, we need to get a CVE ID assigned. I'll take care of it.

> haven't tried on 1.3.x.

It can't affect 1.3.x, since the layout API was introduced in 2.x as part of the modern UI.

Issue was introduced in release 2.0.0-beta.1 (MantisBT master 6a32ba7f).

vboctor (manager) - 2017-03-21 21:54 - ~0056153

@dregad Since this is not exploitable because of CSP, is it still considered a security issue? If we should still create a CVE, we should make it clear in the description that this would have no effect if CSP is enabled.

dregad (developer) - 2017-03-22 04:17 - ~0056157

> is it still considered a security issue

Yes. Not only can CSP be disabled, but also some older browsers do not support it.

> we should make it clear in the description that this would have no effect if CSP is enabled

Absolutely. I always do.
In this specific case: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7222

Related Changesets

MantisBT: master-2.1 a85b0b96

2017-02-12 18:58:25

vboctor

Sanitize window title

The window title is not sanitized. That is not an issue when CSP is enabled (default),
but if disabled, it can execute javascript that is set by a user who has access
to set configuration via Manage - Manage Configuration - Configuration Report page.

Fixes 0022266

mod - core/layout_api.php

Issue History

Date Modified Username Field Change
2017-01-26 21:49 vboctor New Issue
2017-01-26 21:50 vboctor Relationship added related to 0022098
2017-02-12 18:59 vboctor Assigned To => vboctor
2017-02-12 18:59 vboctor Status new => assigned
2017-02-12 18:59 vboctor Note Added: 0055652
2017-02-16 23:27 vboctor Changeset attached => MantisBT master-2.1 a85b0b96
2017-02-16 23:27 vboctor Status assigned => resolved
2017-02-16 23:27 vboctor Resolution open => fixed
2017-02-17 01:39 atrol Fixed in Version => 2.1.1
2017-02-17 01:39 atrol Target Version => 2.1.1
2017-02-26 21:17 vboctor Status resolved => closed
2017-02-26 23:42 vboctor View Status private => public
2017-03-21 20:32 dregad Note Added: 0056152
2017-03-21 20:32 dregad Product Version 2.0.0 => 2.0.0-beta.1
2017-03-21 20:34 dregad Note Edited: 0056152 View Revisions
2017-03-21 21:54 vboctor Note Added: 0056153
2017-03-22 04:17 dregad Summary Sanitize window title => CVE-2017-7222: Sanitize window title
2017-03-22 04:17 dregad Note Added: 0056157