View Issue Details

ID: 0022486
Project: mantisbt
Category: security
View Status: public
Last Update: 2017-03-21 20:06
Reporter: elandais
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.3.0-beta.3
Target Version: 1.3.7
Fixed in Version: 1.3.7
Summary: 0022486: CVE-2017-6797: XSS in bug_change_status_page.php
Description

Cross-Site Scripting Vulnerability in 'bug_change_status_page.php' page.

The /bug_change_status_page.php page 'action_type' parameter in MantisBT is vulnerable to a cross-site scripting vulnerability when JavaScript is supplied via a GET or POST request.

The exploitation example below uses the "alert()" JavaScript function to display the word "XSS".

Steps To Reproduce

Request:

GET /bug_change_status_page.php?bug_change_status_page_token=20170227zM42Eo2wSNnfOOCxNSwz4Gv0xbkGWu8E&new_status=90&change_type=closev2lx8%22%3E%3Cscript%3Ealert%28%22Test%20SLCC%22%29%3C%2fscript%3Eyrcxai8ja1g&id=3524

Parameters:
bug_change_status_page_token : 20170227zM42Eo2wSNnfOOCxNSwz4Gv0xbkGWu8E
change_type : closev2lx8"><script>alert("Test SLCC")</script>yrcxai8ja1g
id : 3524
new_status : 90
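As an added illustration (not part of the report or of the MantisBT fix), the following Python reproduces the attribute-context problem offline: it URL-decodes the change_type value from the reproduction request above, renders the hidden input the way the vulnerable line did, and shows that attribute encoding keeps the whole value inside the attribute so that a parser no longer sees a script element. html.escape stands in for MantisBT's string_attribute() here; that equivalence is an assumption.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Reproduction request copied from the report (token and payload verbatim).
REPRO_REQUEST = (
    "/bug_change_status_page.php?bug_change_status_page_token="
    "20170227zM42Eo2wSNnfOOCxNSwz4Gv0xbkGWu8E&new_status=90&change_type="
    "closev2lx8%22%3E%3Cscript%3Ealert%28%22Test%20SLCC%22%29%3C%2fscript%3E"
    "yrcxai8ja1g&id=3524"
)

def change_type_from_request(path_and_query):
    """URL-decode the query string and return change_type, i.e. what
    $f_change_type held when the page rendered the hidden input."""
    return parse_qs(urlsplit(path_and_query).query)["change_type"][0]

def render_hidden_input(change_type, encode):
    """Mimic the patched line. encode=False drops the raw value into a
    double-quoted attribute (the bug); encode=True attribute-encodes it first.
    html.escape is an assumption standing in for string_attribute()."""
    value = html.escape(change_type, quote=True) if encode else change_type
    return '<input type="hidden" name="action_type" value="%s" />' % value

class Probe(HTMLParser):
    """Record what a browser-like parser sees: the input's value attribute
    and the number of <script> start tags in the markup."""
    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.input_value = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        elif tag == "input":
            self.input_value = dict(attrs).get("value")

def analyse(change_type, encode):
    """Return {'script_tags': n, 'input_value': v} for the rendered markup.
    Unencoded, the quote in the payload closes the attribute and a script
    element appears; encoded, the full string stays the attribute value."""
    probe = Probe()
    probe.feed(render_hidden_input(change_type, encode))
    probe.close()
    return {"script_tags": probe.script_tags, "input_value": probe.input_value}
```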

Tags: No tags attached.

Relationships

parent of 0022561 (closed, dregad) CVE-2017-6797: XSS in bug_change_status_page.php
parent of 0022563 (closed, dregad) CVE-2017-6797: XSS in bug_change_status_page.php

Activities

dregad (developer), 2017-03-07 06:15, note ~0055944

Thanks for your bug report. We will look into this ASAP.

  • Did you already request a CVE id for the vulnerability? If not, we can take care of it.
  • How would you like to be credited for the finding?

dregad (developer), 2017-03-07 06:26, note ~0055946

I confirm the vulnerability, but only when CSP is disabled.

dregad (developer), 2017-03-07 06:41, note ~0055947

@elandais Please confirm that the attached patch fully addresses the issue you reported.

0001-Fix-XSS-in-bug_change_status_page.php.patch (897 bytes)
From 658f32443b4aaa1c3285eaf970d0416ca7a020a5 Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Tue, 7 Mar 2017 12:34:16 +0100
Subject: [PATCH] Fix XSS in bug_change_status_page.php

The value of the change_type parameter was not encoded before being
displayed as a hidden input.

This vulnerability was reported by Etienne Landais.

Fixes #22486
---
 bug_change_status_page.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bug_change_status_page.php b/bug_change_status_page.php
index 4e1c6fc..bc23ce6 100644
--- a/bug_change_status_page.php
+++ b/bug_change_status_page.php
@@ -385,7 +385,7 @@ layout_page_begin();
 
 </tbody>
 </table>
-<input type="hidden" name="action_type" value="<?php echo $f_change_type; ?>" />
+<input type="hidden" name="action_type" value="<?php echo string_attribute( $f_change_type ); ?>" />
 
 </div>
 </div>
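Review bot: string_attribute() is the right encoder for a value placed inside a double-quoted attribute, so the replaced line is correct as far as it goes; what the hunk cannot show is whether $f_change_type is echoed anywhere else in bug_change_status_page.php without encoding, so a grep of the file for the raw variable is worth doing before merging. Since change_type selects one of a fixed set of status-change actions, validating it against that set where the parameter is read would give a second barrier independent of output encoding. The commit message could also record that the page was only exploitable with CSP disabled (note ~0055946), which is useful context for the advisory.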
-- 
1.9.1

elandais (reporter), 2017-03-07 08:02, note ~0055954

I confirm that the attached patch fully addresses the issue I reported.

Thanks

dregad (developer), 2017-03-07 09:05, note ~0055955

@elandais you did not answer my questions in 0022486:0055944

elandais (reporter), 2017-03-08 04:14, note ~0055977

  • I did not request a CVE for the vulnerability. If you can take care of it, it would be great. Thanks
  • I'm new here, I don't know how to answer this question

dregad (developer), 2017-03-08 05:42, note ~0055983

Last edited: 2017-03-08 08:12

How would you like to be credited for the finding?

I'm new here, I don't know how to answer this question

Security researchers and firms generally like to be credited with their findings in the CVE report, and often request a specific format for such credit, with an e-mail address, web site, reference ID, etc. (see example)

elandais (reporter), 2017-03-08 08:04, note ~0055989

It's ok, we don't need to be credited for this discovery.

Thanks

dregad (developer), 2017-03-08 09:39, note ~0055996

Git blame indicates that this bug was introduced in MantisBT master f591e7b6 - 1.3.0-beta.3 so targeting 1.3.7

dregad (developer), 2017-03-09 18:51, note ~0056023

CVE Request 304568 for CVE ID Request sent

Related Changesets

MantisBT: master-1.3.x a2d90eca (2017-03-07 06:34:16, dregad)

Fix XSS in bug_change_status_page.php

The value of the change_type parameter was not encoded before being
displayed as a hidden input.

This vulnerability was reported by Etienne Landais.

Fixes 0022486

mod - bug_change_status_page.php

MantisBT: master-2.2 c272c3f6 (2017-03-07 06:34:16, dregad)

Fix XSS in bug_change_status_page.php

The value of the change_type parameter was not encoded before being
displayed as a hidden input.

This vulnerability was reported by Etienne Landais.

Fixes 0022486

mod - bug_change_status_page.php

MantisBT: master-2.1 55b5b4f3 (2017-03-07 06:34:16, dregad)

Fix XSS in bug_change_status_page.php

The value of the change_type parameter was not encoded before being
displayed as a hidden input.

This vulnerability was reported by Etienne Landais.

Fixes 0022486

mod - bug_change_status_page.php

Issue History

Date Modified Username Field Change
2017-03-07 05:49 elandais New Issue
2017-03-07 05:53 atrol View Status public => private
2017-03-07 06:15 dregad Status new => acknowledged
2017-03-07 06:15 dregad Note Added: 0055944
2017-03-07 06:15 dregad Target Version => 2.2.1
2017-03-07 06:26 dregad Assigned To => dregad
2017-03-07 06:26 dregad Status acknowledged => confirmed
2017-03-07 06:26 dregad Note Added: 0055946
2017-03-07 06:40 dregad Status confirmed => assigned
2017-03-07 06:41 dregad File Added: 0001-Fix-XSS-in-bug_change_status_page.php.patch
2017-03-07 06:41 dregad Note Added: 0055947
2017-03-07 08:02 elandais Note Added: 0055954
2017-03-07 09:05 dregad Note Added: 0055955
2017-03-08 04:14 elandais Note Added: 0055977
2017-03-08 05:42 dregad Note Added: 0055983
2017-03-08 08:04 elandais Note Added: 0055989
2017-03-08 08:12 dregad Note Edited: 0055983
2017-03-08 09:39 dregad Product Version 2.2.0 => 2.0.0-beta.3
2017-03-08 09:39 dregad Target Version 2.2.1 => 1.3.7
2017-03-08 09:39 dregad Note Added: 0055996
2017-03-08 09:40 dregad Product Version 2.0.0-beta.3 => 1.3.0-beta.3
2017-03-08 09:44 dregad Summary Cross-Site Scripting Vulnerabilities => XSS in bug_change_status_page.php
2017-03-09 18:32 dregad Changeset attached => MantisBT master-1.3.x a2d90eca
2017-03-09 18:32 dregad Status assigned => resolved
2017-03-09 18:32 dregad Resolution open => fixed
2017-03-09 18:32 dregad Fixed in Version => 1.3.7
2017-03-09 18:32 dregad Changeset attached => MantisBT master-2.2 c272c3f6
2017-03-09 18:51 dregad Note Added: 0056023
2017-03-09 18:51 dregad View Status private => public
2017-03-09 19:34 dregad Summary XSS in bug_change_status_page.php => CVE-2017-6797: XSS in bug_change_status_page.php
2017-03-12 19:23 vboctor Status resolved => closed
2017-03-20 10:59 dregad Changeset attached => MantisBT master-2.1 55b5b4f3
2017-03-21 19:51 dregad Issue cloned: 0022561
2017-03-21 19:51 dregad Relationship added parent of 0022561
2017-03-21 19:53 dregad Severity minor => major
2017-03-21 20:06 dregad Relationship added parent of 0022563