View Issue Details

WikiRelated ChangesetsJump to Notes
IDProjectCategoryView StatusDate SubmittedLast Update
0022486mantisbtsecuritypublic2017-03-07 05:492017-03-21 20:06
Reporterelandais Assigned Todregad  
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Product Version1.3.0-beta.3 
Target Version1.3.7Fixed in Version1.3.7 
Summary0022486: CVE-2017-6797: XSS in bug_change_status_page.php
Description

Cross-Site Scripting Vulnerability in 'bug_change_status_page.php' page.

The /bug_change_status_page.php page 'action_type' parameter in MantisBT is vulnerable to a cross-site scripting vulnerability when Javascript is supplied via GET or POST request.

The exploitation example below uses the "alert()" JavaScript function to display "XSS" word.

Steps To Reproduce

REQUEST :

GET /bug_change_status_page.php?bug_change_status_page_token=20170227zM42Eo2wSNnfOOCxNSwz4Gv0xbkGWu8E&new_status=90&change_type=closev2lx8%22%3E%3Cscript%3Ealert%28%22Test%20SLCC%22%29%3C%2fscript%3Eyrcxai8ja1g&id=3524

Parameters :
bug_change_status_page_token : 20170227zM42Eo2wSNnfOOCxNSwz4Gv0xbkGWu8E
change_type : closev2lx8"><script>alert("Test SLCC")</script>yrcxai8ja1g
id : 3524
new_status : 90

TagsNo tags attached.
Attached Files

Relationships

parent of 0022561 closeddregad CVE-2017-6797: XSS in bug_change_status_page.php 
parent of 0022563 closeddregad CVE-2017-6797: XSS in bug_change_status_page.php 

Activities

dregad

dregad

2017-03-07 06:15

developer   ~0055944

Thanks for your bug report. We will look into this ASAP.

  • Did you already request a CVE id for the vulnerability ? If not, we can take care of it.
  • How would you like to be credited for the finding ?
dregad

dregad

2017-03-07 06:26

developer   ~0055946

I confirm the vulnerability, but only when CSP is disabled.
dregad

dregad

2017-03-07 06:41

developer   ~0055947

@elandais Please confirm that the attached patch fully addresses the issue you reported.

0001-Fix-XSS-in-bug_change_status_page.php.patch (897 bytes)    
From 658f32443b4aaa1c3285eaf970d0416ca7a020a5 Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Tue, 7 Mar 2017 12:34:16 +0100
Subject: [PATCH] Fix XSS in bug_change_status_page.php

The value of the change_type parameter was not encoded before being
displayed as a hidden input.

This vulnerability was reported by Etienne Landais.

Fixes #22486
---
 bug_change_status_page.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bug_change_status_page.php b/bug_change_status_page.php
index 4e1c6fc..bc23ce6 100644
--- a/bug_change_status_page.php
+++ b/bug_change_status_page.php
@@ -385,7 +385,7 @@ layout_page_begin();
 
 </tbody>
 </table>
-<input type="hidden" name="action_type" value="<?php echo $f_change_type; ?>" />
+<input type="hidden" name="action_type" value="<?php echo string_attribute( $f_change_type ); ?>" />
 
 </div>
 </div>
-- 
1.9.1
0001-Fix-XSS-in-bug_change_status_page.php.patch (897 bytes)   
elandais

elandais

2017-03-07 08:02

reporter   ~0055954

I confirm that the attached parch fully adresses the issue I reported.

Thanks
dregad

dregad

2017-03-07 09:05

developer   ~0055955

@elandais you did not answer my questions in 0022486:0055944
elandais

elandais

2017-03-08 04:14

reporter   ~0055977

  • I did not request a CVE for the vulnerability. If you can take care of it, it would be great. thanks
  • I'm new here, i don't know how to answer to this question
dregad

dregad

2017-03-08 05:42

developer   ~0055983

Last edited: 2017-03-08 08:12

How would you like to be credited for the finding ?

I'm new here, i don't know how to answer to this question

Security researchers and firms generally like to be credited with their findings in the CVE report, and often request a specific format for such credit, with an e-mail address, web site, reference ID, etc (see example)
elandais

elandais

2017-03-08 08:04

reporter   ~0055989

it's ok, we don't need to be credited for this discovery.

Thanks
dregad

dregad

2017-03-08 09:39

developer   ~0055996

Git blame indicates that this bug was introduced in MantisBT master f591e7b6 - 1.3.0-beta.3 so targeting 1.3.7
dregad

dregad

2017-03-09 18:51

developer   ~0056023

CVE Request 304568 for CVE ID Request sent

Related Changesets

MantisBT: master-1.3.x a2d90eca

2017-03-07 01:34

dregad


Details Diff		 Fix XSS in bug_change_status_page.php

The value of the change_type parameter was not encoded before being
displayed as a hidden input.

This vulnerability was reported by Etienne Landais.

Fixes 0022486		 Affected Issues
0022486
mod - bug_change_status_page.php Diff File

MantisBT: master-2.2 c272c3f6

2017-03-07 01:34

dregad


Details Diff		 Fix XSS in bug_change_status_page.php

The value of the change_type parameter was not encoded before being
displayed as a hidden input.

This vulnerability was reported by Etienne Landais.

Fixes 0022486		 Affected Issues
0022486
mod - bug_change_status_page.php Diff File

MantisBT: master-2.1 55b5b4f3

2017-03-07 01:34

dregad


Details Diff		 Fix XSS in bug_change_status_page.php

The value of the change_type parameter was not encoded before being
displayed as a hidden input.

This vulnerability was reported by Etienne Landais.

Fixes 0022486		 Affected Issues
0022486
mod - bug_change_status_page.php Diff File