|
|
@elandais, thanks for helping in enhancing MantisBT security.
Please set View Status to private when reporting security related issues.
http://www.mantisbt.org/wiki/doku.php/mantisbt:handling_security_problems |
|
|
|
This issue is present since 1.0.0 (MantisBT master bf18ac3d) |
|
|
|
This issue is present since 1.0.0 (MantisBT master bf18ac3d)
Actually taking back what I just said - this was in fact introduced in MantisBT master 46fddbcb (2.1.0) when that line which guaranteed that the variable could only contain controlled text, was removed as part of refactoring the filter API.
Fixing the XSS is quite straightforward (adding a string_attribute() call prior to displaying $f_view_type), but before I do that, @cproensa I would appreciate your feedback, maybe outputting $t_filter['_view_type'] is the better approach ? |
|
|
|
@dregad
yes, using $t_filter['_view_type'] it's the right thing, i think |
|
|
|
Thanks for the feedback @cproensa. Patch is attached.
0001-Fix-XSS-in-view_filters_page.php.patch (1,084 bytes)
From f8674d34d36aff25e0ab050e5114170255e40fd3 Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Fri, 10 Mar 2017 00:24:51 +0100
Subject: [PATCH] Fix XSS in view_filters_page.php
The value of the view_type parameter was not sanitized before being
displayed as a hidden input.
This vulnerability was reported by Etienne Landais.
Fixes #22497
---
view_filters_page.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/view_filters_page.php b/view_filters_page.php
index bccf4b0..5d80768 100644
--- a/view_filters_page.php
+++ b/view_filters_page.php
@@ -105,7 +105,7 @@ $t_filter = filter_ensure_valid_filter( $t_filter );
<?php # CSRF protection not required here - form does not result in modifications ?>
<input type="hidden" name="type" value="1" />
- <input type="hidden" name="view_type" value="<?php echo $f_view_type; ?>" />
+ <input type="hidden" name="view_type" value="<?php echo $t_filter['_view_type']; ?>" />
<?php
if( $f_for_screen == false ) {
print '<input type="hidden" name="print" value="1" />';
--
1.9.1
|
|
|
|
CVE Request 304594 for CVE ID Request sent |
|
