View Issue Details

ID: 0005959
Project: mantisbt
Category: security
View Status: public
Last Update: 2006-10-09 11:55
Reporter: joxeanpiti
Assigned To: thraxisp
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.0.0a3
Fixed in Version: 1.0.0rc1
Summary: 0005959: Cross Site Scripting Vulnerability in the mantis/view_all_set.php Script
Description

The script <mantis_dir>/view_all_set.php is vulnerable to Cross Site Scripting attacks. The parameter dir is not correctly cleaned when generating the response output.

Additional Information

To try the vulnerability, log in to http://bugs.mantisbt.org and navigate to this URL:

http://bugs.mantisbt.org/view_all_set.php?sort=category&dir=ASC"><script>alert(document.cookie)</script>&type=2
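The reflection the report describes, as an added example that is not MantisBT's own code: a hidden-input renderer in the shape of the pre-patch filter_api.php lines, next to a hardened version that first validates sort, dir and page_number against what they can legitimately be (the validate-and-discard approach thraxisp describes in the activity log) and then encodes at the output boundary with ENT_QUOTES. The function names, the ALLOWED_SORT column list and the sample request array are assumptions; the dir payload is the one from the proof-of-concept URL above.

```php
<?php
// Added example, not MantisBT code. Shows the pattern behind this report:
// a request parameter is echoed into a double-quoted attribute of a hidden
// <input>. Function names, ALLOWED_SORT and the sample request are assumptions.

// Vulnerable shape (mirrors the pre-patch filter_api.php lines): the raw
// parameter value is concatenated straight into the attribute.
function render_hidden_vulnerable(string $name, string $value): string
{
    return '<input type="hidden" name="' . $name . '" value="' . $value . '" />';
}

// Layer 1: validate against what each parameter can legitimately be and
// discard anything else, substituting a safe default.
const ALLOWED_SORT = ['id', 'category', 'severity', 'status', 'last_updated']; // assumed column list
const ALLOWED_DIR  = ['ASC', 'DESC'];

function validate_sort(string $sort): string
{
    return in_array($sort, ALLOWED_SORT, true) ? $sort : 'last_updated';
}

function validate_dir(string $dir): string
{
    $dir = strtoupper($dir);
    return in_array($dir, ALLOWED_DIR, true) ? $dir : 'DESC';
}

function validate_page_number($raw): int
{
    // FILTER_VALIDATE_INT rejects "1e3", "0x1", "1 OR 1" and similar strings.
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? 1 : $n;
}

// Layer 2: encode at the output boundary. ENT_QUOTES matters because
// htmlspecialchars() and htmlentities() leave single quotes alone by default,
// which breaks the moment an attribute is single-quoted.
function render_hidden_safe(string $name, string $value): string
{
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="' . $name . '" value="' . $encoded . '" />';
}

// Builds the hidden filter fields from a request array with both layers applied.
function render_filter_fields(array $request): string
{
    $fields = [
        'sort'        => validate_sort((string) ($request['sort'] ?? '')),
        'dir'         => validate_dir((string) ($request['dir'] ?? '')),
        'page_number' => (string) validate_page_number($request['page_number'] ?? ''),
    ];
    $out = '';
    foreach ($fields as $name => $value) {
        $out .= render_hidden_safe($name, $value) . "\n";
    }
    return $out;
}

// Constructed request (stands in for $_GET): the dir payload is the one from
// the proof-of-concept URL in this report; page_number is a value that
// FILTER_VALIDATE_INT must reject.
$request = [
    'sort'        => 'category',
    'dir'         => 'ASC"><script>alert(document.cookie)</script>',
    'page_number' => '0x1',
];

echo "Vulnerable output (attribute closed, script element injected):\n";
echo render_hidden_vulnerable('dir', $request['dir']), "\n\n";

echo "Encoding only (payload inert, but it still travels through the app as a sort direction):\n";
echo render_hidden_safe('dir', $request['dir']), "\n\n";

echo "Validated and encoded (payload discarded, defaults substituted):\n";
echo render_filter_fields($request);
```

Run it with `php example.php`. Encoding alone is enough to stop this particular break-out, but validation is what keeps an arbitrary string from reaching the filter logic and any SQL ORDER BY built from it, which is why the two layers belong together rather than as alternatives.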

Tags: No tags attached.
Attached Files
0005959.patch (1,217 bytes)   
--- filter_api.orig	2005-07-18 17:07:03.000000000 +0200
+++ filter_api.php	2005-07-18 17:06:15.000000000 +0200
@@ -753,7 +753,7 @@
 ?> 
 
 		<br />
-		<form method="post" name="filters" action="<?php PRINT $t_action; ?>">
+		<form method="post" name="filters" action="<?php PRINT htmlentities($t_action); ?>">
 		<input type="hidden" name="type" value="5" />
 		<?php
 			if ( $p_for_screen == false ) {
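Review bot: htmlentities($t_action) in the `action="..."` attribute is called with the default flags, which encode double quotes but leave single quotes untouched; the attribute is double-quoted here, so the change holds as written, but pass ENT_QUOTES (and an explicit charset) so the call stays correct if the quoting is ever changed: `action="<?php PRINT htmlentities($t_action, ENT_QUOTES); ?>"`. Since $t_action is a form target, also confirm it is assembled from a fixed page name rather than from request input; attribute encoding prevents break-out from the attribute but does not constrain where the form posts.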
@@ -761,10 +761,10 @@
 				PRINT '<input type="hidden" name="offset" value="0" />';
 			}
 		?>
-		<input type="hidden" name="sort" value="<?php PRINT $t_sort ?>" />
-		<input type="hidden" name="dir" value="<?php PRINT $t_dir ?>" />
-		<input type="hidden" name="page_number" value="<?php PRINT $p_page_number ?>" />
-		<input type="hidden" name="view_type" value="<?php PRINT $t_view_type ?>" />
+		<input type="hidden" name="sort" value="<?php PRINT htmlentities($t_sort) ?>" />
+		<input type="hidden" name="dir" value="<?php PRINT htmlentities($t_dir) ?>" />
+		<input type="hidden" name="page_number" value="<?php PRINT htmlentities($p_page_number) ?>" />
+		<input type="hidden" name="view_type" value="<?php PRINT htmlentities($t_view_type) ?>" />
 		<table class="width100" cellspacing="1">
 		
 		<?php
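Review bot: encoding $t_sort, $t_dir, $p_page_number and $t_view_type at output stops the attribute break-out but still lets arbitrary strings flow through as the filter's sort criteria; dir can only ever be ASC or DESC and page_number only an integer, so validate them against those values (and cast page_number with (int)) before they reach this form, keeping the htmlentities() calls as the second layer rather than the only one. As in the previous hunk, add ENT_QUOTES to each htmlentities() call so the encoding does not depend on the attributes staying double-quoted.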

Activities

joxeanpiti

2005-07-18 10:55

reporter   ~0010856

I have attached a patch for this issue.

thraxisp

2005-07-18 15:00

reporter   ~0010862

Fixed in CVS. Validate and discard improperly constructed sort criteria.

core/filter_api.php -> 1.118

Note that this could affect other places where the error handler is invoked for a string or configuration constructed from input values.