View Issue Details

WikiJump to Notes
IDProjectCategoryView StatusDate SubmittedLast Update
0008679mantisbtsecuritypublic2007-12-19 08:212012-10-05 15:06
Reporterseiji Assigned Tovboctor  
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionfixed 
PlatformPHP 5.2.5OSGentoo Linux 
Product Version1.1.0rc3 
Target Version1.1.0Fixed in Version1.1.0 
Summary0008679: XSS Vulnerability in view.php , Attached Files
Description

There is a possibility that XSS occurs in "Attached Files" in view.php.

See attached file.

Steps To Reproduce
  1. create file on Linux.

    echo "111" >> "<h1>XSS"

  2. upload it.
  3. go to View issue and click the issue.
Additional Information

This is rare case.

TagsNo tags attached.
Attached Files
xss_before.png (9,068 bytes)   
xss_before.png (9,068 bytes)   
file_api.php.patch (586 bytes)    
Index: core/file_api.php
===================================================================
--- core/file_api.php	(リビジョン 4833)
+++ core/file_api.php	(作業コピー)
@@ -163,7 +163,7 @@
 			$row = $t_attachment_rows[$i];
 			extract( $row, EXTR_PREFIX_ALL, 'v' );
 
-			$t_file_display_name = file_get_display_name( $v_filename );
+			$t_file_display_name = string_html_specialchars( file_get_display_name( $v_filename ) );
 			$t_filesize		= number_format( $v_filesize );
 			$t_date_added	= date( config_get( 'normal_date_format' ), db_unixtimestamp( $v_date_added ) );
file_api.php.patch (586 bytes)   

Activities

vboctor

vboctor

2007-12-21 04:19

manager   ~0016494

The fix implement in Mantis 1.1.0 is to use the following line:

$t_file_display_name = string_display_line( file_get_display_name( $v_filename ) );

See the existing patch to see the context of the change.
giallu

giallu

2008-01-27 17:47

reporter   ~0016855

Security advisories:
http://secunia.com/advisories/28185/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6611