MantisBT: master 11ab3d6c

Author: dregad
Committer: dregad
Branch: master
Timestamp: 2016-05-27 01:39
Parent: master ecd12610
Affected Issues:
  0020956: CVE-2016-5364: Reflected XSS inside manage_custom_field_edit_page.php
  0021090: CVE-2016-5364: Reflected XSS inside manage_custom_field_edit_page.php
Changeset

Fix XSS in custom fields management

Kacper Szurek (http://security.szurek.pl/) discovered an XSS
vulnerability in Custom fields management pages, caused by unescaped
output of 'return URL' GPC parameter. His report describes two ways to
exploit this issue:

  1. using 'accesskey' inside hidden input field (see [1]) reflects XSS to
    the administrator in manage_custom_field_edit_page.php when the
    keyboard shortcut is actioned
  2. using 'javascript:' URI scheme executes the code when the user clicks
    the [Proceed] link on manage_custom_field_update.php after updating
    a custom field

This commit fixes both attack vectors:

  • properly escape the return URL prior to printing it on the hidden form
    field
  • let html_operation_successful() sanitize the URL before displaying
    it, just like html_meta_redirect() does. In this case, if the
    string contains a URI scheme, it will be replaced by 'index.php'

[1] http://blog.portswigger.net/2015/11/xss-in-hidden-input-fields.html

Fixes 0020956

mod - core/html_api.php
mod - manage_custom_field_edit_page.php
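The two protections described in the commit message, as an added PHP example that is not MantisBT's own code: the function names are hypothetical, the 'index.php' fallback for any URI scheme follows the message, and the rejection of protocol-relative and control-character inputs is an extra assumption beyond what the page states.

```php
<?php
// Added example, not MantisBT code: a return-URL sanitizer with the behaviour the
// commit message describes, plus attribute escaping for the hidden form field.

/**
 * Return $p_url if it is a plain relative path; otherwise fall back to $p_default.
 * Any URI scheme (http:, javascript:, data:, ...) is rejected, as the commit
 * message describes. Assumption: protocol-relative "//" and control characters
 * are rejected too, since they also allow leaving the site or confusing parsers.
 */
function sanitize_return_url( $p_url, $p_default = 'index.php' ) {
	$t_url = trim( (string)$p_url );
	if( $t_url === '' ) {
		return $p_default;
	}
	// RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
	if( preg_match( '/^[a-z][a-z0-9+.\-]*:/i', $t_url ) ) {
		return $p_default;
	}
	// Protocol-relative URLs ("//host/...") and backslash variants.
	if( preg_match( '#^[/\\\\]{2}#', $t_url ) ) {
		return $p_default;
	}
	// Embedded control characters could smuggle a scheme past the check above.
	if( preg_match( '/[\x00-\x1f\x7f]/', $t_url ) ) {
		return $p_default;
	}
	return $t_url;
}

/** Escape a value for use inside a double-quoted HTML attribute. */
function attribute_escape( $p_value ) {
	return htmlspecialchars( $p_value, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

/** Render the hidden return_url field with both protections applied. */
function hidden_return_url_field( $p_url ) {
	$t_safe = sanitize_return_url( $p_url );
	return '<input type="hidden" name="return_url" value="'
		. attribute_escape( $t_safe ) . '" />';
}

// Constructed sample inputs modelled on the two vectors named in the report.
$t_samples = array(
	'manage_custom_field_page.php',          // legitimate relative return URL
	'" accesskey="x" title="breakout',        // attribute breakout: escaped, stays inert
	'javascript:void(0)',                    // URI scheme: replaced by index.php
	'//other.example/',                      // protocol-relative: replaced (assumption)
);
foreach( $t_samples as $t_in ) {
	echo hidden_return_url_field( $t_in ), "\n";
}
```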