View Issue Details

ID: 0015373
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-09-23 18:05
Reporter: HauntIT
Assigned To: dhx
Priority: immediate
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.2.12
Target Version: 1.2.13
Fixed in Version: 1.2.13
Summary: 0015373: CVE-2013-0197 XSS vulnerability with match_type filter
Description

The HauntIT blog reported a persistent XSS vulnerability in MantisBT 1.2.12. It was demonstrated for the admin user, but it possibly affects other users and other parts of the application as well.

http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html

Additional information requested from blog author.

Tags: No tags attached.
Attached Files
4damien01.png (64,676 bytes)   
4damien02.png (75,493 bytes)   
master-1.2.x_0001-Fix-15373-match_type-XSS-vulnerability.patch (1,532 bytes)   
From bbc6b4f3ea8d0a53ae8c44e4218df6675a4e5fdf Mon Sep 17 00:00:00 2001
From: David Hicks <d@hx.id.au>
Date: Fri, 18 Jan 2013 21:43:21 +1100
Subject: [PATCH] Fix #15373: match_type XSS vulnerability

Jakub Galczyk discovered[1] a cross site scripting (XSS)
vulnerability in MantisBT 1.2.12 and earlier versions that allows a
malicious person to trick the browser of a target user into executing
arbitrary JavaScript via the URL: search.php?match_type="><script...

This vulnerability is particularly wide reaching due to search.php being
usable by anonymous users on public facing installations of MantisBT (no
user account required).

The value of the "match_type" filter parameter is now correctly
sanitised prior to use in the HTML output displaying the current filter
settings.

[1] http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html
---
 core/filter_api.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/filter_api.php b/core/filter_api.php
index 2286ff0..ce2ca4f 100644
--- a/core/filter_api.php
+++ b/core/filter_api.php
@@ -3400,7 +3400,7 @@ function filter_draw_selection_area2( $p_page_number, $p_for_screen = true, $p_e
 					echo lang_get ('filter_match_all');
 				}
 			?>
-			<input type="hidden" name="match_type" value="<?php echo $t_filter[FILTER_PROPERTY_MATCH_TYPE]?>"/>
+			<input type="hidden" name="match_type" value="<?php echo string_attribute( $t_filter[FILTER_PROPERTY_MATCH_TYPE] )?>"/>
 			</td>
 			<td colspan="6">&#160;</td>
 		</tr>
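Review bot: Only this one echo of $t_filter[FILTER_PROPERTY_MATCH_TYPE] is wrapped in string_attribute(), while the commit message describes the value as sanitised "prior to use in the HTML output"; confirm there is no other place in filter_api.php that renders the same filter property raw, otherwise the injection point only moves. string_attribute() is the correct escaper for a double-quoted attribute value, but since the thread notes match_type can only take a preset list of integer constants, the stronger fix is to coerce it to an integer at input (gpc_get_int) and keep this escaping as defence in depth.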
-- 
1.8.1.1

master_0001-Fix-15373-match_type-XSS-vulnerability.patch (1,534 bytes)   
From f5ac454eb63fde102347a021a2af0c535033d572 Mon Sep 17 00:00:00 2001
From: David Hicks <d@hx.id.au>
Date: Fri, 18 Jan 2013 21:43:21 +1100
Subject: [PATCH] Fix #15373: match_type XSS vulnerability

Jakub Galczyk discovered[1] a cross site scripting (XSS)
vulnerability in MantisBT 1.2.12 and earlier versions that allows a
malicious person to trick the browser of a target user into executing
arbitrary JavaScript via the URL: search.php?match_type="><script...

This vulnerability is particularly wide reaching due to search.php being
usable by anonymous users on public facing installations of MantisBT (no
user account required).

The value of the "match_type" filter parameter is now correctly
sanitised prior to use in the HTML output displaying the current filter
settings.

[1] http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html
---
 core/filter_api.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/filter_api.php b/core/filter_api.php
index 37f6d04..e6b7c99 100644
--- a/core/filter_api.php
+++ b/core/filter_api.php
@@ -3395,7 +3395,7 @@ function filter_draw_selection_area2( $p_page_number, $p_for_screen = true, $p_e
 					echo lang_get ('filter_match_all');
 				}
 			?>
-			<input type="hidden" name="match_type" value="<?php echo $t_filter[FILTER_PROPERTY_MATCH_TYPE]?>"/>
+			<input type="hidden" name="match_type" value="<?php echo string_attribute( $t_filter[FILTER_PROPERTY_MATCH_TYPE] )?>"/>
 			</td>
 			<td colspan="6">&#160;</td>
 		</tr>		
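Review bot: This is the same one-line change as the master-1.2.x patch above, so the two branches stay in sync; the remaining gap is that the stored filter value is still a free-form string, which means the escaping has to be repeated at every output site of FILTER_PROPERTY_MATCH_TYPE. A regression test that loads the filter area with a non-numeric match_type and asserts that the rendered hidden input contains no unescaped quote would guard both branches against the escaping being dropped again.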
-- 
1.8.1.1

Relationships

related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x
related to 0015388 (closed, dregad): Update the match_type parameter to be XSS-safe by itself

Activities

HauntIT (reporter), 2013-01-18 05:00, ~0034813

Hi, Damien asked me to write here more details about this vulnerability, so below is a short description of how to reproduce this bug.

Another good 'point of view' is to check the 2 screens I've uploaded.

The match_type parameter is vulnerable to persistent XSS.
The code used as a payload was the alert() function from JavaScript.

Feel free to ask if you need anything more with this case. :)

Cheers o/

dhx (reporter), 2013-01-18 05:39, ~0034814

Confirmed with live URL:
http://www.mantisbt.org/bugs/search.php?sticky_issues=1&sortby=last_updated&dir=DESC&hide_status_id=90&match_type="><script>alert(1)</script>

dregad (developer), 2013-01-18 05:42, ~0034815 (last edited 2013-01-18 05:44)

@rombert, the match_type parameter [1] was introduced as part of your commit 5b491868 (or filter logic).

Is there any particular reason for using gpc_get_string here ? Since the filter type can only be a preset list of integer values as defined by constants (FILTERMATCH*), I would say gpc_get_int would be more appropriate, no ?

Let me know your thoughts.

[1] https://github.com/mantisbt/mantisbt/blame/master-1.2.x/view_all_set.php#L205

dhx (reporter), 2013-01-18 06:39, ~0034816

Thanks for reporting this issue Jakub. Patched with a quick fix for now. Refer to Damien's comment about why gpc_get_string is being called for more detailed information about a better solution.

A CVE ID has been requested from the oss-security mailing list and we should hopefully have a mantisbt-1.2.13 build rolled out very soon.

rombert (reporter), 2013-01-18 15:31, ~0034818

(In reply to comment 0015373:0034815)

@rombert, the match_type parameter [1] was introduced as part of your commit
5b491868 (or filter logic).

Is there any particular reason for using gpc_get_string here ? Since the filter
type can only be a preset list of integer values as defined by constants
(FILTERMATCH*), I would say gpc_get_int would be more appropriate, no ?

Let me know your thoughts.

[1]
https://github.com/mantisbt/mantisbt/blame/master-1.2.x/view_all_set.php#L205

Damien, I've updated the code to use gpc_get_int and the XSS vulnerability is gone.

All - let me know if the fix is proper, or I'll rework it if needed. Thanks for the rapid reaction and sorry for introducing the vulnerability.
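The two layers of defence the thread settles on, shown side by side as an added example that is not MantisBT's own code: the attribute-context escaping of the hotfix, and the integer typing of the follow-up. The constant names and values, the helper names and the sample request values below are this example's own assumptions, not MantisBT's.

```php
<?php
// Added example (not MantisBT code). Models the hidden <input> from
// filter_api.php and the two fixes discussed in issue 0015373.
// FILTER_MATCH_ALL/ANY, attr(), render_hidden_input() and
// sanitize_match_type() are names and values assumed for this example.

const FILTER_MATCH_ALL = 0;   // assumed; MantisBT defines its own constants
const FILTER_MATCH_ANY = 1;

// Layer 1 (the hotfix): escape at the output site for an attribute context.
// htmlspecialchars() with ENT_QUOTES stands in for string_attribute() here.
function attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_hidden_input(string $match_type): string {
    return '<input type="hidden" name="match_type" value="' . attr($match_type) . '"/>';
}

// Layer 2 (the follow-up): treat match_type as an integer from a closed set,
// so the stored filter can never carry attacker-controlled markup at all.
function sanitize_match_type($raw): int {
    // FILTER_VALIDATE_INT rejects non-numeric input; fall back to "match all".
    $n = filter_var($raw, FILTER_VALIDATE_INT);
    if ($n === false || !in_array($n, [FILTER_MATCH_ALL, FILTER_MATCH_ANY], true)) {
        return FILTER_MATCH_ALL;
    }
    return $n;
}

// Constructed request values: a normal one and the shape of the reported payload.
$benign  = '1';
$hostile = '"><script>alert(1)</script>';

// Vulnerable pattern from before the fix: the raw value is echoed into the attribute,
// which closes the value="..." early and leaves a live <script> element behind.
$unsafe = '<input type="hidden" name="match_type" value="' . $hostile . '"/>';

// With output escaping, the quote becomes &quot; and '<' becomes &lt;, so the
// payload stays inert text inside the attribute value.
$escaped = render_hidden_input($hostile);
assert(strpos($escaped, '<script') === false);

// With input typing, the hostile string never reaches the template at all.
assert(sanitize_match_type($hostile) === FILTER_MATCH_ALL);
assert(sanitize_match_type($benign) === FILTER_MATCH_ANY);

echo "unsafe:  $unsafe\nescaped: $escaped\n";
```

Run with `php example.php`; the asserts pass silently and the two rendered inputs show the difference between the raw and escaped attribute.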

dhx (reporter), 2013-01-18 18:26, ~0034822

CVE-2013-0197 was assigned to this vulnerability on the oss-security mailing list.

dregad (developer), 2013-01-18 19:19, ~0034823

@dhx

It would appear that my e-mail from this morning to the oss-security list has still not been posted - not sure if it's awaiting moderation or if it got lost somewhere in Internet Limbo (tm)

Just in case, you might want to inform them that CVE-2013-0197 only applies to 1.2.12, and not to earlier versions.

dregad (developer), 2013-01-21 04:05, ~0034840

Follow-up fix based on 0015373:0034815 can be found in 0015388.

grangeway (reporter), 2013-04-05 17:56, ~0036124

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.

Related Changesets

MantisBT: master f5ac454e (2013-01-18 05:43, dhx)
Fix 0015373: match_type XSS vulnerability

Jakub Galczyk discovered[1] a cross site scripting (XSS)
vulnerability in MantisBT 1.2.12 and earlier versions that allows a
malicious person to trick the browser of a target user into executing
arbitrary JavaScript via the URL: search.php?match_type="><script...

This vulnerability is particularly wide reaching due to search.php being
usable by anonymous users on public facing installations of MantisBT (no
user account required).

The value of the "match_type" filter parameter is now correctly
sanitised prior to use in the HTML output displaying the current filter
settings.

[1] http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html
Affected Issues
0015373
mod - core/filter_api.php

MantisBT: master-1.2.x bbc6b4f3 (2013-01-18 05:43, dhx)
Fix 0015373: match_type XSS vulnerability

Jakub Galczyk discovered[1] a cross site scripting (XSS)
vulnerability in MantisBT 1.2.12 and earlier versions that allows a
malicious person to trick the browser of a target user into executing
arbitrary JavaScript via the URL: search.php?match_type="><script...

This vulnerability is particularly wide reaching due to search.php being
usable by anonymous users on public facing installations of MantisBT (no
user account required).

The value of the "match_type" filter parameter is now correctly
sanitised prior to use in the HTML output displaying the current filter
settings.

[1] http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html
Affected Issues
0015373
mod - core/filter_api.php

MantisBT: master-1.2.x 610da6ec (2013-01-18 15:22, rombert)
filter api: always treat FILTER_PROPERTY_MATCH_TYPE as an int value

Based on @dregad's comments, this follows up on @dhx's fix.

Fixes 0015373: XSS vulnerability
Affected Issues
0015373
mod - core/filter_api.php
mod - view_all_set.php

MantisBT: master 45f9e746 (2013-01-18 15:22, rombert)
filter api: always treat FILTER_PROPERTY_MATCH_TYPE as an int value

Based on @dregad's comments, this follows up on @dhx's fix.

Fixes 0015373: XSS vulnerability
Affected Issues
0015373
mod - core/filter_api.php
mod - view_all_set.php