View Issue Details
| Field | Value |
|---|---|
| ID | 0015373 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2013-01-16 05:03 |
| Last Update | 2014-09-23 18:05 |
| Reporter | HauntIT |
| Assigned To | dhx |
| Priority | immediate |
| Severity | major |
| Reproducibility | have not tried |
| Status | closed |
| Resolution | fixed |
| Product Version | 1.2.12 |
| Target Version | 1.2.13 |
| Fixed in Version | 1.2.13 |
| Summary | 0015373: CVE-2013-0197 XSS vulnerability with match_type filter |
| Description | HauntIT blog reported a persistent XSS vulnerability in MantisBT 1.2.12, which exists for the admin user, but possibly for other users and in other parts of the application as well. http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html Additional information requested from the blog author. |
| Tags | No tags attached. |
| Attached Files | master-1.2.x_0001-Fix-15373-match_type-XSS-vulnerability.patch (1,532 bytes) |
From bbc6b4f3ea8d0a53ae8c44e4218df6675a4e5fdf Mon Sep 17 00:00:00 2001 From: David Hicks <d@hx.id.au> Date: Fri, 18 Jan 2013 21:43:21 +1100 Subject: [PATCH] Fix #15373: match_type XSS vulnerability Jakub Galczyk discovered[1] a cross site scripting (XSS) vulnerability in MantisBT 1.2.12 and earlier versions that allows a malicious person to trick the browser of a target user into executing arbitrary JavaScript via the URL: search.php?match_type="><script... This vulnerability is particularly wide reaching due to search.php being usable by anonymous users on public facing installations of MantisBT (no user account required). The value of the "match_type" filter parameter is now correctly sanitised prior to use in the HTML output displaying the current filter settings. [1] http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html --- core/filter_api.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/filter_api.php b/core/filter_api.php index 2286ff0..ce2ca4f 100644 --- a/core/filter_api.php +++ b/core/filter_api.php @@ -3400,7 +3400,7 @@ function filter_draw_selection_area2( $p_page_number, $p_for_screen = true, $p_e echo lang_get ('filter_match_all'); } ?> - <input type="hidden" name="match_type" value="<?php echo $t_filter[FILTER_PROPERTY_MATCH_TYPE]?>"/> + <input type="hidden" name="match_type" value="<?php echo string_attribute( $t_filter[FILTER_PROPERTY_MATCH_TYPE] )?>"/> </td> <td colspan="6"> </td> </tr> -- 1.8.1.1 master_0001-Fix-15373-match_type-XSS-vulnerability.patch (1,534 bytes)
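Review bot: the hunk in filter_draw_selection_area2() (core/filter_api.php, around line 3400) escapes match_type at this single output point only, while the value still enters $t_filter as an arbitrary string (view_all_set.php reads it with gpc_get_string, as the discussion on this issue notes), so any other place the filter array is echoed, serialised or used in a query stays exposed. Suggest pairing the string_attribute() call with validation where the parameter is read: gpc_get_int() plus a check against the FILTER_MATCH_* constants, so the stored value can only ever be a small integer. string_attribute() is the right escaper for a double-quoted attribute value; the one-line change itself is fine as a stop-gap.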
From f5ac454eb63fde102347a021a2af0c535033d572 Mon Sep 17 00:00:00 2001 From: David Hicks <d@hx.id.au> Date: Fri, 18 Jan 2013 21:43:21 +1100 Subject: [PATCH] Fix #15373: match_type XSS vulnerability Jakub Galczyk discovered[1] a cross site scripting (XSS) vulnerability in MantisBT 1.2.12 and earlier versions that allows a malicious person to trick the browser of a target user into executing arbitrary JavaScript via the URL: search.php?match_type="><script... This vulnerability is particularly wide reaching due to search.php being usable by anonymous users on public facing installations of MantisBT (no user account required). The value of the "match_type" filter parameter is now correctly sanitised prior to use in the HTML output displaying the current filter settings. [1] http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html --- core/filter_api.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/filter_api.php b/core/filter_api.php index 37f6d04..e6b7c99 100644 --- a/core/filter_api.php +++ b/core/filter_api.php @@ -3395,7 +3395,7 @@ function filter_draw_selection_area2( $p_page_number, $p_for_screen = true, $p_e echo lang_get ('filter_match_all'); } ?> - <input type="hidden" name="match_type" value="<?php echo $t_filter[FILTER_PROPERTY_MATCH_TYPE]?>"/> + <input type="hidden" name="match_type" value="<?php echo string_attribute( $t_filter[FILTER_PROPERTY_MATCH_TYPE] )?>"/> </td> <td colspan="6"> </td> </tr> -- 1.8.1.1 | ||||
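Review bot: this is the master-1.2.x hunk verbatim apart from the offset (3395 vs 3400), and the commit message's "correctly sanitised" overstates what it does: string_attribute() encodes the value for this one attribute context, it does not clean it, and the attacker's string is still stored in the filter and resubmitted from this hidden input on the next form post. A regression test that requests search.php?match_type=%22%3E%3Cscript%3E and asserts the response contains no raw <script and an intact value="..." attribute would document the fix and catch the same pattern elsewhere; the input-side gpc_get_int() change raised in the issue should land on master alongside this.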
Hi, Damien asked me to write here more details about this vulnerability, so below is a short description of how to reproduce this bug. Another good 'point of view' is to check the 2 screens I've uploaded. The match_type parameter is vulnerable to persistent XSS. Feel free to ask if you need anything more with this case. :) Cheers o/

Confirmed with live URL:

@rombert, the match_type parameter [1] was introduced as part of your commit 5b491868 (or filter logic). Is there any particular reason for using gpc_get_string here? Since the filter type can only be a preset list of integer values as defined by constants (FILTERMATCH*), I would say gpc_get_int would be more appropriate, no? Let me know your thoughts. [1] https://github.com/mantisbt/mantisbt/blame/master-1.2.x/view_all_set.php#L205

Thanks for reporting this issue Jakub. Patched with a quick fix for now. Refer to Damien's comment about why gpc_get_string is being called for more detailed information about a better solution. A CVE ID has been requested from the oss-security mailing list and we should hopefully have a mantisbt-1.2.13 build rolled out very soon.

(In reply to comment 0015373:0034815)
Damien, I've updated the code to use gpc_get_int and the XSS vulnerability is gone. All - let me know if the fix is proper, or I'll rework it if needed. Thanks for the rapid reaction and sorry for introducing the vulnerability.

CVE-2013-0197 was assigned to this vulnerability on the oss-security mailing list.

It would appear that my e-mail from this morning to the oss-security list has still not been posted - not sure if it's awaiting moderation or if it got lost somewhere in Internet Limbo (tm). Just in case, you might want to inform them that CVE-2013-0197 only applies to 1.2.12, and not to earlier versions.

Follow-up fix based on 0015373:0034815 can be found in 0015388.

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.
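The quick fix and the follow-up fix side by side, as an added example that is not MantisBT code and not part of this issue: a stand-alone PHP script that reproduces the attribute-context break-out from the report (search.php?match_type="><script..., with the payload constructed here) against a hypothetical renderHiddenMatchTypeVulnerable() mirroring the pre-patch echo, then applies output escaping as in commit bbc6b4f3 and input typing as in commit 610da6ec. stringAttribute() and gpcGetInt() are imitations of MantisBT's string_attribute() and gpc_get_int(), not the real functions, and the FILTER_MATCH_* values are assumed (0 for "any", 1 for "all").

```php
<?php
// Added example, not MantisBT code. Reproduces the match_type attribute-context
// XSS (CVE-2013-0197) and the two fixes discussed in the issue.
// All function names below are stand-ins; stringAttribute() and gpcGetInt()
// imitate MantisBT's string_attribute() / gpc_get_int(), they are not the real ones.

// Assumed values for MantisBT's FILTER_MATCH_* constants.
const FILTER_MATCH_ANY = 0;
const FILTER_MATCH_ALL = 1;

// Constructed payload with the shape from the report: search.php?match_type="><script...
// It closes the value="" attribute and the <input> tag, then injects a script element.
const PAYLOAD = '"><script>alert(document.cookie)</script>';

// 1. Vulnerable (pre-patch code path): the raw request value lands inside an attribute.
function renderHiddenMatchTypeVulnerable(string $matchType): string {
    return '<input type="hidden" name="match_type" value="' . $matchType . '"/>';
}

// 2. Quick fix (commits bbc6b4f3 / f5ac454e): encode at the output point.
// The value sits in a double-quoted attribute, so " < > & must be encoded;
// ENT_QUOTES also covers ' for templates that use single-quoted attributes.
function stringAttribute(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderHiddenMatchTypeEscaped(string $matchType): string {
    return '<input type="hidden" name="match_type" value="' . stringAttribute($matchType) . '"/>';
}

// 3. Follow-up fix (commits 610da6ec / 45f9e746): the parameter can only ever be one of
// a few integers, so enforce the type where it is read. Anything that is not an
// integer (absent, empty, or the payload above) collapses to the default.
function gpcGetInt(array $request, string $name, int $default): int {
    if (!array_key_exists($name, $request)) {
        return $default;
    }
    $value = filter_var($request[$name], FILTER_VALIDATE_INT);
    return $value === false ? $default : $value;
}

// Whitelist on top of the type check: an integer outside the known set is not a filter.
function normaliseMatchType(int $value): int {
    return in_array($value, [FILTER_MATCH_ANY, FILTER_MATCH_ALL], true) ? $value : FILTER_MATCH_ANY;
}

function renderHiddenMatchTypeTyped(array $request): string {
    $matchType = normaliseMatchType(gpcGetInt($request, 'match_type', FILTER_MATCH_ANY));
    // An int can never contain a quote or angle bracket, so the cast to string is safe here.
    return '<input type="hidden" name="match_type" value="' . $matchType . '"/>';
}

// Minimal check a tester can apply to the rendered fragment: no raw <script, and the
// value attribute still closes where the template put its closing quote.
function attributeStaysClosed(string $html): bool {
    return strpos($html, '<script') === false
        && preg_match('/value="[^"]*"\/>/', $html) === 1;
}

$request = ['match_type' => PAYLOAD];   // what $_GET holds for the attack URL

$vuln    = renderHiddenMatchTypeVulnerable($request['match_type']);
$escaped = renderHiddenMatchTypeEscaped($request['match_type']);
$typed   = renderHiddenMatchTypeTyped($request);

echo "vulnerable: $vuln\n";
echo "escaped:    $escaped\n";
echo "typed:      $typed\n";

$ok = !attributeStaysClosed($vuln) && attributeStaysClosed($escaped) && attributeStaysClosed($typed);
exit($ok ? 0 : 1);
```

Run it with php on the command line; it exits 0 only when the raw rendering breaks out of the attribute and both fixed renderings keep it closed. The escaped variant still sends the attacker's string back to the browser (encoded) and back to the server on the next form submit, whereas the typed variant never stores it at all, which is why the int-based follow-up is the stronger fix and why output escaping should be kept as well for any remaining string-typed filter fields.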
MantisBT: master f5ac454e 2013-01-18 05:43
Fix 0015373: match_type XSS vulnerability Jakub Galczyk discovered[1] a cross site scripting (XSS) vulnerability in MantisBT 1.2.12 and earlier versions that allows a malicious person to trick the browser of a target user into executing arbitrary JavaScript via the URL: search.php?match_type="><script... This vulnerability is particularly wide reaching due to search.php being usable by anonymous users on public facing installations of MantisBT (no user account required). The value of the "match_type" filter parameter is now correctly sanitised prior to use in the HTML output displaying the current filter settings. [1] http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html
Affected Issues 0015373
mod - core/filter_api.php

MantisBT: master-1.2.x bbc6b4f3 2013-01-18 05:43
Fix 0015373: match_type XSS vulnerability Jakub Galczyk discovered[1] a cross site scripting (XSS) vulnerability in MantisBT 1.2.12 and earlier versions that allows a malicious person to trick the browser of a target user into executing arbitrary JavaScript via the URL: search.php?match_type="><script... This vulnerability is particularly wide reaching due to search.php being usable by anonymous users on public facing installations of MantisBT (no user account required). The value of the "match_type" filter parameter is now correctly sanitised prior to use in the HTML output displaying the current filter settings. [1] http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html
Affected Issues 0015373
mod - core/filter_api.php

MantisBT: master-1.2.x 610da6ec 2013-01-18 15:22
filter api: always treat FILTER_PROPERTY_MATCH_TYPE as an int value Based on @dregad's comments, this follows up on @dhx's fix. Fixes 0015373: XSS vulnerability
Affected Issues 0015373
mod - core/filter_api.php
mod - view_all_set.php

MantisBT: master 45f9e746 2013-01-18 15:22
filter api: always treat FILTER_PROPERTY_MATCH_TYPE as an int value Based on @dregad's comments, this follows up on @dhx's fix. Fixes 0015373: XSS vulnerability
Affected Issues 0015373
mod - core/filter_api.php
mod - view_all_set.php