View Issue Details

ID: 0017297
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-12-05 18:33
Reporter: muts
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.0a1
Target Version: 1.2.18
Fixed in Version: 1.2.18
Summary: 0017297: CVE-2014-9272: XSS in string_insert_hrefs allows script execution

Description

Add a bugnote with this line for
PoC: &javascript://%E2%80%A8alert(document.domain)

The problem lies in
https://github.com/mantisbt/mantisbt/blob/master/core/string_api.php, the
function "string_insert_hrefs" doesn't validate the protocol, which is why
one can make this link (with some quirks) and execute javascript.

Tags: No tags attached.

Relationships

child of 0017362 (closed, dregad): Multiple vulnerabilities in MantisBT

Activities

muts (reporter), 2014-05-08 07:03, note ~0040232

&javascript://%E2%80%A8alert(document.domain)

dregad (developer), 2014-11-27 19:13, note ~0041934

I'm thinking of restricting the list of "valid" URI schemes that get turned into anchor links using the following regex:

(?:https?|s?ftp|file|irc[6s]?|ssh|telnet|nntp|git|svn(?:+ssh)?|cvs):\/\/

Anything you believe should be added to that list?
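To make the proposed allowlist concrete, the following is an added Python example (not MantisBT code; the real string_insert_hrefs is PHP) that uses the scheme regex from the note above as the gate in a minimal linkifier, next to a constructed loose pattern standing in for the unvalidated "anything followed by ://" matching that the changeset message describes. The escaped `svn(?:\+ssh)?` (an unescaped `+` directly after `(?:` is a regex syntax error), the sample text, and the helper names `insert_hrefs` and `linkified_schemes` are assumptions of this example, not the project's own.

```python
import html
import re

# Scheme allowlist from note ~0041934 on this issue. The note's "svn(?:+ssh)?"
# is written "svn(?:\+ssh)?" here because an unescaped "+" right after "(?:"
# is a syntax error in both PCRE and Python's re module.
ALLOWED_SCHEMES = r"(?:https?|s?ftp|file|irc[6s]?|ssh|telnet|nntp|git|svn(?:\+ssh)?|cvs)"

# What may follow "scheme://" for linkification purposes; whitespace, quotes
# and angle brackets end the URL.
URL_BODY = r"[^\s<>\"']+"

# The lookbehind stops a match from starting in the middle of a word or path,
# so "javascript://" cannot be salvaged by matching a suffix such as "ssh://".
_START = r"(?<![\w/])"

# Constructed stand-in for the pre-fix behaviour: any token shaped like
# <scheme>:// is accepted, so "javascript://..." is turned into a link.
LOOSE_URL_RE = re.compile(_START + r"([a-z][a-z0-9+.-]*://" + URL_BODY + r")", re.IGNORECASE)

# Hardened form: the scheme must come from the allowlist. IGNORECASE keeps the
# allowlist effective against mixed-case variants such as "JavaScript://".
STRICT_URL_RE = re.compile(_START + r"(" + ALLOWED_SCHEMES + r"://" + URL_BODY + r")", re.IGNORECASE)

# Constructed sample: two legitimate URLs plus the PoC string from this report.
SAMPLE_TEXT = (
    "See https://example.com/docs and svn+ssh://host/repo. "
    "PoC from the report: &javascript://%E2%80%A8alert(document.domain)"
)


def insert_hrefs(text: str, pattern: re.Pattern = STRICT_URL_RE) -> str:
    """Wrap every URL accepted by `pattern` in an <a> element.

    Hypothetical helper, not MantisBT's string_insert_hrefs. Only the anchor
    it inserts is HTML-escaped; escaping of the surrounding text is left to
    the caller, as in any real linkifier pipeline.
    """
    def repl(m: re.Match) -> str:
        url = m.group(1)
        # quote=True escapes '"' so the URL cannot break out of the href attribute.
        return f'<a href="{html.escape(url, quote=True)}">{html.escape(url)}</a>'

    return pattern.sub(repl, text)


def linkified_schemes(text: str, pattern: re.Pattern = STRICT_URL_RE) -> list:
    """Return the (lower-cased) scheme of every URL `pattern` would link."""
    return [m.group(1).split("://", 1)[0].lower() for m in pattern.finditer(text)]


if __name__ == "__main__":
    print("loose :", linkified_schemes(SAMPLE_TEXT, LOOSE_URL_RE))
    print("strict:", linkified_schemes(SAMPLE_TEXT))
    print(insert_hrefs(SAMPLE_TEXT))
```

Running it shows the loose pattern linkifying three schemes, including `javascript`, while the strict pattern links only `https` and `svn+ssh` and leaves the PoC text as plain text. The allowlist, rather than a denylist of known-bad schemes, is the point: any scheme not explicitly recognised (javascript, data, vbscript, or a future one) stays inert.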

dregad (developer), 2014-12-01 02:28, note ~0041948

CVE request sent: http://thread.gmane.org/gmane.comp.security.oss.general/14956

Related Changesets

MantisBT: master-1.2.x 05378e00, 2014-11-27 19:15:28, dregad

Fix 0017297: XSS in string_insert_hrefs

The URL matching regex in the function did not validate the protocol,
allowing an attacker to use 'javascript://' to execute arbitrary code.

Issue was discovered by Mathias Karlsson (http://mathiaskarlsson.me)
and reported by Offensive Security (http://www.offensive-security.com/).
Affected Issues: 0017297
mod - core/string_api.php

MantisBT: master 66c142dc, 2014-11-27 19:15:28, dregad

Fix 0017297: XSS in string_insert_hrefs

The URL matching regex in the function did not validate the protocol,
allowing an attacker to use 'javascript://' to execute arbitrary code.

Issue was discovered by Mathias Karlsson (http://mathiaskarlsson.me)
and reported by Offensive Security (http://www.offensive-security.com/).
Affected Issues: 0017297
mod - core/string_api.php

Issue History

Date Modified Username Field Change
2014-05-08 07:03 muts New Issue
2014-05-08 07:03 muts Note Added: 0040232
2014-05-08 10:20 dregad Status new => acknowledged
2014-05-08 10:20 dregad View Status public => private
2014-05-21 14:58 atrol Relationship added related to 0017362
2014-05-29 03:27 grangeway Assigned To => grangeway
2014-05-29 03:27 grangeway Status acknowledged => assigned
2014-11-07 17:15 atrol Assigned To grangeway =>
2014-11-07 17:15 atrol Status assigned => acknowledged
2014-11-14 19:14 dregad Severity minor => major
2014-11-14 19:14 dregad Status acknowledged => confirmed
2014-11-14 19:14 dregad Target Version => 1.2.18
2014-11-14 19:14 dregad Summary Persistent XSS in mantis BT => XSS in string_insert_hrefs allows script execution
2014-11-14 19:17 dregad Product Version => 1.2.0a1
2014-11-14 19:27 dregad Relationship replaced child of 0017362
2014-11-27 19:13 dregad Note Added: 0041934
2014-12-01 02:23 dregad Changeset attached => MantisBT master-1.2.x 05378e00
2014-12-01 02:23 dregad Assigned To => dregad
2014-12-01 02:23 dregad Status confirmed => resolved
2014-12-01 02:23 dregad Resolution open => fixed
2014-12-01 02:23 dregad Fixed in Version => 1.2.18
2014-12-01 02:28 dregad View Status private => public
2014-12-01 02:28 dregad Note Added: 0041948
2014-12-05 03:05 dregad Summary XSS in string_insert_hrefs allows script execution => CVE-2014-9272: XSS in string_insert_hrefs allows script execution
2014-12-05 18:14 dregad Changeset attached => MantisBT master 66c142dc
2014-12-05 18:33 dregadmin Status resolved => closed