View Issue Details

ID: 0017297
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-12-05 18:33
Reporter: muts
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.0a1
Target Version: 1.2.18
Fixed in Version: 1.2.18
Summary: 0017297: CVE-2014-9272: XSS in string_insert_hrefs allows script execution
Description

Add a bugnote with this line for
PoC: &javascript://%E2%80%A8alert(document.domain)

The problem lies in
https://github.com/mantisbt/mantisbt/blob/master/core/string_api.php, the
function "string_insert_hrefs" doesn't validate the protocol, which is why
one can make this link (with some quirks) and execute javascript.

Tags: No tags attached.

Relationships

child of 0017362 (closed, dregad): Multiple vulnerabilities in MantisBT

Activities

muts (reporter), 2014-05-08 07:03, ~0040232

&javascript://%E2%80%A8alert(document.domain)

dregad (developer), 2014-11-27 19:13, ~0041934

I'm thinking of restricting the list of "valid" URI schemes that get turned into anchor links using the following regex:

(?:https?|s?ftp|file|irc[6s]?|ssh|telnet|nntp|git|svn(?:\+ssh)?|cvs):\/\/

Anything you believe should be added to that list?
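As an added illustration (not MantisBT's code and not part of the issue thread): a small Python linkifier in the shape of string_insert_hrefs, run once with a pattern that accepts any scheme before "://" (the pre-fix behaviour the report describes) and once with the scheme allowlist proposed above. The sample bug-note text is constructed here; the allowlist regex is the one from the comment, with the "+" of svn+ssh escaped. Python is used instead of the project's PHP so the example can be executed directly; the regex constructs are the same ones PCRE accepts.

```python
import html
import re

# Scheme allowlist proposed in the issue thread (note ~0041934); the "+" of
# svn+ssh is escaped so the alternation compiles.
SCHEME_ALLOWLIST = r"(?:https?|s?ftp|file|irc[6s]?|ssh|telnet|nntp|git|svn(?:\+ssh)?|cvs)"

# URL body after "scheme://": constructed for this example. It stops at
# whitespace and at the HTML-significant characters, so a linkified URL
# cannot close its own attribute or tag.
URL_BODY = r"[^\s<>\"']+"

# Pre-fix shape: any scheme-looking token before "://" is linkified.
# Simplified stand-in for the behaviour the report describes, not the
# regex MantisBT actually shipped.
ANY_SCHEME_RE = re.compile(r"\b([a-z][a-z0-9+.-]*://" + URL_BODY + r")", re.IGNORECASE)

# Post-fix shape: only allowlisted schemes may become anchors.
SAFE_SCHEME_RE = re.compile(r"\b(" + SCHEME_ALLOWLIST + r"://" + URL_BODY + r")", re.IGNORECASE)

# Constructed bug-note text: two legitimate links plus the PoC line quoted
# in the report (kept as literal text, not URL-decoded).
SAMPLE_NOTE = (
    "See https://www.mantisbt.org/bugs/ and svn+ssh://svn.example.org/repo\n"
    "PoC: &javascript://%E2%80%A8alert(document.domain)"
)


def insert_hrefs(text, url_re):
    """HTML-escape `text` and wrap every URL matched by `url_re` in an anchor.

    Non-URL segments and the URL itself are escaped separately, so the only
    markup in the output is the anchors this function adds.
    """
    parts = []
    pos = 0
    for m in url_re.finditer(text):
        parts.append(html.escape(text[pos:m.start()]))
        url = html.escape(m.group(1), quote=True)
        parts.append(f'<a href="{url}">{url}</a>')
        pos = m.end()
    parts.append(html.escape(text[pos:]))
    return "".join(parts)


def linkified_schemes(text, url_re):
    """Return the lower-cased schemes of the URLs `url_re` would turn into links."""
    return [m.group(1).split("://", 1)[0].lower() for m in url_re.finditer(text)]


if __name__ == "__main__":
    print("any scheme :", linkified_schemes(SAMPLE_NOTE, ANY_SCHEME_RE))
    print("allowlisted:", linkified_schemes(SAMPLE_NOTE, SAFE_SCHEME_RE))
    print(insert_hrefs(SAMPLE_NOTE, SAFE_SCHEME_RE))
```

With the permissive pattern the PoC line becomes an anchor whose href starts with javascript:, which is exactly the defect reported; with the allowlist it is emitted as escaped text while the https and svn+ssh links are still linkified. The escaping of URL and surrounding text is independent of the scheme check and is what keeps a matched URL from injecting markup of its own.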

dregad (developer), 2014-12-01 02:28, ~0041948

CVE request sent http://thread.gmane.org/gmane.comp.security.oss.general/14956

Related Changesets

MantisBT: master-1.2.x 05378e00
2014-11-27 14:15, dregad

Fix 0017297: XSS in string_insert_hrefs

The URL matching regex in the function did not validate the protocol,
allowing an attacker to use 'javascript://' to execute arbitrary code.

Issue was discovered by Mathias Karlsson (http://mathiaskarlsson.me)
and reported by Offensive Security (http://www.offensive-security.com/).

Affected Issues: 0017297
mod - core/string_api.php

MantisBT: master 66c142dc
2014-11-27 14:15, dregad

Fix 0017297: XSS in string_insert_hrefs

The URL matching regex in the function did not validate the protocol,
allowing an attacker to use 'javascript://' to execute arbitrary code.

Issue was discovered by Mathias Karlsson (http://mathiaskarlsson.me)
and reported by Offensive Security (http://www.offensive-security.com/).

Affected Issues: 0017297
mod - core/string_api.php