View Issue Details
Field | Value
---|---
ID | 0017890
Project | mantisbt
Category | security
View Status | public
Date Submitted | 2014-11-15 11:49
Last Update | 2014-12-05 18:33
Reporter | grangeway
Assigned To | dregad
Priority | high
Severity | major
Reproducibility | always
Status | closed
Resolution | fixed
Product Version | 1.1.0a1
Target Version | 1.2.18
Fixed in Version | 1.2.18
Summary | 0017890: CVE-2014-9269: XSS in extended project browser
Description | When using the optional "Extended project browser", MantisBT becomes vulnerable to cross-site scripting attacks using forged cookies as the vector.
Steps To Reproduce |
Additional Information | Extended project browser allows projects to be passed in as A;B. helper_get_current_project() and helper_get_current_project_trace() then explode the string on ';' and don't check that A is an int (representing a project/sub-project id). Finally, print_extended_project_browser() prints the result of the split into a JavaScript array.
Tags | No tags attached.
Attached Files | grangeway1.patch (1,924 bytes), contents below
From 5c55e6c6357c67d91b5f4cbec5846c30e3b94ab8 Mon Sep 17 00:00:00 2001 From: Paul Richards <paul@mantisforge.org> Date: Sat, 18 Oct 2014 23:32:59 +0100 Subject: [PATCH] Fix Cross-Site Scripting issue via helper_get_current_project <paulr_> there's no bug in tracker for this one <paulr_> it's in helper get project trace <paulr_> anyway, helper_get_current_project_trace is WEIRD as it allows ;'s <paulr_> aka 0;0 <paulr_> when used with subproject browser <paulr_> there's a XSS "vulnerbility" in that PROJECT_COOKIE if you could get that set to something <paulr_> the subproject browser displays it in raw text <paulr_> so I think we should always cast as int <paulr_> a) whether there's any realistic way to exploit that... <paulr_> b) in 1.3, code in trace functions for ; <paulr_> but the 2 project browser weird thing is gone <dregad> you know, it would be a lot easier if you did this the right way, i.e. private issue on the tracker <dregad> and attach the patch to it ;) <paulr_> I couldn't work out before we the explode logic in trace actually is needed anymore --- core/helper_api.php | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/core/helper_api.php b/core/helper_api.php index 8579212..c88c747 100644 --- a/core/helper_api.php +++ b/core/helper_api.php @@ -232,6 +232,9 @@ function helper_get_current_project() { $t_project_id = $t_pref->default_project; } else { $t_project_id = explode( ';', $t_project_id ); + foreach( $t_project_id as $t_key => $t_id ) { + $t_project_id[$t_key] = (int)$t_id; + } $t_project_id = $t_project_id[count( $t_project_id ) - 1]; } @@ -272,6 +275,9 @@ function helper_get_current_project_trace() { } else { $t_project_id = explode( ';', $t_project_id ); + foreach( $t_project_id as $t_key => $t_id ) { + $t_project_id[$t_key] = (int)$t_id; + } $t_bottom = $t_project_id[count( $t_project_id ) - 1]; } -- 1.9.4.msysgit.1 | ||||
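Review bot: in the first hunk (helper_get_current_project(), around line 232), the added foreach casts every element of the exploded cookie value, but the very next line keeps only the last element (`$t_project_id[count( $t_project_id ) - 1]`), so the loop does work that is thrown away. A single cast on that one element is enough here, e.g. `$t_project_id = (int)$t_project_id[count( $t_project_id ) - 1];`, which is also the simplification the merged changeset describes.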
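Review bot: in the second hunk (helper_get_current_project_trace(), around line 275), the per-element cast is the right scope because the whole exploded array is kept as the trace, not just its last element. Two things to note: `(int)` on a non-numeric piece silently yields 0, which MantisBT uses as the ALL_PROJECTS id, so a tampered cookie degrades to the all-projects view rather than being rejected, which is acceptable for closing the XSS but worth a comment in the code; and `$t_bottom`, taken from the already-cast array, is now an int, so any later cast applied to it further down the function becomes redundant and can be dropped.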
MantisBT: master-1.2.x 511564cc 2014-11-15 03:57
Fix 0017890: XSS in extended project browser. Extended project browser allows projects to be passed in as A;B. helper_get_current_project() and helper_get_current_project_trace() then explode the string on ';' and don't check that A is an int (a project / sub-project id). Finally, print_extended_project_browser() prints the result of the split into a JavaScript array. Paul Richards discovered the issue and wrote the original patch for it. His code was modified to remove a redundant typecast as well as an unnecessary foreach loop in helper_get_current_project(), replacing it with a single type cast.
Affected Issues: 0017890
mod - core/helper_api.php
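The following is an added, self-contained PHP example written for this page; it is not MantisBT's own code. It models the flow described under Additional Information and in the commit message: a PROJECT_COOKIE value such as `A;B` is split on `;`, the last piece becomes the current project, and the pieces end up inside a JavaScript array literal. The function names (`project_trace_unsafe`, `project_trace_safe`, `current_project`, `js_trace_unsafe`, `js_trace_safe`) and the sample cookie values are constructed for the example; the value 0 used as the fallback is the id MantisBT assigns to ALL_PROJECTS.

```php
<?php
// Added example, not MantisBT's own code. Models the cookie handling this
// issue describes; all function names here are hypothetical.

// Vulnerable shape: the cookie value is split on ';' and every piece is
// trusted as-is (the pre-fix behaviour of the two helper functions).
function project_trace_unsafe( $p_cookie_value ) {
    return explode( ';', $p_cookie_value );
}

// Hardened shape: every piece is cast to int before use, as the fix does
// in helper_get_current_project_trace(). A non-numeric piece becomes 0,
// which is MantisBT's ALL_PROJECTS id, so it can never carry markup.
function project_trace_safe( $p_cookie_value ) {
    $t_trace = explode( ';', $p_cookie_value );
    foreach( $t_trace as $t_key => $t_id ) {
        $t_trace[$t_key] = (int)$t_id;
    }
    return $t_trace;
}

// Current project is the last element of the trace, as in
// helper_get_current_project(). Only that element is used there, which is
// why a single cast (rather than a loop) is enough in that function.
function current_project( $p_cookie_value ) {
    $t_trace = explode( ';', $p_cookie_value );
    return (int)$t_trace[count( $t_trace ) - 1];
}

// Models print_extended_project_browser() before the fix: the pieces are
// concatenated raw into a JavaScript array literal inside a <script> block.
function js_trace_unsafe( array $p_trace ) {
    return 'var t_trace = [' . implode( ',', $p_trace ) . '];';
}

// Safe emitter: ints only, and json_encode with the HEX flags so that even
// if a string ever reached this point, '<', '>', '&' and quotes would be
// escaped rather than interpreted by the browser.
function js_trace_safe( array $p_trace ) {
    $t_ints = array_map( 'intval', $p_trace );
    return 'var t_trace = ' . json_encode(
        $t_ints,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    ) . ';';
}

// Constructed sample PROJECT_COOKIE values: a legitimate trace (project 3,
// sub-project 7) and a tampered one whose second piece is not an id at all.
$t_samples = array(
    '3;7',
    '3;<tampered>',
);

foreach( $t_samples as $t_cookie ) {
    echo "cookie: $t_cookie\n";
    echo '  unsafe: ' . js_trace_unsafe( project_trace_unsafe( $t_cookie ) ) . "\n";
    echo '  safe:   ' . js_trace_safe( project_trace_safe( $t_cookie ) ) . "\n";
    echo '  current project: ' . current_project( $t_cookie ) . "\n";
}
```

Run with `php example.php`. For the legitimate cookie both emitters produce the same array literal; for the tampered cookie the unsafe emitter passes the non-numeric piece straight into the page, while the hardened path reduces it to 0 and the current project falls back to ALL_PROJECTS. The defensive point matches the fix: cast at the point where the cookie is parsed, so every consumer downstream (including the JavaScript emitter) only ever sees integers.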