View Issue Details
| Field | Value | Field | Value | Field | Value |
|---|---|---|---|---|---|
| ID | 0019301 | Project | mantisbt | Category | security |
| View Status | public | Date Submitted | 2015-01-30 01:18 | Last Update | 2016-08-15 09:02 |
| Reporter | best2121 | Assigned To | dregad | | |
| Priority | high | Severity | major | Reproducibility | always |
| Status | closed | Resolution | fixed | | |
| Platform | ubuntu 14.01 | | | | |
| Product Version | 1.2.13 | | | | |
| Target Version | 1.2.20 | Fixed in Version | 1.2.20 | | |
| Summary | 0019301: CVE-2015-2046 : XSS in adm_config_report.php (FG-VD-15-008) | | | | |
Description:

Vulnerability Notification

Dear MantisBT,

The following information pertains to information discovered by Fortinet's FortiGuard Labs. It has been determined that a vulnerability exists in MantisBT. To streamline the disclosure process, we have created a preliminary advisory which you can find below. This upcoming advisory is purely intended as a reference, and does not contain sensitive information such as proof of concept code.

As a mature corporation involved in security research, we strive to responsibly disclose vulnerability information. We will not post an advisory until we determine it is appropriate to do so in co-ordination with the vendor unless one of the following situations occurs:

1) If public proof of concept code is released, increasing the danger of the vulnerability being exploited in the wild

We look forward to working closely with you to resolve this issue, and kindly ask for your co-operation during this time. Please let us know if you have any further questions, and we will promptly respond to address any issues.

If this message is not encrypted, it is because we could not find your key to do so. If you have one available for use, please notify us and we will ensure that this is used in future correspondence. We ask you use our public PGP key to encrypt and communicate any sensitive information with us. You may find the key on our FortiGuard center at: http://www.fortiguardcenter.com/pgp_key.html

Type of Vulnerability & Repercussions:
Affected Software:
Upcoming Advisory Reference:
Credits:
Proof of Concept: http://172.22.5.7/mantis/adm_config_report.php?save=1&filter_user_id=0&filter_project_id=0&filter_config_id=1'+selected="selected"+><script>alert(1234567);</script>+<option+value='1&apply_filter_button=Apply+Filter
Notes:
Additional Information:
Steps To Reproduce:

After logging into Mantis as administrator, paste the following PoC in the Firefox address bar. Firefox pops up a dialog with the value specified in the PoC.

http://172.22.5.7/mantis/adm_config_report.php?save=1&filter_user_id=0&filter_project_id=0&filter_config_id=1'+selected="selected"+><script>alert(1234567);</script>+<option+value='1&apply_filter_button=Apply+Filter
Tags: No tags attached.

Attached Files: 0001-Fix-19301-XSS-in-adm_config_report.php.patch (2,216 bytes)
From 0b4546365817a6024d773e5ce66492351c8f7fc9 Mon Sep 17 00:00:00 2001 From: Damien Regad <dregad@mantisbt.org> Date: Fri, 30 Jan 2015 23:50:40 +0100 Subject: [PATCH] Fix #19301: XSS in adm_config_report.php The 'filter_config_id' was not properly sanitized before being displayed. This vulnerability was discovered by Fortinet's FortiGuard Labs. --- adm_config_report.php | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/adm_config_report.php b/adm_config_report.php index d762491..6370d93 100644 --- a/adm_config_report.php +++ b/adm_config_report.php @@ -103,6 +103,21 @@ } } + /** + * Ensures the given config is valid + * @param string $p_config Configuration name + * @return string|integer Config name if valid, or META_FILTER_NONE of not + */ + function check_config_value( $p_config ) { + if( $p_config != META_FILTER_NONE + && !is_blank( $p_config ) + && is_null( @config_get_global( $p_config ) ) + ) { + return META_FILTER_NONE; + } + return $p_config; + } + # Get filter values $t_filter_save = gpc_get_bool( 'save' ); @@ -119,7 +134,7 @@ } else { $t_filter_user_value = gpc_get_int( 'filter_user_id', ALL_USERS ); $t_filter_project_value = gpc_get_int( 'filter_project_id', ALL_PROJECTS ); - $t_filter_config_value = gpc_get_string( 'filter_config_id', META_FILTER_NONE ); + $t_filter_config_value = check_config_value( gpc_get_string( 'filter_config_id', META_FILTER_NONE ) ); } # Manage filter's persistency through cookie 
@@ -144,18 +159,11 @@ $t_filter_user_value = $t_cookie_contents[0]; $t_filter_project_value = $t_cookie_contents[1]; - $t_filter_config_value = $t_cookie_contents[2]; + $t_filter_config_value = check_config_value( $t_cookie_contents[2] ); if( $t_filter_project_value != META_FILTER_NONE && !project_exists( $t_filter_project_value ) ) { $t_filter_project_value = ALL_PROJECTS; } - - if( $t_filter_config_value != META_FILTER_NONE - && !is_blank( $t_filter_config_value ) - && @config_get_global( $t_filter_config_value ) === null - ) { - $t_filter_config_value = META_FILTER_NONE; - } } } -- 2.1.0 | ||||
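Review bot: the new check_config_value() in the first hunk accepts a filter value only if config_get_global() returns something non-null for it, so this is an allow-list on option names rather than output encoding; an option name that has no global value (one set only through the config report in the database) is treated as unknown and dropped to META_FILTER_NONE, which is the behaviour described in related issue 0020107. Worth keeping HTML escaping where the selected filter value is written back into the option markup, so the page does not rest on the allow-list alone. Minor: the docblock line "Config name if valid, or META_FILTER_NONE of not" should read "if not".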
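Review bot: in the second hunk the cookie-derived value now goes through check_config_value() at assignment and the inline block testing `@config_get_global( $t_filter_config_value ) === null` is removed, so the request path and the cookie path share one validation; the helper's is_null() test is equivalent to the removed `=== null`. One thing this hunk does not show is any check that $t_cookie_contents has a third element before `$t_cookie_contents[2]` is read; if the split happens without such a check, a malformed cookie hands an undefined index to the helper, so a length check before these assignments would be worth adding or confirming.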
| Relationship | Issue | Status | Assigned To | Summary |
|---|---|---|---|---|
| related to | 0017889 | closed | dregad | CVE-2014-8986: adm_config_report.php filtering does not check config option is valid |
| has duplicate | 0020108 | closed | dregad | CVE-2015-2046 : XSS in adm_config_report.php (FG-VD-15-008) |
| related to | 0019384 | closed | atrol | Multiple Cross-Site Scripting Vulnerabilities |
| related to | 0020107 | closed | cproensa | config report filter by option name doesnt work for some options |
Many thanks for the bug report. I will look into it and let you know if I need additional information.

I can confirm the issue exists in MantisBT 1.2.13 onwards. It's worth mentioning that in versions 1.2.13 to 1.2.16, using the provided steps to reproduce as-is actually triggers an SQL error, which means that they are also likely vulnerable to SQL injection too. Using a slightly modified URL does allow javascript execution. Versions <= 1.2.12 are not affected (the filters did not exist then). In the 1.3.x branch (>= 1.3.0-beta.1), the vulnerability exists as well, although CSP effectively prevents script execution on supported browsers.

Have you already reserved a CVE for this issue? If so, please let me know the ID when you have it. If not, are you planning to get one, or do you mind if I do it myself (giving you proper credit, of course)?

I have not reserved a CVE for the issue; please get a CVE yourself, thanks.

OK, will do. I would appreciate it if you could review and test the proposed patch (attached), and confirm that it fully resolves the issue.

I confirm the XSS issue has been resolved after applying the proposed patch (apply patch CLI: patch -p1 < 0001-Fix-19301-XSS-in-adm_config_report.php.patch). If you have other questions, please let me know.
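The attached patch fixes the issue by allow-listing the filter value (it must name a real config option) rather than by encoding it on output. The following is an added example, not MantisBT's code: a stand-alone PHP model of the option markup before and after the fix, where config_get_global_stub(), is_blank(), the two render_option_* functions, the option names and the META_FILTER_NONE value of -1 are all assumptions made for the example.

```php
<?php
// Added example, not MantisBT's code. Models the adm_config_report.php filter
// handling stand-alone; option names and the sentinel value are constructed.
define( 'META_FILTER_NONE', -1 );   // assumed value of the MantisBT sentinel

// Stub for config_get_global(): only these names count as existing options.
$g_known_options = array( 'allow_signup' => 0, 'webmaster_email' => 'root@localhost' );

function config_get_global_stub( $p_option ) {
	global $g_known_options;
	return isset( $g_known_options[$p_option] ) ? $g_known_options[$p_option] : null;
}

function is_blank( $p_value ) {
	return trim( (string)$p_value ) === '';
}

// Same rule as the patch's check_config_value(): a value that is not the
// sentinel, not blank and not a known option name collapses to META_FILTER_NONE.
function check_config_value( $p_config ) {
	if( $p_config != META_FILTER_NONE
		&& !is_blank( $p_config )
		&& is_null( config_get_global_stub( $p_config ) )
	) {
		return META_FILTER_NONE;
	}
	return $p_config;
}

// Before the fix: the request value reaches the single-quoted attribute as-is,
// so a value containing a quote rewrites the <option> markup around it.
function render_option_unsafe( $p_value ) {
	return "<option value='" . $p_value . "' selected=\"selected\">" . $p_value . "</option>";
}

// After the fix: validate first (what the patch does) and escape at the output
// point as well, so the markup stays intact even if the allow-list is bypassed.
function render_option_safe( $p_value ) {
	$t_attr = htmlspecialchars( (string)check_config_value( $p_value ), ENT_QUOTES, 'UTF-8' );
	return "<option value='" . $t_attr . "' selected=\"selected\">" . $t_attr . "</option>";
}

// Constructed input in the shape of the report's PoC: closes the quote, ends
// the tag and opens a script element.
$t_payload = "1' ><script>alert(1)</script><option value='1";
echo render_option_unsafe( $t_payload ), "\n";    // script element lands inside the page
echo render_option_safe( $t_payload ), "\n";      // validated value is the sentinel; attribute stays intact
echo render_option_safe( 'allow_signup' ), "\n";  // a real option name is kept
```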

CVE request: http://article.gmane.org/gmane.comp.security.oss.general/15760

grangeway pointed out [1] that this might actually be the same issue as his original discovery (see 0017889), so marking that issue as related to this one. [1] http://article.gmane.org/gmane.comp.security.oss.general/15765

When will the mantisbt version fixing the issue be released?

When will the official patch be released? Thanks,

Can you add the XSS vulnerability credit (CVE-2015-2046) in the changelog for MantisBT 1.3.0-beta-3? I see MantisBT 1.3.0-beta-3 was released on 2015-09-06. The vulnerability was reported six months ago.

Done 0020108

Can you please make the following change? When will the official fix be released?
==>

MantisBT: master-1.2.x 6defeed5 2015-01-30 12:50
Fix 0019301: XSS in adm_config_report.php
The 'filter_config_id' was not properly sanitized before being displayed. This vulnerability was discovered by Fortinet's FortiGuard Labs.
Affected Issues: 0019301
mod - adm_config_report.php

MantisBT: master 3c6f6e56 2015-01-30 12:50
Fix 0019301: XSS in adm_config_report.php
The 'filter_config_id' was not properly sanitized before being displayed. This vulnerability was discovered by Fortinet's FortiGuard Labs.
Affected Issues: 0019301, 0020108
mod - adm_config_report.php