View Issue Details

ID: 0019301
Project: mantisbt
Category: security
View Status: public
Last Update: 2016-08-15 09:02
Reporter: best2121
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform: ubuntu 14.01
Product Version: 1.2.13
Target Version: 1.2.20
Fixed in Version: 1.2.20
Summary: 0019301: CVE-2015-2046 : XSS in adm_config_report.php (FG-VD-15-008)
Description

Vulnerability Notification
Jan 29, 2015
Tracking Case #: FG-VD-15-008

Dear MantisBT,

The following information pertains to information discovered by Fortinet's FortiGuard Labs. It has been determined that a vulnerability exists in MantisBT. To streamline the disclosure process, we have created a preliminary advisory which you can find below. This upcoming advisory is purely intended as a reference, and does not contain sensitive information such as proof of concept code.

As a mature corporation involved in security research, we strive to responsibly disclose vulnerability information. We will not post an advisory until we determine it is appropriate to do so in co-ordination with the vendor, unless one of the following situations occurs:

1) If public proof of concept code is released, increasing the danger of the vulnerability being exploited in the wild
2) A patch or update has been released to provide protection against the given vulnerability
3) We receive explicit permission from the vendor

We look forward to working closely with you to resolve this issue, and kindly ask for your co-operation during this time. Please let us know if you have any further questions, and we will promptly respond to address any issues.

If this message is not encrypted, it is because we could not find your key to do so. If you have one available for use, please notify us and we will ensure that this is used in future correspondence. We ask you use our public PGP key to encrypt and communicate any sensitive information with us. You may find the key on our FortiGuard center at: http://www.fortiguardcenter.com/pgp_key.html

Type of Vulnerability & Repercussions:
Cross-Site Scripting

Affected Software:
mantisbt-1.2.19

Upcoming Advisory Reference:
http://www.fortiguard.com/advisory/UpcomingAdvisories.html

Credits:
This vulnerability was discovered by Fortinet's FortiGuard Labs.

Proof of Concept:
After logging into Mantis as administrator, paste the following PoC in Firefox address bar. Firefox pops up a dialog with a value specified in the PoC.

http://172.22.5.7/mantis/adm_config_report.php?save=1&filter_user_id=0&filter_project_id=0&filter_config_id=1'+selected="selected"+><script>alert(1234567);</script>+<option+value='1&apply_filter_button=Apply+Filter
http://172.22.5.7/mantis/adm_config_report.php?save=1&filter_user_id=0&filter_project_id=0&filter_config_id=1'+selected="selected"+></select></td></tr></table></form><img onerror=alert(1) src=a>+<form><table><tr><td><select><option+value='1&apply_filter_button=Apply+Filter

Notes:
1) 172.22.5.7 is the IP address of mantis.
2) The PoCs work in both Firefox and IE11. To have the PoC work in IE, you need to manually disable the IE XSS filter.
3) Tested on the following platforms:
Ubuntu 14.01 x64 with mantisbt-1.2.19

Additional Information:
A reflected Cross-Site Scripting vulnerability was discovered in Mantis. Attackers can include malicious script code to manipulate specific user requests and modules. The vulnerability also allows attackers to hijack users' sessions with injected script code.

Steps To Reproduce

After logging into Mantis as administrator, paste the following PoC in Firefox address bar. Firefox pops up a dialog with a value specified in the PoC.

http://172.22.5.7/mantis/adm_config_report.php?save=1&filter_user_id=0&filter_project_id=0&filter_config_id=1'+selected="selected"+><script>alert(1234567);</script>+<option+value='1&apply_filter_button=Apply+Filter
http://172.22.5.7/mantis/adm_config_report.php?save=1&filter_user_id=0&filter_project_id=0&filter_config_id=1'+selected="selected"+></select></td></tr></table></form><img onerror=alert(1) src=a>+<form><table><tr><td><select><option+value='1&apply_filter_button=Apply+Filter
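As an added illustration (not MantisBT's code and not the attached patch) of why the first PoC above breaks out of the filter's option attribute, and how the patch's whitelist approach combined with attribute escaping neutralises it; `config_get_global_stub()`, its option list, `is_blank()` and the value of META_FILTER_NONE are assumptions standing in for MantisBT internals.

```php
<?php
// Added illustration, not MantisBT's code or the attached patch. The value of
// META_FILTER_NONE and the list of "known" options are assumptions.
define( 'META_FILTER_NONE', -2 );

// Stand-in for MantisBT's config_get_global(): only these names are real options.
function config_get_global_stub( $p_name ) {
    static $t_known = array( 'allow_signup' => 1, 'webmaster_email' => 'admin@example.com' );
    return isset( $t_known[$p_name] ) ? $t_known[$p_name] : null;
}

function is_blank( $p_value ) {
    return trim( (string)$p_value ) === '';
}

// Same logic as check_config_value() in the attached patch: a name that is not
// META_FILTER_NONE, not blank and not a known option collapses to META_FILTER_NONE.
function check_config_value( $p_config ) {
    if( $p_config != META_FILTER_NONE
        && !is_blank( $p_config )
        && is_null( config_get_global_stub( $p_config ) ) ) {
        return META_FILTER_NONE;
    }
    return $p_config;
}

// Vulnerable shape: the request value is dropped into the attribute untouched,
// so a single quote in it closes the attribute early.
function render_option_unsafe( $p_value ) {
    return "<option value='" . $p_value . "'>" . $p_value . "</option>";
}

// Hardened shape: whitelist first, then escape for the attribute context
// (ENT_QUOTES turns a single quote into &#039;).
function render_option_safe( $p_value ) {
    $t_value = (string)check_config_value( $p_value );
    $t_escaped = htmlspecialchars( $t_value, ENT_QUOTES, 'UTF-8' );
    return "<option value='" . $t_escaped . "'>" . $t_escaped . "</option>";
}

// Constructed input: the filter_config_id value of the first PoC, URL-decoded.
$t_poc = "1' selected=\"selected\" ><script>alert(1234567);</script> <option value='1";

echo render_option_unsafe( $t_poc ), "\n";       // attribute closed early, <script> reaches the page
echo render_option_safe( $t_poc ), "\n";         // unknown name -> value '-2', nothing injected
echo render_option_safe( 'allow_signup' ), "\n"; // a real option name passes through unchanged
// Escaping alone would also defuse this PoC; the whitelist additionally rejects
// names that are not real options, the gap reported separately in 0017889.
```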

Tags: No tags attached.

Attached Files: 0001-Fix-19301-XSS-in-adm_config_report.php.patch (2,216 bytes)
From 0b4546365817a6024d773e5ce66492351c8f7fc9 Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Fri, 30 Jan 2015 23:50:40 +0100
Subject: [PATCH] Fix #19301: XSS in adm_config_report.php

The 'filter_config_id' was not properly sanitized before being
displayed.

This vulnerability was discovered by Fortinet's FortiGuard Labs.
---
 adm_config_report.php | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/adm_config_report.php b/adm_config_report.php
index d762491..6370d93 100644
--- a/adm_config_report.php
+++ b/adm_config_report.php
@@ -103,6 +103,21 @@
 		}
 	}
 
+	/**
+	 * Ensures the given config is valid
+	 * @param string $p_config Configuration name
+	 * @return string|integer Config name if valid, or META_FILTER_NONE of not
+	 */
+	function check_config_value( $p_config ) {
+		if(    $p_config != META_FILTER_NONE
+		   && !is_blank( $p_config )
+		   && is_null( @config_get_global( $p_config ) )
+		) {
+			return META_FILTER_NONE;
+		}
+		return $p_config;
+	}
+
 
 	# Get filter values
 	$t_filter_save          = gpc_get_bool( 'save' );
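Review bot: the docblock on check_config_value() says "or META_FILTER_NONE of not"; it should read "or not". On the logic: this is a whitelist, not an escaper. A value is kept only when config_get_global() knows it, so the PoC's `1' selected="selected" ><script>...` collapses to META_FILTER_NONE before it can be rendered, while a blank value is passed back unchanged and META_FILTER_NONE itself short-circuits on the first condition. The `@` on `config_get_global()` silences whatever that lookup emits for malformed names; a one-line comment saying the suppression is intentional would help the next reader, and the template that prints the filter should still HTML-escape the returned value rather than depend on this check alone. Minor: the hunk leaves two consecutive blank lines after the closing brace.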
@@ -119,7 +134,7 @@
 	} else {
 		$t_filter_user_value    = gpc_get_int( 'filter_user_id', ALL_USERS );
 		$t_filter_project_value = gpc_get_int( 'filter_project_id', ALL_PROJECTS );
-		$t_filter_config_value  = gpc_get_string( 'filter_config_id', META_FILTER_NONE );
+		$t_filter_config_value  = check_config_value( gpc_get_string( 'filter_config_id', META_FILTER_NONE ) );
 	}
 
 	# Manage filter's persistency through cookie
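Review bot: routing gpc_get_string( 'filter_config_id', META_FILTER_NONE ) through check_config_value() closes the request path the PoC uses, and the default META_FILTER_NONE satisfies the helper's first condition so no config lookup runs when the parameter is absent. One nit: gpc_get_string() returns a string and the helper compares it to the integer META_FILTER_NONE with `!=`, so the outcome depends on PHP's loose string-to-number comparison; an explicit cast and strict comparison in the helper would make the intent unambiguous.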
@@ -144,18 +159,11 @@
 
 			$t_filter_user_value    = $t_cookie_contents[0];
 			$t_filter_project_value = $t_cookie_contents[1];
-			$t_filter_config_value  = $t_cookie_contents[2];
+			$t_filter_config_value  = check_config_value( $t_cookie_contents[2] );
 
 			if( $t_filter_project_value != META_FILTER_NONE && !project_exists( $t_filter_project_value ) ) {
 				$t_filter_project_value = ALL_PROJECTS;
 			}
-
-			if(    $t_filter_config_value != META_FILTER_NONE
-			   && !is_blank( $t_filter_config_value )
-			   && @config_get_global( $t_filter_config_value ) === null
-			) {
-				$t_filter_config_value = META_FILTER_NONE;
-			}
 		}
 	}
 
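Review bot: the cookie branch now reuses check_config_value() and the deleted inline block was its exact equivalent (`@config_get_global( ... ) === null` versus `is_null( @config_get_global( ... ) )`), so this hunk is a pure refactor with no behaviour change. Worth checking, though: `$t_cookie_contents[2]` is read without a visible element-count check, so a truncated or tampered cookie hands null to the helper, and null is neither META_FILTER_NONE nor (presumably) non-blank, so it would come back as null rather than META_FILTER_NONE. If the cookie's field count is not validated above this hunk, passing a default such as `isset( $t_cookie_contents[2] ) ? $t_cookie_contents[2] : META_FILTER_NONE` would keep the filter in a well-defined state, as the project check just below does with ALL_PROJECTS.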
-- 
2.1.0

Relationships

related to 0017889 (closed, dregad): CVE-2014-8986: adm_config_report.php filtering does not check config option is valid
has duplicate 0020108 (closed, dregad): CVE-2015-2046 : XSS in adm_config_report.php (FG-VD-15-008)
related to 0019384 (closed, atrol): Multiple Cross-Site Scripting Vulnerabilities
related to 0020107 (closed, cproensa): config report filter by option name doesnt work for some options

Activities

dregad (developer), 2015-01-30 02:55, note ~0048738

Many thanks for the bug report. I will look into it and let you know if I need additional information.

dregad (developer), 2015-01-30 11:10, note ~0048747

I can confirm the issue exists in MantisBT 1.2.13 onwards.

It's worth mentioning that in versions 1.2.13 to 1.2.16, using the provided steps to reproduce as-is actually triggers an SQL error, which means that they are likely also vulnerable to SQL injection. Using a slightly modified URL does allow JavaScript execution.

Versions <= 1.2.12 are not affected (the filters did not exist then).

In 1.3.x branch (>= 1.3.0-beta.1), the vulnerability exists as well although CSP effectively prevents script execution on supported browsers.

dregad (developer), 2015-01-30 11:21, note ~0048748

Have you already reserved a CVE for this issue? If so, please let me know the ID when you have it. If not, are you planning to get one, or do you mind if I do it myself (giving you proper credit, of course)?

best2121 (reporter), 2015-01-30 18:46, note ~0048751

I have not reserved a CVE for the issue, please get a CVE yourself, thanks.

dregad (developer), 2015-02-02 05:13, note ~0048766

OK, will do.

I would appreciate if you could review and test the proposed patch (attached), and confirm that it fully resolves the issue.

best2121 (reporter), 2015-02-02 05:43, note ~0048767

I confirm the XSS issue has been resolved after applying the proposed patch. (apply patch cli: patch -p1 < 0001-Fix-19301-XSS-in-adm_config_report.php.patch)

If you have any other questions, please let me know.

dregad (developer), 2015-02-09 16:54, note ~0048807

CVE request http://article.gmane.org/gmane.comp.security.oss.general/15760

dregad (developer), 2015-02-13 16:58, note ~0048819

grangeway pointed out [1] that this might actually be the same issue as his original discovery (see 0017889), so marking that issue as related to this one.

[1] http://article.gmane.org/gmane.comp.security.oss.general/15765

best2121 (reporter), 2015-03-03 01:59, note ~0049123

When will the mantisbt version fixing the issue be released ?

best2121 (reporter), 2015-04-22 21:24, note ~0050601

When will the official patch be released?

Thanks,

best2121 (reporter), 2015-09-10 19:11, note ~0051443

Can you add the XSS vulnerability credit (CVE-2015-2046) to the changelog for MantisBT 1.3.0-beta-3? I see MantisBT 1.3.0-beta-3 was released on 2015-09-06. The vulnerability was reported six months ago.

dregad (developer), 2015-09-14 03:21, note ~0051460

Done 0020108

best2121 (reporter), 2015-09-23 21:03, note ~0051525

Can you please make following change? When will the official fix be released?

  • 0020108: [security] CVE-2015-2046 : XSS in adm_config_report.php (FG-VD-15-008) (dregad) - resolved.

==>

  • 0020108: [security] CVE-2015-2046 : XSS in adm_config_report.php (discovered by Fortinet's FortiGuard Labs) (dregad) - resolved.

Related Changesets

MantisBT: master-1.2.x 6defeed5 (2015-01-30 12:50, dregad)

Fix 0019301: XSS in adm_config_report.php

The 'filter_config_id' was not properly sanitized before being
displayed.

This vulnerability was discovered by Fortinet's FortiGuard Labs.

Affected Issues: 0019301
mod - adm_config_report.php

MantisBT: master 3c6f6e56 (2015-01-30 12:50, dregad)

Fix 0019301: XSS in adm_config_report.php

The 'filter_config_id' was not properly sanitized before being
displayed.

This vulnerability was discovered by Fortinet's FortiGuard Labs.

Affected Issues: 0019301, 0020108
mod - adm_config_report.php