View Issue Details

IDProjectCategoryView StatusLast Update
0021090mantisbtsecuritypublic2016-06-12 00:42
Reporterdregad Assigned Todregad  
Status closedResolutionfixed 
Product Version1.3.0-beta.1 
Target Version1.3.0-rc.2Fixed in Version1.3.0-rc.2 
Summary0021090: CVE-2016-5364: Reflected XSS inside manage_custom_field_edit_page.php

This is a clone of 0020956 to track the vulnerability in 1.3.x branch

TagsNo tags attached.


duplicate of 0020956 closeddregad CVE-2016-5364: Reflected XSS inside manage_custom_field_edit_page.php 


There are no notes attached to this issue.

Related Changesets

MantisBT: master 11ab3d6c

2016-05-27 05:39:58


Details Diff
Fix XSS in custom fields management

Kacper Szurek ( discovered an XSS
vulnerability in Custom fields management pages, caused by unescaped
output of 'return URL' GPC parameter. His report describes two ways to
exploit this issue:

1. using 'accesskey' inside hidden input field (see [1]) reflects XSS to
the administrator in manage_custom_field_edit_page.php when the
keyboard shortcut is actioned
2. using 'javascript:' URI scheme executes the code when the user clicks
the [Proceed] link on manage_custom_field_update.php after updating
a custom field

This commit fixes both attack vectors:

- properly escape the return URL prior to printing it on the hidden form
- let html_operation_successful() sanitize the URL before displaying
it, just like html_meta_redirect() does. In this case, if the
string contains an URI scheme, it will be replaced by 'index.php'


Fixes 0020956
Affected Issues
0020956, 0021090
mod - core/html_api.php Diff File
mod - manage_custom_field_edit_page.php Diff File