View Issue Details

ID: 0022568
Project: mantisbt
Category: security
View Status: public
Last Update: 2017-04-01 00:13
Reporter: YelinAndZhangdongsheng
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.3.0-beta.1
Target Version: 1.3.9
Fixed in Version: 1.3.9
Summary: 0022568: CVE-2017-7241: XSS in move_attachments_page.php
Description

Cross-Site Scripting Vulnerability in 'move_attachments_page.php' page.

The 'type' parameter of the admin/move_attachments_page.php page in MantisBT is vulnerable to cross-site scripting when JavaScript is supplied via a GET or POST request.

The exploitation example below uses the "alert()" JavaScript function to display the word "XSS".

Steps To Reproduce

Install the latest MantisBT with all default settings. Log in as administrator.
Navigate to the URL:
http://mantisServerIP/admin/move_attachments_page.php?type="><script>alert('XSSVenusTech')</script>

Unexpected result:
There is a popup wizard saying 'XSSVenusTech'

Additional Information

We would highly appreciate it if you could confirm and log a CVE for this issue.
Reporters:
Yelin and Zhangdongsheng from VenusTech (http://www.venustech.com.cn)

Tags: No tags attached.
Attached Files: 0001-Fix-XSS-in-move_attachments_page.php.patch (see note ~0056184 below)

Relationships

related to 0015496 (closed, dregad): Script to move attachments from db to disk not working
parent of 0022614 (closed, dregad): CVE-2017-7241: XSS in move_attachments_page.php
parent of 0022615 (closed, dregad): CVE-2017-7241: XSS in move_attachments_page.php

Activities

dregad (developer)   ~0056173   2017-03-23 05:48   (last edited: 2017-03-23 05:58)

Issue introduced in 1.3.0-beta.1 MantisBT master 8b29d42b

Edit: actually, first affected version is 1.2.16 MantisBT master-1.2.x 6da8b234

dregad (developer)   ~0056177   2017-03-23 09:46

CVE Request 310067

dregad (developer)   ~0056184   2017-03-24 12:17

@YelinAndZhangdongsheng please find attached a patch that I believe will address the issue, and kindly confirm that it does for you as well.

0001-Fix-XSS-in-move_attachments_page.php.patch (1,225 bytes)
From 2b9c1ad16c063ec97a298b877631b75d8a6d5922 Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Fri, 24 Mar 2017 17:02:07 +0100
Subject: [PATCH] Fix XSS in move_attachments_page.php

Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/
reported a vulnerability in the Move Attachments admin page, allowing
an attacker to inject arbitrary code through a crafted 'type'
parameter.

Sanitize the 'type' parameter prior to output, to ensure HTML special
characters are properly escaped.

Fixes #22568
---
 admin/move_attachments_page.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/admin/move_attachments_page.php b/admin/move_attachments_page.php
index c7c806e..96dfe35 100644
--- a/admin/move_attachments_page.php
+++ b/admin/move_attachments_page.php
@@ -188,7 +188,7 @@ if( isset( $t_projects[ALL_PROJECTS] ) ) {
 	
 </table>
 <div class="widget-toolbox padding-8 clearfix">
-	<input name="type" type="hidden" value="<?php echo $f_file_type ?>" />
+	<input name="type" type="hidden" value="<?php echo string_attribute( $f_file_type); ?>" />
 	<input type="submit" class="btn btn-primary btn-white btn-round" value="Move Attachments" />
 </div>
 </div>
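Review bot: the escaping is the right fix for a double-quoted attribute value, provided string_attribute() also escapes quote characters (otherwise the leading `">` from the report would still terminate the value attribute), but the hunk covers only this one echo of $f_file_type; please confirm the same variable is not printed unescaped elsewhere in the page, since the `@@` header and the `</table>` context show this is one field in a larger form. Style nit on the `+` line: `string_attribute( $f_file_type);` pads the opening parenthesis but not the closing one, whereas the surrounding code (`isset( $t_projects[ALL_PROJECTS] )` in the hunk header) pads both, so `string_attribute( $f_file_type )` would match the file's convention.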
-- 
2.7.4
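As an added example that is not part of this bug report or of MantisBT's code, the snippet below reproduces the sink from the patch above in isolation: the removed line's raw concatenation beside an escaped version. string_attribute() is stood in for by htmlspecialchars() with ENT_QUOTES, which is an assumption about what it does; the helper names (render_hidden_type_unsafe, render_hidden_type_safe, attribute_escape, script_element_count, hidden_type_value) and the probe string are constructed for this example. Both fragments are then parsed with DOMDocument to show that the unescaped one yields a script element, while the escaped one yields a single input whose value attribute round-trips intact.

```php
<?php
// Added example, not MantisBT code. Demonstrates why echoing a request
// parameter straight into an attribute value is an XSS sink, and how
// attribute-context escaping neutralises it.

// Vulnerable rendering, mirroring the line the patch removes.
function render_hidden_type_unsafe(string $f_file_type): string {
    return '<input name="type" type="hidden" value="' . $f_file_type . '" />';
}

// Stand-in for string_attribute() (assumption: it escapes quotes as well as
// angle brackets). ENT_QUOTES covers both " and ', so a value cannot close the
// attribute it sits in; ENT_SUBSTITUTE keeps invalid UTF-8 from turning the
// whole value into an empty string.
function attribute_escape(string $p_string): string {
    return htmlspecialchars($p_string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Fixed rendering, mirroring the line the patch adds.
function render_hidden_type_safe(string $f_file_type): string {
    return '<input name="type" type="hidden" value="' . attribute_escape($f_file_type) . '" />';
}

// Parse a fragment the way a lenient HTML parser would, swallowing the
// warnings the malformed (unsafe) fragment triggers.
function parse_fragment(string $p_html): DOMDocument {
    $t_doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $t_doc->loadHTML('<!DOCTYPE html><html><body>' . $p_html . '</body></html>');
    libxml_clear_errors();
    return $t_doc;
}

// How many <script> elements the parser built from the fragment.
function script_element_count(string $p_html): int {
    return parse_fragment($p_html)->getElementsByTagName('script')->length;
}

// The decoded value attribute of the first <input>, or null if none survived.
function hidden_type_value(string $p_html): ?string {
    $t_inputs = parse_fragment($p_html)->getElementsByTagName('input');
    return $t_inputs->length > 0 ? $t_inputs->item(0)->getAttribute('value') : null;
}

// Constructed probe with the same shape as the report's payload: the leading
// quote and angle bracket are what break out of the attribute.
$t_probe = '"><script>alert(1)</script>';

$t_unsafe = render_hidden_type_unsafe($t_probe);
$t_safe   = render_hidden_type_safe($t_probe);

echo "unsafe markup: {$t_unsafe}\n";
echo "unsafe script elements: " . script_element_count($t_unsafe) . "\n";
echo "safe markup:   {$t_safe}\n";
echo "safe script elements:   " . script_element_count($t_safe) . "\n";
echo "safe value round-trips: " . var_export(hidden_type_value($t_safe) === $t_probe, true) . "\n";
```

Running it with the PHP CLI prints both fragments and the parser's view of each; the round-trip check is the useful regression property, since an escaping function that merely strips characters would also pass a "no script element" check while silently corrupting legitimate values.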

dregad (developer)   ~0056185   2017-03-24 12:25

Oh and one more thing, it would be nice of you to tell us if you are still researching additional security issues in MantisBT, and expect to be filing additional issues in the next few days. If so, we would postpone releasing the new versions until you're done, to reduce our overhead in preparing the releases. Thanks in advance for your understanding.

YelinAndZhangdongsheng (reporter)   ~0056190   2017-03-25 01:41

Thanks for proceeding promptly.
We confirmed the problem is addressed by the attached patch.

We do not linger to gather security issues to keep them, but walk on,
for security issues might keep themselves blooming all the way.
When we have insights, we will share.
Please feel free to release the build at your own tempo, as there is no security backlog at this moment.

Bests,
Yelin and Zhangdongsheng

YelinAndZhangdongsheng (reporter)   ~0056191   2017-03-25 03:01

@dregad
Please hold off on releasing the new product version for a while.
We might have run into another security vulnerability candidate and will come back to you in half an hour after double-checking it.
Bests,
Yelin and Zhangdongsheng

dregad (developer)   ~0056295   2017-03-31 04:01

OSS-security mailing list announcement: http://www.openwall.com/lists/oss-security/2017/03/30/4

Related Changesets

MantisBT: master-1.3.x d31841c8   2017-03-24 08:02   dregad
Fix XSS in move_attachments_page.php

Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/
reported a vulnerability in the Move Attachments admin page, allowing
an attacker to inject arbitrary code through a crafted 'type'
parameter.

Sanitize the 'type' parameter prior to output, to ensure HTML special
characters are properly escaped.

Fixes 0022568

Backported from 2.2.x ecef0e9b523a460709e8feedfce72f05bb30b992
Conflicts:
admin/move_attachments_page.php
Affected Issues: 0022568
mod - admin/move_attachments_page.php

MantisBT: master-2.1 2d55c647   2017-03-24 08:02   dregad
Fix XSS in move_attachments_page.php

Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/
reported a vulnerability in the Move Attachments admin page, allowing
an attacker to inject arbitrary code through a crafted 'type'
parameter.

Sanitize the 'type' parameter prior to output, to ensure HTML special
characters are properly escaped.

Fixes 0022568
Affected Issues: 0022568
mod - admin/move_attachments_page.php

MantisBT: master-2.2 ecef0e9b   2017-03-24 08:02   dregad
Fix XSS in move_attachments_page.php

Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/
reported a vulnerability in the Move Attachments admin page, allowing
an attacker to inject arbitrary code through a crafted 'type'
parameter.

Sanitize the 'type' parameter prior to output, to ensure HTML special
characters are properly escaped.

Fixes 0022568
Affected Issues: 0022568
mod - admin/move_attachments_page.php