View Issue Details

ID: 0022568
Project: mantisbt
Category: security
View Status: public
Last Update: 2017-04-01 00:13
Reporter: YelinAndZhangdongsheng
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.3.0-beta.1
Target Version: 1.3.9
Fixed in Version: 1.3.9
Summary0022568: CVE-2017-7241: XSS in move_attachments_page.php
Description

Cross-Site Scripting Vulnerability in the 'move_attachments_page.php' page.

The 'type' parameter of the admin/move_attachments_page.php page in MantisBT is vulnerable to a cross-site scripting vulnerability when JavaScript is supplied via a GET or POST request.

The exploitation example below uses the "alert()" JavaScript function to display the word "XSS".

Steps To Reproduce

Install the latest MantisBT with all default settings. Log in as administrator.
Navigate to the URL:
http://mantisServerIP/admin/move_attachments_page.php?type="><script>alert('XSSVenusTech')</script>

Unexpected result:
There is a popup saying 'XSSvenusTech'.

Additional Information

We would appreciate it if you could confirm and log a CVE for this issue.
Reporter:
Yelin and Zhangdongsheng from VenusTech (http://www.venustech.com.cn)
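The report above describes an unescaped request parameter echoed into an HTML attribute. The following PHP is an added illustration, not MantisBT's own code: it renders the hidden input with and without attribute escaping, and adds an input-side allowlist as a second layer. escape_attribute() is a stand-in assumed to behave like MantisBT's string_attribute() (htmlspecialchars with quotes encoded), and the allowed values in validate_type() are assumed for illustration.

```php
<?php
// Added example (not MantisBT's own code). Shows why splicing the raw 'type'
// parameter into the hidden input's value attribute lets a crafted value break
// out of the attribute, and how attribute escaping keeps it inert.

// Constructed payload, equivalent to the one in the report above.
$f_file_type = '"><script>alert(\'XSSVenusTech\')</script>';

// Stand-in for string_attribute(): assumed to escape like htmlspecialchars()
// with ENT_QUOTES, so both quote styles and angle brackets become entities.
function escape_attribute( string $p_string ): string {
	return htmlspecialchars( $p_string, ENT_QUOTES | ENT_HTML401, 'UTF-8' );
}

// Before the fix: the leading "> closes the <input> tag and everything after
// it is parsed by the browser as markup, including the <script> element.
function render_before( string $p_type ): string {
	return '<input name="type" type="hidden" value="' . $p_type . '" />';
}

// After the fix: the value stays inside the attribute as plain text.
function render_after( string $p_type ): string {
	return '<input name="type" type="hidden" value="' . escape_attribute( $p_type ) . '" />';
}

// Defense in depth: the page only ever needs a small set of known values for
// 'type', so reject anything else where the parameter is read from the request.
// The allowlist here is assumed for illustration, not taken from MantisBT.
function validate_type( string $p_type ): string {
	$t_allowed = array( 'bug', 'project' );
	if( !in_array( $p_type, $t_allowed, true ) ) {
		throw new InvalidArgumentException( 'Unexpected attachment type' );
	}
	return $p_type;
}

echo "Before: " . render_before( $f_file_type ) . "\n";
echo "After:  " . render_after( $f_file_type ) . "\n";

try {
	validate_type( $f_file_type );
} catch( InvalidArgumentException $e ) {
	echo "Rejected at input: " . $e->getMessage() . "\n";
}
```

Running it prints the un-escaped markup (a closed input followed by a script element) next to the escaped form, where the same bytes remain a harmless attribute value.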

TagsNo tags attached.

Relationships

related to 0015496 closeddregad Script to move attachments from db to disk not working 
parent of 0022614 closeddregad CVE-2017-7241: XSS in move_attachments_page.php 
parent of 0022615 closeddregad CVE-2017-7241: XSS in move_attachments_page.php 

Activities

dregad (developer) ~0056173, 2017-03-23 05:48 (last edited 2017-03-23 05:58)

Issue introduced in 1.3.0-beta.1 MantisBT master 8b29d42b

Edit: actually, first affected version is 1.2.16 MantisBT master-1.2.x 6da8b234

dregad (developer) ~0056177, 2017-03-23 09:46

CVE Request 310067

dregad (developer) ~0056184, 2017-03-24 12:17

@YelinAndZhangdongsheng please find attached a patch that I believe will address the issue, and kindly confirm that it does for you as well.

Attachment: 0001-Fix-XSS-in-move_attachments_page.php.patch (1,225 bytes)
From 2b9c1ad16c063ec97a298b877631b75d8a6d5922 Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Fri, 24 Mar 2017 17:02:07 +0100
Subject: [PATCH] Fix XSS in move_attachments_page.php

Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/
reported a vulnerability in the Move Attachments admin page, allowing
an attacker to inject arbitrary code through a crafted 'type'
parameter.

Sanitize the 'type' parameter prior to output, to ensure HTML special
characters are properly escaped.

Fixes #22568
---
 admin/move_attachments_page.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/admin/move_attachments_page.php b/admin/move_attachments_page.php
index c7c806e..96dfe35 100644
--- a/admin/move_attachments_page.php
+++ b/admin/move_attachments_page.php
@@ -188,7 +188,7 @@ if( isset( $t_projects[ALL_PROJECTS] ) ) {
 	
 </table>
 <div class="widget-toolbox padding-8 clearfix">
-	<input name="type" type="hidden" value="<?php echo $f_file_type ?>" />
+	<input name="type" type="hidden" value="<?php echo string_attribute( $f_file_type); ?>" />
 	<input type="submit" class="btn btn-primary btn-white btn-round" value="Move Attachments" />
 </div>
 </div>
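Review bot: string_attribute() on the echoed value is the right escaping primitive for a double-quoted attribute, but the call's spacing `string_attribute( $f_file_type);` does not match the `( ... )` style used elsewhere in the file; make it `string_attribute( $f_file_type )`. Since the value is only carried forward through a hidden field, also consider validating 'type' against the expected values where it is read from the request, so that output escaping is not the sole defense.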
-- 
2.7.4

dregad (developer) ~0056185, 2017-03-24 12:25

Oh and one more thing, it would be nice of you to tell us if you are still researching additional security issues in MantisBT, and expect to be filing additional issues in the next few days. If so, we would postpone releasing the new versions until you're done, to reduce our overhead in preparing the releases. Thanks in advance for your understanding.

YelinAndZhangdongsheng (reporter) ~0056190, 2017-03-25 01:41

Thanks for the prompt proceeding.
We confirmed the problem is addressed by the attached patch.

We do not linger to gather security issues to keep them, but walk on,
for security issues might keep themselves blooming all the way.
When we have insights, we will share.
Please feel free to release the build in your tempo as no security backlog at this moment.

Bests,
Yelin and Zhangdongsheng

YelinAndZhangdongsheng (reporter) ~0056191, 2017-03-25 03:01

@dregad
Please hold off releasing the new product version for a while.
We might have run into another security vulnerability candidate and will come back to you in half an hour after double-checking it.
Bests,
Yelin and Zhangdongsheng

dregad (developer) ~0056295, 2017-03-31 04:01

OSS-security mailing list announcement http://www.openwall.com/lists/oss-security/2017/03/30/4

Related Changesets

MantisBT: master-1.3.x d31841c8 (dregad, 2017-03-24 12:02:07)

Fix XSS in move_attachments_page.php

Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/
reported a vulnerability in the Move Attachments admin page, allowing
an attacker to inject arbitrary code through a crafted 'type'
parameter.

Sanitize the 'type' parameter prior to output, to ensure HTML special
characters are properly escaped.

Fixes 0022568

Backported from 2.2.x ecef0e9b523a460709e8feedfce72f05bb30b992
Conflicts:
admin/move_attachments_page.php
Modified: admin/move_attachments_page.php

MantisBT: master-2.1 2d55c647 (dregad, 2017-03-24 12:02:07)

Fix XSS in move_attachments_page.php
Modified: admin/move_attachments_page.php

MantisBT: master-2.2 ecef0e9b (dregad, 2017-03-24 12:02:07)

Fix XSS in move_attachments_page.php
Modified: admin/move_attachments_page.php

Issue History

Date Modified | Username | Field | Change
2017-03-22 16:42 YelinAndZhangdongsheng New Issue
2017-03-22 17:15 atrol Status new => confirmed
2017-03-22 17:15 atrol Relationship added related to 0015496
2017-03-23 05:48 dregad Product Version 2.2.2 => 1.3.0-beta.1
2017-03-23 05:48 dregad Target Version => 1.3.9
2017-03-23 05:48 dregad Note Added: 0056173
2017-03-23 05:58 dregad Note Edited: 0056173 View Revisions
2017-03-23 09:46 dregad Assigned To => dregad
2017-03-23 09:46 dregad Status confirmed => assigned
2017-03-23 09:46 dregad Note Added: 0056177
2017-03-24 12:17 dregad File Added: 0001-Fix-XSS-in-move_attachments_page.php.patch
2017-03-24 12:17 dregad Note Added: 0056184
2017-03-24 12:19 dregad Summary XSS in move_attachments_page.php => CVE-2017-7241: XSS in move_attachments_page.php
2017-03-24 12:25 dregad Note Added: 0056185
2017-03-25 01:41 YelinAndZhangdongsheng Note Added: 0056190
2017-03-25 03:01 YelinAndZhangdongsheng Note Added: 0056191
2017-03-30 12:04 dregad Changeset attached => MantisBT master-1.3.x d31841c8
2017-03-30 12:04 dregad Status assigned => resolved
2017-03-30 12:04 dregad Resolution open => fixed
2017-03-30 12:04 dregad Fixed in Version => 1.3.9
2017-03-30 12:04 dregad Changeset attached => MantisBT master-2.1 2d55c647
2017-03-30 12:05 dregad Changeset attached => MantisBT master-2.2 ecef0e9b
2017-03-30 12:12 dregad Issue cloned: 0022614
2017-03-30 12:12 dregad Relationship added parent of 0022614
2017-03-30 12:13 dregad Issue cloned: 0022615
2017-03-30 12:13 dregad Relationship added parent of 0022615
2017-03-30 12:15 dregad View Status private => public
2017-03-31 04:01 dregad Note Added: 0056295
2017-04-01 00:13 vboctoradmin Status resolved => closed