View Issue Details

ID: 0022579
Project: mantisbt
Category: security
View Status: public
Last Update: 2017-04-01 00:13
Reporter: YelinAndZhangdongsheng
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.3.0-rc.2
Target Version: 1.3.9
Fixed in Version: 1.3.9
Summary: 0022579: CVE-2017-7309: XSS in adm_config_report.php
Description

Cross-Site Scripting Vulnerability in the 'adm_config_report.php' page.

The /adm_config_report.php page's 'config_option' parameter in MantisBT is vulnerable to a cross-site scripting vulnerability when JavaScript is supplied via a GET or POST request.

The exploitation example below uses the "alert()" JavaScript function to display "XSS" word.

Steps To Reproduce

Install the latest MantisBT with all default settings. Log in as administrator.
Navigate to the URL:
http://mantisServer/adm_config_report.php?config_option="><script>alert('XSSVenusTech')</script>

Unexpected result:
There is a popup wizard saying 'XSSVenusTech'

Additional Information

It would be highly appreciated if you could confirm this issue and log a CVE for it.
Reporter:
Yelin and Zhangdongsheng from VenusTech (http://www.venustech.com.cn)

Tags: No tags attached.

Relationships

related to 0022537 (closed, dregad): CVE-2017-6973: XSS in adm_config_report.php
parent of 0022612 (closed, dregad): CVE-2017-7309: XSS in adm_config_report.php
parent of 0022613 (closed, dregad): CVE-2017-7309: XSS in adm_config_report.php
related to 0020058 (closed, cproensa): Updating config items in configuration report adds new ones

Activities

dregad (developer) ~0056194

2017-03-25 07:26 (last edited: 2017-03-25 10:27)

Introduced as part of MantisBT master 13bda674 (issue 0020058)

dregad (developer) ~0056266

2017-03-29 12:32

CVE Request 313160

dregad (developer) ~0056280

2017-03-30 11:44

@YelinAndZhangdongsheng the attached patch (for 1.3.0 and 2.2 branches) resolves the issue.

0001-Fix-XSS-in-adm_config_report.php.patch-1.3.x (1,243 bytes)
0001-Fix-XSS-in-adm_config_report.php.patch-2.x (1,300 bytes)

YelinAndZhangdongsheng (reporter) ~0056293

2017-03-30 22:04

Yes. Neat fix.
We confirmed the output escaping counteracted this 'config_option' attack vector.
Bests,
Yelin and Zhangdongsheng

dregad (developer) ~0056294

2017-03-31 03:58

Thanks for the feedback. FYI, I announced the CVEs on the Open-Source Security mailing list last night.
http://www.openwall.com/lists/oss-security/2017/03/30/4

Related Changesets

MantisBT: master-1.3.x c9e5b1d0

2017-03-25 10:23:51

dregad

Fix XSS in adm_config_report.php

Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/
reported a vulnerability in the Configuration Report page, allowing an
attacker to inject arbitrary code through a crafted 'config_option'
parameter.

Sanitize the parameter prior to output, to ensure HTML special
characters are properly escaped.

Fixes 0022579
mod - adm_config_report.php
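The commit message above describes the fix as escaping HTML special characters in the 'config_option' parameter before it is output. The PHP below is an added illustration of that change, not MantisBT's code and not the attached patch: the function names, the form markup and the sample value are constructed for this example, and it uses PHP's built-in htmlspecialchars() rather than whatever wrapper the real patch uses, since the patch body is not reproduced on this page.

```php
<?php
// Added example (not MantisBT's own code): two ways of rendering a
// user-supplied 'config_option' filter value back into an HTML form.
// Function names, the markup and the sample input are constructed for
// illustration; they are not taken from adm_config_report.php.

// The 'before' behaviour described in the report: the raw parameter is
// echoed into an attribute value, so a double quote followed by an angle
// bracket closes the attribute and the rest is parsed as markup.
function render_filter_unsafe($config_option) {
    return '<input type="text" name="config_option" value="'
        . $config_option . '" />';
}

// The 'after' behaviour described by the fix commit: HTML special
// characters are escaped before output. ENT_QUOTES also escapes single
// quotes, so the same function is safe inside single-quoted attributes;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the string.
function render_filter_safe($config_option) {
    $escaped = htmlspecialchars($config_option, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="config_option" value="'
        . $escaped . '" />';
}

// Defender's check: the rendered HTML must contain exactly one tag (our
// own <input>) and must not contain the raw, unescaped value.
function contains_raw_markup($html, $value) {
    $tag_count = preg_match_all('/<[a-z]/i', $html);
    return strpos($html, $value) !== false || $tag_count > 1;
}

// Constructed sample input in the shape reported in this issue: a quote
// to close the attribute, then a tag.
$sample = '"><script>alert(1)</script>';

$unsafe = render_filter_unsafe($sample);
$safe   = render_filter_safe($sample);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";

// The unsafe rendering leaks the tag; the escaped rendering keeps the
// value confined to the attribute as text.
assert(contains_raw_markup($unsafe, $sample) === true);
assert(contains_raw_markup($safe, $sample) === false);
```

Escaping at the output site, as the commit does, is the right layer: the value is stored and compared as the user typed it, and only the HTML rendering changes. Escaping on input instead would alter the stored config option name and still leave other output paths unprotected.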

MantisBT: master-2.1 0243375e

2017-03-25 10:23:51

dregad

Fix XSS in adm_config_report.php

Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/
reported a vulnerability in the Configuration Report page, allowing an
attacker to inject arbitrary code through a crafted 'config_option'
parameter.

Sanitize the parameter prior to output, to ensure HTML special
characters are properly escaped.

Ported from 1.3.x commit c9e5b1d0404503022605459552faeaf610bf15ae.

Fixes 0022579
mod - adm_config_report.php

MantisBT: master-2.2 e881dd79

2017-03-25 10:23:51

dregad

Fix XSS in adm_config_report.php

Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/
reported a vulnerability in the Configuration Report page, allowing an
attacker to inject arbitrary code through a crafted 'config_option'
parameter.

Sanitize the parameter prior to output, to ensure HTML special
characters are properly escaped.

Ported from 1.3.x commit c9e5b1d0404503022605459552faeaf610bf15ae.

Fixes 0022579
mod - adm_config_report.php

Issue History

Date Modified Username Field Change
2017-03-25 03:23 YelinAndZhangdongsheng New Issue
2017-03-25 06:51 dregad Relationship added related to 0022562
2017-03-25 07:00 dregad Relationship added related to 0022537
2017-03-25 07:11 dregad Relationship deleted related to 0022562
2017-03-25 07:13 dregad Status new => confirmed
2017-03-25 07:17 dregad Relationship added related to 0020058
2017-03-25 07:26 dregad Product Version 2.2.2 => 1.3.0-rc.2
2017-03-25 07:26 dregad Target Version => 1.3.9
2017-03-25 07:26 dregad Note Added: 0056194
2017-03-25 10:27 dregad Note Edited: 0056194
2017-03-29 12:32 dregad Note Added: 0056266
2017-03-30 02:36 dregad Assigned To => dregad
2017-03-30 02:36 dregad Status confirmed => assigned
2017-03-30 02:36 dregad Summary XSS in adm_config_report.php => CVE-2017-7309: XSS in adm_config_report.php
2017-03-30 11:44 dregad File Added: 0001-Fix-XSS-in-adm_config_report.php.patch-1.3.x
2017-03-30 11:44 dregad File Added: 0001-Fix-XSS-in-adm_config_report.php.patch-2.x
2017-03-30 11:44 dregad Note Added: 0056280
2017-03-30 11:47 dregad Issue cloned: 0022612
2017-03-30 11:47 dregad Relationship added parent of 0022612
2017-03-30 11:50 dregad Issue cloned: 0022613
2017-03-30 11:50 dregad Relationship added parent of 0022613
2017-03-30 12:04 dregad Changeset attached => MantisBT master-1.3.x c9e5b1d0
2017-03-30 12:04 dregad Status assigned => resolved
2017-03-30 12:04 dregad Resolution open => fixed
2017-03-30 12:04 dregad Fixed in Version => 1.3.9
2017-03-30 12:04 dregad Changeset attached => MantisBT master-2.1 0243375e
2017-03-30 12:05 dregad Changeset attached => MantisBT master-2.2 e881dd79
2017-03-30 12:15 dregad View Status private => public
2017-03-30 22:04 YelinAndZhangdongsheng Note Added: 0056293
2017-03-31 03:58 dregad Note Added: 0056294
2017-04-01 00:13 vboctoradmin Status resolved => closed