View Issue Details
Field | Value
---|---
ID | 0023146
Project | mantisbt
Category | security
View Status | public
Date Submitted | 2017-07-24 01:30
Last Update | 2017-09-03 18:41
Reporter | iamsecurity
Assigned To | dregad
Priority | normal
Severity | major
Reproducibility | always
Status | closed
Resolution | fixed
Product Version | 2.0.0-beta.1
Target Version | 2.5.2
Fixed in Version | 2.5.2
Summary | 0023146: CVE-2017-12061: XSS in /admin/install.php script
Description | Some variables like $f_database, $f_db_username and $f_admin_username are under user control and are not sanitized well when displayed in error messages. /admin/install.php: because the "admin" folder is accessible by anyone and is not moved or denied after a successful Mantis installation, many servers have that issue.
Steps To Reproduce | Browse to URL: http://mantis.server/admin/install.php?install=3&database_name=%3Ch1%3EXSS&admin_username=%3Ch1%3EXSS
Tags | No tags attached.
Attached Files |
I confirm the issues in general, but I am wondering which browser you are using.

The admin folder should be deleted as soon as MantisBT is installed. We should fix this issue, but having the admin folder available after installation probably has other security issues.

I am requesting a CVE ID to be assigned for this issue. @iamsecurity please let us know how you would like to be credited for the finding.

CVE-2017-12061 has been assigned [scr368900]

The issue is also present in 1.3.11 and earlier. Tracking in 0023175

OSS security mailing list posting http://www.openwall.com/lists/oss-security/2017/08/01/1

MantisBT: master-2.5 c73ae3d3 2017-08-01 03:00
Fix XSS in install.php (CVE-2017-12061)
aLLy from ONSEC (https://twitter.com/IamSecurity) reported this vulnerability, allowing an attacker to inject arbitrary code through crafted form variables. Sanitizing the database error message prior to output prevents the attack.
Fixes 0023146
Affected Issues: 0023146
mod - admin/install.php

MantisBT: master-1.3.x 17f9b94f 2017-08-01 03:00
Fix XSS in install.php (CVE-2017-12061)
aLLy from ONSEC (https://twitter.com/IamSecurity) reported this vulnerability, allowing an attacker to inject arbitrary code through crafted form variables. Sanitizing the database error message prior to output prevents the attack.
Fixes 0023146
Backported from c73ae3d3d4dd4681489a9e697e8ade785e27cba5
Affected Issues: 0023146, 0023175
mod - admin/install.php
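The pattern the report and the commit message describe, as an added PHP illustration that is not MantisBT's own install.php code: a request value echoed inside a database error message unescaped, beside the same message escaped at output. The function names, the error text and the `esc()` helper are assumptions made for the example; only the variable names and the `<h1>XSS` payload come from the report.

```php
<?php
// Added illustration of CVE-2017-12061, not MantisBT's own install.php code.
// The installer reads request variables such as database_name and admin_username
// (modelled here as $f_database and $f_admin_username, the names used in the report)
// and echoes them inside an error message when the database step fails.

// Vulnerable pattern: user-controlled values concatenated straight into HTML output.
function render_db_error_unescaped(string $f_database, string $f_admin_username, string $db_error): string {
    return '<p class="error">Could not connect to database ' . $f_database
         . ' as ' . $f_admin_username . ': ' . $db_error . '</p>';
}

// Hardened pattern: escape at the point of output. ENT_QUOTES also escapes quotes so the
// value stays inert inside attributes; ENT_SUBSTITUTE avoids an empty string on bad UTF-8.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The driver's error string is escaped too: it usually repeats the database name,
// so it is just as attacker-influenced as the request variables themselves.
function render_db_error_escaped(string $f_database, string $f_admin_username, string $db_error): string {
    return '<p class="error">Could not connect to database ' . esc($f_database)
         . ' as ' . esc($f_admin_username) . ': ' . esc($db_error) . '</p>';
}

// Regression check: true when the payload appears only in its escaped form in the rendered HTML.
function output_is_inert(string $html, string $payload): bool {
    return strpos($html, $payload) === false
        && strpos($html, htmlspecialchars($payload, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')) !== false;
}

// Constructed inputs: the payload quoted in the report's reproduction URL, decoded,
// and a made-up driver message of the kind that echoes the database name back.
$f_database       = '<h1>XSS';
$f_admin_username = '<h1>XSS';
$db_error         = "Unknown database '<h1>XSS'";

$unsafe = render_db_error_unescaped($f_database, $f_admin_username, $db_error);
$safe   = render_db_error_escaped($f_database, $f_admin_username, $db_error);

printf("unescaped output inert: %s\n", output_is_inert($unsafe, '<h1>XSS') ? 'yes' : 'no');
printf("escaped output inert:   %s\n", output_is_inert($safe, '<h1>XSS') ? 'yes' : 'no');
```

The same check can be pointed at any page that reflects request variables into an error message, which is the class of defect the commit fixes rather than just the two parameters named in the reproduction URL.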