View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0024608 | mantisbt | security | public | 2018-07-13 08:44 | 2018-07-30 01:11 |
Reporter | teunb | Assigned To | atrol | ||
Priority | normal | Severity | major | Reproducibility | have not tried |
Status | closed | Resolution | fixed | ||
Product Version | 2.1.0 | ||||
Target Version | 2.15.1 | Fixed in Version | 2.15.1 | ||
Summary | 0024608: CVE-2018-14504: XSS in edit filters page | ||||
Description | If I save a filter and name it something like: foobar" onclick="alert(1) the onclick is rendered as html if I go to the edit filter page under manage filters(manage_filter_edit_page.php from manage_filter_page.php). Since CSP headers are set correctly this is not an immediate issue, but still one you probably want to fix in case someone finds some creative way to get around that. | ||||
Tags | No tags attached. | ||||
Attached Files | |||||
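To make the description concrete, here is an added example (not MantisBT's own code) that renders the same `<input value="...">` markup two ways: concatenated unescaped, as the affected page did, and through `htmlspecialchars()` with `ENT_QUOTES`, which is assumed here to stand in for the project's `string_display_line()` helper. The filter name `foobar" onclick="alert(1)` from the report is used as the constructed sample input, and the markup is parsed with `DOMDocument` to show which attributes a browser would actually see.

```php
<?php
// Added example, not MantisBT code. Shows why an unescaped filter name
// breaks out of the value="" attribute and how attribute escaping stops it.

// Vulnerable rendering: the name is concatenated straight into a
// double-quoted attribute, so a double quote in the name ends the
// attribute and the rest of the name becomes new attributes.
function render_filter_input_unescaped(string $name): string {
    return '<input type="text" size="25" name="filter_name" maxlength="64" value="'
        . $name . '">';
}

// Hardened rendering: htmlspecialchars() with ENT_QUOTES turns ", ', <, > and &
// into entities, so the browser keeps the whole name inside the attribute.
// (Assumed stand-in for string_display_line() in the patch, not the project's
// implementation.)
function render_filter_input_escaped(string $name): string {
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" size="25" name="filter_name" maxlength="64" value="'
        . $safe . '">';
}

// Parse the markup the way a browser would and return the attribute names
// of the first <input>, so injected attributes show up as real attributes
// rather than as text inside value="".
function parsed_input_attributes(string $html): array {
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    $names = [];
    foreach ($input->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed sample input: the filter name from the bug report.
$name = 'foobar" onclick="alert(1)';

$unsafe = render_filter_input_unescaped($name);
$safe   = render_filter_input_escaped($name);

echo "Unescaped markup:\n  $unsafe\n";
echo "  attributes: " . implode(', ', parsed_input_attributes($unsafe)) . "\n";
// -> onclick is now a real attribute of the element

echo "Escaped markup:\n  $safe\n";
echo "  attributes: " . implode(', ', parsed_input_attributes($safe)) . "\n";
// -> only type, size, name, maxlength, value; the quote stayed inside value
```

Run it with `php example.php`. The point of parsing rather than eyeballing the string is that the escaped output still contains the text `onclick=`, but only as part of the attribute's decoded value, which is exactly the distinction the fix relies on.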
Thanks @teunb for reporting this issue. Please check if applying the attached patch fixes the issue. 24608-xss.patch (1,026 bytes)
From 9426c94d7bddeff10c8058471b0cfaef6e4fb60f Mon Sep 17 00:00:00 2001 From: Roland Becker <roland@atrol.de> Date: Fri, 13 Jul 2018 15:18:46 +0200 Subject: [PATCH] Fix XSS vulnerability on filter edit page Fixes #24608 --- manage_filter_edit_page.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manage_filter_edit_page.php b/manage_filter_edit_page.php index 074ca14bd..9478d059c 100644 --- a/manage_filter_edit_page.php +++ b/manage_filter_edit_page.php @@ -124,7 +124,7 @@ $t_filter_project_id = filter_get_field( $f_filter_id, 'project_id' ); <div class="form-inline"> <label> <?php echo lang_get( 'query_name' ) ?> - <input type="text" size="25" name="filter_name" maxlength="64" value="<?php echo filter_get_field( $f_filter_id, 'name' ) ?>"> + <input type="text" size="25" name="filter_name" maxlength="64" value="<?php echo string_display_line( filter_get_field( $f_filter_id, 'name' ) ) ?>"> </label> </div> </div> -- 2.18.0 |
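Review bot: the new expression is printed inside a double-quoted `value="..."` attribute, so the fix holds only if string_display_line() escapes double quotes and not just angle brackets; confirm that, or use an attribute-specific escaper, otherwise a quote in the name still terminates the attribute exactly as the report describes. The report also reaches this page from manage_filter_page.php, which lists the same stored filter names, while the hunk touches only manage_filter_edit_page.php; check that the list page renders the name through the same sanitizer.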

Unfortunately I'm not the one who manages the mantis instance I tested this on, so I can't test if the patch fixes things without deploying an entirely new mantis instance somewhere on a server that I do manage. The code looks like it should fix the issue though.

I updated the product and target versions. Note: I don't have time to actually test and confirm whether 2.1.0 is actually the earliest affected release; this is just an assumption based on the fact that there was a major refactoring of the filters, which most likely introduced this vulnerability.

CVE Request 541329 sent. @teunb let me know if you would like to be credited for the finding, and if so, how (full name, company, e-mail, web site, etc.).

@dregad credit by full name only is fine: Teun Beijers. Thanks for fixing this bug in a timely manner!

CVE-2018-14504 assigned

MantisBT: master-2.15 8b5fa243 2018-07-13 05:18

Fix XSS on filter edit page (CVE-2018-14504)

Teun Beijers reported a cross-site scripting (XSS) vulnerability in the Edit Filter page which allows execution of arbitrary code (if CSP settings permit it) when displaying a filter with a crafted name. Prevent the attack by sanitizing the filter name before display.

Fixes 0024608

Affected Issues: 0024608

mod - manage_filter_edit_page.php