View Issue Details

ID: 0029688
Project: mantisbt
Category: security
View Status: public
Last Update: 2022-04-13 12:10
Reporter: dregad
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.25.0
Target Version: 2.25.3
Fixed in Version: 2.25.3
Summary0029688: CVE-2022-26144: XSS in manage_plugin_page.php and manage_plugin_uninstall.php
Description

Improper escaping of Plugin name allows execution of arbitrary code (if CSP allows it) when a crafted plugin is installed.

Steps To Reproduce
  1. Create a plugin with
     class AttackPlugin extends MantisPlugin {
         public function register() {
             $this->name = 'The Number of the Beast<script>alert("xss")</script>';
             $this->version = 666;
             $this->requires = array( "MantisCore" => "2.0.0" );
         }
     }
  2. Install the plugin's code
  3. Go to manage_plugin_page.php => XSS
  4. Install the plugin => XSS
  5. Uninstall the plugin => XSS in manage_plugin_uninstall.php
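As an added illustration (not code from the original report or from MantisBT's fix), the output pattern that causes this issue next to an escaped version, fed with the plugin name from the steps above; all function and variable names are hypothetical:

```php
<?php
// Added example, not MantisBT's own code. Function names are hypothetical.
// The plugin name is whatever the plugin's register() assigns, so it is
// attacker-controlled input to the manage pages and must be escaped at output.

// Constructed sample: the name from the reproduction steps above.
$t_crafted_name = 'The Number of the Beast<script>alert("xss")</script>';

// Defective pattern: the name is concatenated into the HTML unchanged,
// so the <script> element is parsed and executed by the browser.
function render_plugin_row_unescaped( string $p_name ): string {
	return '<tr><td>' . $p_name . '</td></tr>';
}

// Corrected pattern: escape for HTML. ENT_QUOTES also covers the quoted
// title attribute, which a text-only escape would not protect.
function render_plugin_row_escaped( string $p_name ): string {
	$t_safe = htmlspecialchars( $p_name, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
	return '<tr><td title="' . $t_safe . '">' . $t_safe . '</td></tr>';
}

// Same requirement for the uninstall confirmation: the name is embedded
// in a sentence, but it is still HTML text content and must be escaped.
function render_uninstall_prompt_escaped( string $p_name ): string {
	$t_safe = htmlspecialchars( $p_name, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
	return '<p>Uninstall plugin "' . $t_safe . '"?</p>';
}

// Regression check: no raw tag of the given name may survive in the output.
function contains_raw_tag( string $p_html, string $p_tag ): bool {
	return stripos( $p_html, '<' . $p_tag ) !== false;
}

foreach( array(
	'unescaped row'    => render_plugin_row_unescaped( $t_crafted_name ),
	'escaped row'      => render_plugin_row_escaped( $t_crafted_name ),
	'uninstall prompt' => render_uninstall_prompt_escaped( $t_crafted_name ),
) as $t_label => $t_html ) {
	$t_status = contains_raw_tag( $t_html, 'script' ) ? 'VULNERABLE' : 'ok';
	echo str_pad( $t_label, 18 ), $t_status, PHP_EOL, '    ', $t_html, PHP_EOL;
}
```

Only the first row reports VULNERABLE; a CSP that blocks inline scripts would stop the payload from running but does not remove the need to escape.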
Tags: No tags attached.

Relationships

related to 0012231 (closed, dhx): XSS vulnerability when uninstalling maliciously named plugins
related to 0026142 (closed, dregad): Improve handling of invalid / incorrectly installed plugins

Activities

dregad

2022-02-26 01:58

developer   ~0066307

CVE-2022-26144 assigned

atrol

2022-02-26 05:25

developer   ~0066308

We are executing arbitrary plugin code that can't be controlled by us, as there is no sandbox concept for plugins.
This means that you have to trust the whole plugin code.

@dregad not sure I am missing something.
Do you confirm that preventing the output of a crafted plugin name is just a minor security measure and not a hurdle for the real bad guys?

dregad

2022-03-01 02:26

developer   ~0066316

> This means that you have to trust the whole plugin code.

Yes of course, there is always such a risk when executing foreign code in your environment.

Actually this XSS is a regression that I introduced with MantisBT master 11a6d0de (see 0026142), so I thought it should at least be corrected (the vulnerability was originally fixed in 0012231).

> preventing the output of a crafted plugin name is just a minor security measure

That's exactly what this is.

> not a hurdle for the real bad guys

Not really sure what you mean by that though...

atrol

2022-03-01 16:40

developer   ~0066317

> Not really sure what you mean by that though...

Attackers (bad guys) don't rely on the non-sanitized plugin name to inject code.
It's an easy job for them to find / use one of many other available options to execute malicious code in a plugin.

Related Changesets

MantisBT: master-2.25 a7751c3e

2022-02-25 17:01

dregad

Fix XSS when displaying plugin name

Improper escaping of the plugin name allows attacker to inject code in
manage_plugin_page.php and manage_plugin_uninstall.php.

Fixes 0029688
Affected Issues: 0029688
mod - manage_plugin_page.php
mod - manage_plugin_uninstall.php