View Issue Details

ID: 0008679
Project: mantisbt
Category: security
View Status: public
Last Update: 2012-10-05 15:06
Reporter: seiji
Assigned To: vboctor
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform: PHP 5.2.5
OS: Gentoo Linux
OS Version:
Product Version: 1.1.0rc3
Target Version: 1.1.0
Fixed in Version: 1.1.0
Summary: 0008679: XSS Vulnerability in view.php, Attached Files
Description

There is a possibility that XSS occurs in "Attached Files" in view.php.

See attached file.

Steps To Reproduce
  1. Create a file on Linux.

    echo "111" >> "<h1>XSS"

  2. Upload it.
  3. Go to View issue and click the issue.
Additional Information

This is a rare case.

Tags: No tags attached.

Activities

2007-12-19 08:21

xss_before.png (9,068 bytes)

2007-12-19 08:24

file_api.php.patch (586 bytes)
Index: core/file_api.php
===================================================================
--- core/file_api.php	(リビジョン 4833)
+++ core/file_api.php	(作業コピー)
@@ -163,7 +163,7 @@
 			$row = $t_attachment_rows[$i];
 			extract( $row, EXTR_PREFIX_ALL, 'v' );
 
-			$t_file_display_name = file_get_display_name( $v_filename );
+			$t_file_display_name = string_html_specialchars( file_get_display_name( $v_filename ) );
 			$t_filesize		= number_format( $v_filesize );
 			$t_date_added	= date( config_get( 'normal_date_format' ), db_unixtimestamp( $v_date_added ) );
 
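Review bot: the escape is applied where `$t_file_display_name` is assigned rather than where it is emitted, so every later use of the variable in this loop receives an HTML-encoded string; if the name is also placed in an attribute or a URL, or escaped again on output, it will be double-encoded or encoded for the wrong context. Consider keeping the raw name in `$t_file_display_name` and applying `string_html_specialchars()` (or the `string_display_line()` helper the maintainer's note says the final fix uses) at the point where the name is written into the HTML.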
vboctor

2007-12-21 04:19

manager ~0016494

The fix implemented in Mantis 1.1.0 is to use the following line:

$t_file_display_name = string_display_line( file_get_display_name( $v_filename ) );

See the existing patch to see the context of the change.
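An added illustration in PHP, not MantisBT's own code, of the attachment-name rendering this issue is about: the same "Attached Files" row written with the raw filename (the reported defect) and with the name escaped once at the point of output. PHP's built-in htmlspecialchars() stands in for the string_html_specialchars()/string_display_line() helpers, and the display_name() stub and download.php link path are assumptions.

```php
<?php
// Added illustration, not MantisBT's code. Renders one "Attached Files" row
// the way view.php does, first with the raw name (the reported defect) and
// then escaped. PHP's htmlspecialchars() stands in for MantisBT's
// string_html_specialchars()/string_display_line() helpers.

// Stand-in for file_get_display_name() (assumption: name returned as-is).
function display_name(string $filename): string {
    return $filename;
}

// Defective rendering: the filename is written into HTML unescaped, so a
// name such as "<h1>XSS" becomes markup in the issue page.
function render_attachment_unsafe(string $filename, int $size): string {
    $name = display_name($filename);
    // download.php?id=1 is a placeholder link, not MantisBT's real path
    return '<a href="download.php?id=1" title="' . $name . '">'
         . $name . '</a> (' . number_format($size) . ' bytes)';
}

// Hardened rendering: escape at the point of output, once, with ENT_QUOTES so
// the same value is safe both in the title attribute and in the link text.
function render_attachment_safe(string $filename, int $size): string {
    $name = htmlspecialchars(display_name($filename), ENT_QUOTES, 'UTF-8');
    return '<a href="download.php?id=1" title="' . $name . '">'
         . $name . '</a> (' . number_format($size) . ' bytes)';
}

// Constructed input: the filename from step 1 of the report.
$filename = '<h1>XSS';
echo render_attachment_unsafe($filename, 4), "\n";
echo render_attachment_safe($filename, 4), "\n";
```

Escaping in the rendering function, rather than at the assignment of a shared variable, keeps the raw name available for non-HTML uses and avoids double-encoding if the value is escaped again downstream.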

giallu

2008-01-27 17:47

reporter ~0016855

Security advisories:
http://secunia.com/advisories/28185/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6611

Issue History

Date Modified Username Field Change
2007-12-19 08:21 seiji New Issue
2007-12-19 08:21 seiji File Added: xss_before.png
2007-12-19 08:24 seiji File Added: file_api.php.patch
2007-12-19 11:03 vboctor Target Version => 1.1.0rc4
2007-12-20 00:49 vboctor Status new => resolved
2007-12-20 00:49 vboctor Fixed in Version => 1.1.0rc4
2007-12-20 00:49 vboctor Resolution open => fixed
2007-12-20 00:49 vboctor Assigned To => vboctor
2007-12-20 01:35 vboctor Status resolved => closed
2007-12-21 04:19 vboctor Note Added: 0016494
2007-12-21 04:19 vboctor View Status private => public
2008-01-27 17:47 giallu Note Added: 0016855
2011-06-27 09:02 442832953 Tag Attached: 100265
2012-10-05 15:06 atrol Tag Detached: 100265