View Issue Details

ID: 0022497
Project: mantisbt
Category: security
View Status: public
Last Update: 2017-03-30 02:33
Reporter: elandais
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.1.0
Target Version: 2.2.1
Fixed in Version: 2.2.1
Summary: 0022497: CVE-2017-6799: XSS in view_filters_page.php
Description

Cross-Site Scripting Vulnerability in 'view_filters_page.php' page.

The 'view_type' parameter of the /view_filters_page.php page in MantisBT is vulnerable to cross-site scripting when JavaScript is supplied via a GET or POST request.

The exploitation example below uses the "alert()" JavaScript function to display the word "XSS".

Steps To Reproduce

Request:

GET /view_filters_page.php?view_type=closev2lx8%22%3E%3Cscript%3Ealert%28%22Test%20SLCC%22%29%3C%2fscript%3Eyrcxai8ja1g

Parameters:
view_type: closev2lx8"><script>alert("Test SLCC")</script>yrcxai8ja1g

Tags: No tags attached.

Relationships

parent of 0022564 (closed, dregad): CVE-2017-6799: XSS in view_filters_page.php

Activities

atrol (developer) 2017-03-08 04:59 ~0055980

@elandais, thanks for helping in enhancing MantisBT security.

Please set View Status to private when reporting security related issues.
http://www.mantisbt.org/wiki/doku.php/mantisbt:handling_security_problems

dregad (developer) 2017-03-08 06:44 ~0055986

This issue has been present since 1.0.0 (MantisBT master bf18ac3d)

dregad (developer) 2017-03-08 10:04 ~0055997

This issue has been present since 1.0.0 (MantisBT master bf18ac3d)

Actually, taking back what I just said: this was in fact introduced in MantisBT master 46fddbcb (2.1.0), when the line that guaranteed that the variable could only contain controlled text was removed as part of refactoring the filter API.

Fixing the XSS is quite straightforward (adding a string_attribute() call prior to displaying $f_view_type), but before I do that, @cproensa, I would appreciate your feedback. Maybe outputting $t_filter['_view_type'] is the better approach?

cproensa (developer) 2017-03-08 18:54 ~0056009

@dregad
Yes, using $t_filter['_view_type'] is the right thing, I think.

dregad (developer) 2017-03-09 18:59 ~0056024

Thanks for the feedback @cproensa. Patch is attached.

0001-Fix-XSS-in-view_filters_page.php.patch (1,084 bytes)   
From f8674d34d36aff25e0ab050e5114170255e40fd3 Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Fri, 10 Mar 2017 00:24:51 +0100
Subject: [PATCH] Fix XSS in view_filters_page.php

The value of the view_type parameter was not sanitized before being
displayed as a hidden input.

This vulnerability was reported by Etienne Landais.

Fixes #22497
---
 view_filters_page.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/view_filters_page.php b/view_filters_page.php
index bccf4b0..5d80768 100644
--- a/view_filters_page.php
+++ b/view_filters_page.php
@@ -105,7 +105,7 @@ $t_filter = filter_ensure_valid_filter( $t_filter );
 
 	<?php # CSRF protection not required here - form does not result in modifications ?>
 	<input type="hidden" name="type" value="1" />
-	<input type="hidden" name="view_type" value="<?php echo $f_view_type; ?>" />
+	<input type="hidden" name="view_type" value="<?php echo $t_filter['_view_type']; ?>" />
 	<?php
 		if( $f_for_screen == false ) {
 			print '<input type="hidden" name="print" value="1" />';
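Review bot: the '+' line still echoes $t_filter['_view_type'] straight into the value attribute with no escaping, so this hunk's safety rests entirely on filter_ensure_valid_filter() (visible in the @@ context) having reduced '_view_type' to a known constant. Consider wrapping the output in string_attribute(), the call proposed in note ~0055997, so the attribute stays safe even if a later filter-API change lets an unvalidated value reach this line again, which is how 46fddbcb introduced the bug in the first place.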
-- 
1.9.1
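As an added illustration (not MantisBT code, and not part of the report, the patch or any comment above), the Python model below reproduces the attribute-context problem discussed in this thread. It parses the reporter's request from the Steps To Reproduce, then renders the hidden input three ways: echoing the raw parameter as the '-' line of the patch did, substituting the validated filter value as the '+' line does, and escaping at output time as string_attribute() would. The allowed view types 'simple' and 'advanced' and the default of 'simple' are assumptions made for this model; the page does not list MantisBT's filter constants.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request target. The payload is the reporter's, taken from the
# Steps To Reproduce above; the surrounding model is not MantisBT code.
REQUEST_TARGET = (
    "/view_filters_page.php?view_type=closev2lx8%22%3E%3Cscript%3E"
    "alert%28%22Test%20SLCC%22%29%3C%2fscript%3Eyrcxai8ja1g"
)

# Assumed legal filter view types and default; MantisBT's constants are not
# shown on this page, so these are placeholders for the model.
ALLOWED_VIEW_TYPES = ("simple", "advanced")
DEFAULT_VIEW_TYPE = "simple"

TAG_RE = re.compile(r"<[^>]+>")


def view_type_from_request(target):
    """Return the decoded view_type query parameter, or the default if absent."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return query.get("view_type", [DEFAULT_VIEW_TYPE])[0]


def render_hidden_input_vulnerable(view_type):
    """Mirror the patch's '-' line: raw request value echoed into an attribute."""
    return '<input type="hidden" name="view_type" value="%s" />' % view_type


def ensure_valid_view_type(view_type):
    """Stand-in for filter_ensure_valid_filter(): unknown values become the default."""
    return view_type if view_type in ALLOWED_VIEW_TYPES else DEFAULT_VIEW_TYPE


def render_hidden_input_validated(view_type):
    """Mirror the patch's '+' line: only a validated, known constant is echoed."""
    return '<input type="hidden" name="view_type" value="%s" />' % (
        ensure_valid_view_type(view_type)
    )


def render_hidden_input_escaped(view_type):
    """The alternative raised in the thread: escape at output time.

    html.escape(quote=True) plays the role of MantisBT's string_attribute():
    quotes and angle brackets are encoded, so the value cannot leave the
    attribute no matter what it contains.
    """
    return '<input type="hidden" name="view_type" value="%s" />' % (
        html.escape(view_type, quote=True)
    )


def count_tags(markup):
    """Count HTML tags in a fragment; a lone hidden input yields exactly 1."""
    return len(TAG_RE.findall(markup))


def demo(target=REQUEST_TARGET):
    """Render the reporter's payload through all three code paths."""
    view_type = view_type_from_request(target)
    return {
        "vulnerable": render_hidden_input_vulnerable(view_type),
        "validated": render_hidden_input_validated(view_type),
        "escaped": render_hidden_input_escaped(view_type),
    }


if __name__ == "__main__":
    for name, markup in demo().items():
        print("%-10s tags=%d  %s" % (name, count_tags(markup), markup))
```

Running the block shows the raw path producing three tags (the closed-off input, a script element and its closing tag), while both fixed paths produce a single input tag. The validated path discards the attacker's string altogether, which is why the thread preferred it; the escaped path keeps the string but neutralises it, which is the defence-in-depth that still applies when a value must be reflected verbatim.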

dregad (developer) 2017-03-10 03:47 ~0056030

CVE Request 304594 for CVE ID Request sent

Related Changesets

MantisBT: master-2.2 16772514 (dregad, 2017-03-09 18:24:51)
Fix XSS in view_filters_page.php

The value of the view_type parameter was not sanitized before being
displayed as a hidden input.

This vulnerability was reported by Etienne Landais.

Fixes 0022497
Affected Issues: 0022497
mod - view_filters_page.php

MantisBT: master-2.1 f2f85619 (dregad, 2017-03-09 18:24:51)
Fix XSS in view_filters_page.php

The value of the view_type parameter was not sanitized before being
displayed as a hidden input.

This vulnerability was reported by Etienne Landais.

Fixes 0022497
Affected Issues: 0022497
mod - view_filters_page.php