View Issue Details

IDProjectCategoryView StatusLast Update
0022537mantisbtsecuritypublic2017-03-31 04:01
ReporterYelinAndZhangdongsheng Assigned Todregad  
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Product Version1.3.0-rc.2 
Target Version1.3.8Fixed in Version1.3.8 
Summary0022537: CVE-2017-6973: XSS in adm_config_report.php
Description

Cross-Site Scripting Vulnerability in 'adm_config_report.php' page.

The /adm_config_report.php page 'action' parameter in MantisBT is vulnerable to a cross-site scripting vulnerability when Javascript is supplied via GET or POST request.

The exploitation example below uses the "alert()" JavaScript function to display "XSS" word.

Steps To Reproduce

Steps:
Install the latest Mantisbt with all default settings. Log in as administrator/root
Navigate to the URL:
http://mantisServerIP/adm_config_report.php?action="><script>alert("XSSvenusTech")</script>

Unexpected result:
There is a popup wizard saying 'XSSvenusTech'

Additional Information

You are highly appreciated to confirm and log a CVE for this issue, Similar to CVE-2017-6797 and CVE-2017-6799,

Fix suggestion:
modify the adm_config_report.php
replace:
<input type="hidden" name="action" value="<?php echo $t_edit_action; ?>" />
with
<input type="hidden" name="action" value="<?php echo string_attribute($t_edit_action); ?>" />

Reportor:
Yelin and Zhangdongsheng from VenusTech

TagsNo tags attached.

Relationships

related to 0020058 closedcproensa Updating config items in configuration report adds new ones 
parent of 0022562 closeddregad CVE-2017-6973: XSS in adm_config_report.php 
parent of 0022565 closeddregad CVE-2017-6973: XSS in adm_config_report.php 
related to 0022579 closeddregad CVE-2017-7309: XSS in adm_config_report.php 

Activities

dregad

dregad

2017-03-17 07:55

developer   ~0056101

Regression introduced in 1.3.0-rc.2, see 0020058

dregad

dregad

2017-03-17 11:12

developer   ~0056105

Last edited: 2017-03-17 11:13

@YelinAndZhangdongsheng kindly review the attached patch (against master branch - I will backport it to 1.3.x as well) and confirm it resolves the issue.

I will take care of requesting the CVE.

0001-Fix-XSS-in-adm_config_report.php-s-action-parameter.patch (4,270 bytes)   
From 39e66bf05a807865f8f73d09596391d3e4d70be7 Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Fri, 17 Mar 2017 15:09:09 +0100
Subject: [PATCH] Fix XSS in adm_config_report.php's action parameter

Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/
reported a vulnerability in the Configuration Report page, allowing an
attacker to inject arbitrary code through a crafted 'action' parameter.

Define a new set of constants (MANAGE_CONFIG_ACTION_*) replacing the
hardcoded strings used in adm_config_report.php and adm_config_set.php.

Sanitize the 'action' parameter to ensure it is only set to one of the
allowed values

Fixes #22537
---
 adm_config_report.php | 20 +++++++++++++++-----
 adm_config_set.php    |  2 +-
 core/constant_inc.php |  4 ++++
 3 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/adm_config_report.php b/adm_config_report.php
index 8c0f017..37e8189 100644
--- a/adm_config_report.php
+++ b/adm_config_report.php
@@ -218,7 +218,17 @@ $t_edit_project_id      = gpc_get_int( 'project_id', $t_filter_project_value ==
 $t_edit_option          = gpc_get_string( 'config_option', $t_filter_config_value == META_FILTER_NONE ? '' : $t_filter_config_value );
 $t_edit_type            = gpc_get_string( 'type', CONFIG_TYPE_DEFAULT );
 $t_edit_value           = gpc_get_string( 'value', '' );
-$t_edit_action          = gpc_get_string( 'action', 'action_create' );
+
+$f_edit_action          = gpc_get_string( 'action', MANAGE_CONFIG_ACTION_CREATE );
+# Ensure we exclusively use one of the defined, valid actions (XSS protection)
+$t_valid_actions = array(
+	MANAGE_CONFIG_ACTION_CREATE,
+	MANAGE_CONFIG_ACTION_CLONE,
+	MANAGE_CONFIG_ACTION_EDIT
+);
+$t_edit_action = in_array( $f_edit_action, $t_valid_actions )
+	? $f_edit_action
+	: MANAGE_CONFIG_ACTION_CREATE;
 
 # Apply filters
 
@@ -443,7 +453,7 @@ while( $t_row = db_fetch_array( $t_result ) ) {
 					'config_option' => $v_config_id,
 					'type'          => $v_type,
 					'value'         => $v_value,
-					'action'        => 'action_edit',
+					'action'        => MANAGE_CONFIG_ACTION_EDIT,
 				),
 				OFF );
 			echo '</div>';
@@ -459,7 +469,7 @@ while( $t_row = db_fetch_array( $t_result ) ) {
 					'config_option' => $v_config_id,
 					'type'          => $v_type,
 					'value'         => $v_value,
-					'action'        => 'action_clone',
+					'action'        => MANAGE_CONFIG_ACTION_CLONE,
 				),
 				OFF );
 			echo '</div>';
@@ -514,7 +524,7 @@ if( $t_read_write_access ) {
 		<div class="widget-header widget-header-small">
 		<h4 class="widget-title lighter">
 			<i class="ace-icon fa fa-sliders"></i>
-			<?php echo lang_get( 'set_configuration_option_' . $t_edit_action ) ?>
+			<?php echo lang_get( 'set_configuration_option_action_' . $t_edit_action ) ?>
 			</h4>
 		</div>
 
@@ -605,7 +615,7 @@ if( $t_read_write_access ) {
 		<div class="widget-toolbox padding-4 clearfix">
 			<input type="hidden" name="action" value="<?php echo $t_edit_action; ?>" />
 			<input type="submit" name="config_set" class="btn btn-primary btn-white btn-round"
-				value="<?php echo lang_get( 'set_configuration_option_' . $t_edit_action ) ?>"/>
+				value="<?php echo lang_get( 'set_configuration_option_action_' . $t_edit_action ) ?>"/>
 		</div>
 	</div>
 	</div>
diff --git a/adm_config_set.php b/adm_config_set.php
index 23c8947..c9e41e9 100644
--- a/adm_config_set.php
+++ b/adm_config_set.php
@@ -134,7 +134,7 @@ if( $t_type != CONFIG_TYPE_STRING ) {
 	}
 }
 
-if( 'action_edit' === $f_edit_action ){
+if( MANAGE_CONFIG_ACTION_EDIT === $f_edit_action ){
 	# EDIT action doesn't keep original if key values are different.
 	if ( $f_original_config_option !== $f_config_option
 			|| $f_original_user_id !== $f_user_id
diff --git a/core/constant_inc.php b/core/constant_inc.php
index ffd3665..fd3f26c 100644
--- a/core/constant_inc.php
+++ b/core/constant_inc.php
@@ -655,3 +655,7 @@ define( 'EXPORT_BLOCK_SIZE', 500 );
 # types, 2^31 is a safe limit to be used for all.
 define( 'DB_MAX_INT', 2147483647 );
 
+# Configuration management actions (adm_config_report.php)
+define( 'MANAGE_CONFIG_ACTION_CREATE', 'create' );
+define( 'MANAGE_CONFIG_ACTION_CLONE', 'clone' );
+define( 'MANAGE_CONFIG_ACTION_EDIT', 'edit' );
-- 
1.9.1

dregad

dregad

2017-03-17 11:49

developer   ~0056106

CVE Request 307635

YelinAndZhangdongsheng

YelinAndZhangdongsheng

2017-03-17 19:25

reporter   ~0056108

Good job Damien.
We confirmed that the taint 'action' parameter is sanitized by the patch's White list validation.
We keep on pivoting Mantis security issues.
When we insights, we will share.
Bests,
Yelin and Zhangdongsheng

dregad

dregad

2017-03-18 05:30

developer   ~0056109

Many thanks for the feedback and your contribution in improving security in MantisBT, it is greatly appreciated.

dregad

dregad

2017-03-31 04:01

developer   ~0056296

OSS-security mailing list announcement http://www.openwall.com/lists/oss-security/2017/03/30/4

Related Changesets

MantisBT: master-1.3.x 034cd07b

2017-03-17 09:20:14

dregad

Details Diff
Fix XSS in adm_config_report.php's action parameter

Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/
reported a vulnerability in the Configuration Report page, allowing an
attacker to inject arbitrary code through a crafted 'action' parameter.

Define a new set of constants (MANAGE_CONFIG_ACTION_*) replacing the
hardcoded strings used in adm_config_report.php and adm_config_set.php.

Sanitize the 'action' parameter to ensure it is only set to one of the
allowed values

Fixes 0022537
Affected Issues
0022537
mod - adm_config_report.php Diff File
mod - adm_config_set.php Diff File
mod - core/constant_inc.php Diff File

MantisBT: master-2.2 da74c5aa

2017-03-17 10:09:09

dregad

Details Diff
Fix XSS in adm_config_report.php's action parameter

Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/
reported a vulnerability in the Configuration Report page, allowing an
attacker to inject arbitrary code through a crafted 'action' parameter.

Define a new set of constants (MANAGE_CONFIG_ACTION_*) replacing the
hardcoded strings used in adm_config_report.php and adm_config_set.php.

Sanitize the 'action' parameter to ensure it is only set to one of the
allowed values

Fixes 0022537
Affected Issues
0022537
mod - adm_config_report.php Diff File
mod - adm_config_set.php Diff File
mod - core/constant_inc.php Diff File

MantisBT: master-2.1 15e52e84

2017-03-17 10:09:09

dregad

Details Diff
Fix XSS in adm_config_report.php's action parameter

Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/
reported a vulnerability in the Configuration Report page, allowing an
attacker to inject arbitrary code through a crafted 'action' parameter.

Define a new set of constants (MANAGE_CONFIG_ACTION_*) replacing the
hardcoded strings used in adm_config_report.php and adm_config_set.php.

Sanitize the 'action' parameter to ensure it is only set to one of the
allowed values

Fixes 0022537
Affected Issues
0022537
mod - adm_config_report.php Diff File
mod - adm_config_set.php Diff File
mod - core/constant_inc.php Diff File