View Issue Details

IDProjectCategoryView StatusLast Update
0022579mantisbtsecuritypublic2017-04-01 00:13
ReporterYelinAndZhangdongsheng Assigned Todregad  
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Product Version1.3.0-rc.2 
Target Version1.3.9Fixed in Version1.3.9 
Summary0022579: CVE-2017-7309: XSS in adm_config_report.php
Description

Cross-Site Scripting Vulnerability in 'adm_config_report.php' page.

The /adm_config_report.php page 'config_option' parameter in MantisBT is vulnerable to a cross-site scripting vulnerability when Javascript is supplied via GET or POST request.

The exploitation example below uses the "alert()" JavaScript function to display "XSS" word.

Steps To Reproduce

Install the latest Mantisbt with all default settings. Log in as administrator
Navigate to the URL:
http://mantisServer/adm_config_report.php?config_option="><script>alert('XSSVenusTech')</script>

Unexpected result:
There is a popup wizard saying 'XSSVenusTech'

Additional Information

You are highly appreciated to confirm and log a CVE for this issue.
Reporter:
Yelin and Zhangdongsheng from VenusTech (http://www.venustech.com.cn)

TagsNo tags attached.

Relationships

related to 0022537 closeddregad CVE-2017-6973: XSS in adm_config_report.php 
parent of 0022612 closeddregad CVE-2017-7309: XSS in adm_config_report.php 
parent of 0022613 closeddregad CVE-2017-7309: XSS in adm_config_report.php 
related to 0020058 closedcproensa Updating config items in configuration report adds new ones 

Activities

dregad

dregad

2017-03-25 07:26

developer   ~0056194

Last edited: 2017-03-25 10:27

Introduced as part of MantisBT master 13bda674 (issue 0020058)

dregad

dregad

2017-03-29 12:32

developer   ~0056266

CVE Request 313160

dregad

dregad

2017-03-30 11:44

developer   ~0056280

@YelinAndZhangdongsheng the attached patch (for 1.3.0 and 2.2 branches) resolves the issue.

YelinAndZhangdongsheng

YelinAndZhangdongsheng

2017-03-30 22:04

reporter   ~0056293

Yes. Neat fix.
We confirmed the output escaping counteracted this 'config_option' attack vector.
Bests,
Yelin and Zhangdongsheng

dregad

dregad

2017-03-31 03:58

developer   ~0056294

Thanks for the feedback. FYI, I announced the CVE's on the Open-Source Security mailing list last night.
http://www.openwall.com/lists/oss-security/2017/03/30/4

Related Changesets

MantisBT: master-1.3.x c9e5b1d0

2017-03-25 10:23:51

dregad

Details Diff
Fix XSS in adm_config_report.php

Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/
reported a vulnerability in the Configuration Report page, allowing an
attacker to inject arbitrary code through a crafted 'config_option'
parameter.

Sanitize the parameter prior to output, to ensure HTML special
characters are properly escaped.

Fixes 0022579
Affected Issues
0022579
mod - adm_config_report.php Diff File

MantisBT: master-2.1 0243375e

2017-03-25 10:23:51

dregad

Details Diff
Fix XSS in adm_config_report.php

Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/
reported a vulnerability in the Configuration Report page, allowing an
attacker to inject arbitrary code through a crafted 'config_option'
parameter.

Sanitize the parameter prior to output, to ensure HTML special
characters are properly escaped.

Ported from 1.3.x commit c9e5b1d0404503022605459552faeaf610bf15ae.

Fixes 0022579
Affected Issues
0022579
mod - adm_config_report.php Diff File

MantisBT: master-2.2 e881dd79

2017-03-25 10:23:51

dregad

Details Diff
Fix XSS in adm_config_report.php

Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/
reported a vulnerability in the Configuration Report page, allowing an
attacker to inject arbitrary code through a crafted 'config_option'
parameter.

Sanitize the parameter prior to output, to ensure HTML special
characters are properly escaped.

Ported from 1.3.x commit c9e5b1d0404503022605459552faeaf610bf15ae.

Fixes 0022579
Affected Issues
0022579
mod - adm_config_report.php Diff File