View Issue Details

ID: 0022742
Project: mantisbt
Category: security
View Status: public
Last Update: 2017-04-30 14:48
Reporter: dregad
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.3.0
Target Version: 2.3.2
Fixed in Version: 2.3.2
Summary: 0022742: CVE-2017-7897: XSS in timeline_inc.php (affects my_view_page.php and view_user_page.php)
Description

$_SERVER['PHP_SELF'] is not sanitized before being used to generate URLs.

Yes, we have a CSP policy in place, but it can be disabled optionally per application config, and does not include prefixed headers so IE 10/11 would be susceptible as they use X-Content-Security-Policy according to CanIUse.

Steps To Reproduce

Navigate to

  • /view_user_page.php/"><script>alert(1)</script><x
  • /my_view_page.php/"><script>alert(1)</script><x
Additional Information

Initially reported by user quantumpacket in https://github.com/mantisbt/mantisbt/pull/1094

Tags: No tags attached.

Relationships

related to 0022585 (closed, cproensa): Show timeline for specific user

Activities

dregad (developer) 2017-04-18 10:36 ~0056608

Introduced in 2.3.0 - MantisBT master e2d1de8a

dregad (developer) 2017-04-18 12:44 ~0056611

CVE Request 321514

Related Changesets

MantisBT: master-2.3 a1c71931 (dregad, 2017-04-18 11:49:41)

Fix XSS in timeline_inc.php

Use of $_SERVER['PHP_SELF'] and outputting it as-is allows an attacker
to inject arbitrary JavaScript as part of the URL.

Using SCRIPT_NAME and passing it through string_sanitize_url() instead
prevents the attack.

Fixes 0022742
Fixes https://github.com/mantisbt/mantisbt/pull/1094
Affected Issues: 0022742
mod - core/timeline_inc.php
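An added illustration of the fix the changeset describes, not MantisBT's own code: the vulnerable self-link built from $_SERVER['PHP_SELF'] beside the hardened one built from SCRIPT_NAME. The $_SERVER values are constructed to mimic the reproduction steps, and sanitize_path() is a stand-in (an assumption) for MantisBT's string_sanitize_url().

```php
<?php
// Constructed request: the script path followed by extra path info.
// A real web server sets these itself; PHP appends PATH_INFO to PHP_SELF,
// so anything after the script name in the URL lands in PHP_SELF.
$_SERVER['SCRIPT_NAME'] = '/my_view_page.php';
$_SERVER['PHP_SELF']    = '/my_view_page.php/"><x';

// Vulnerable pattern (what the issue describes): PHP_SELF carries
// user-controlled PATH_INFO and is written into the attribute unescaped.
function self_link_vulnerable( $p_user_id ) {
	return '<a href="' . $_SERVER['PHP_SELF'] . '?user_id=' . (int)$p_user_id . '">All</a>';
}

// Stand-in for MantisBT's string_sanitize_url() (assumption for this
// stand-alone example): keep only an absolute path of URL-safe characters,
// otherwise fall back to the site root.
function sanitize_path( $p_path ) {
	if( !preg_match( '#^/[A-Za-z0-9_\-./]*$#', $p_path ) ) {
		return '/';
	}
	return $p_path;
}

// Hardened pattern, following the changeset: SCRIPT_NAME does not include
// PATH_INFO, the path is still sanitized (server configs differ), and the
// final URL is HTML-escaped before being placed in the href attribute.
function self_link_hardened( $p_user_id ) {
	$t_path = sanitize_path( $_SERVER['SCRIPT_NAME'] );
	$t_url  = $t_path . '?user_id=' . (int)$p_user_id;
	return '<a href="' . htmlspecialchars( $t_url, ENT_QUOTES, 'UTF-8' ) . '">All</a>';
}

echo self_link_vulnerable( 1 ), "\n";  // the quote in PATH_INFO closes the href attribute
echo self_link_hardened( 1 ), "\n";    // only the script name and the integer id survive
```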