View Issue Details

ID: 0022497
Project: mantisbt
Category: security
View Status: public
Last Update: 2017-03-30 02:33
Reporter: elandais
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.1.0
Target Version: 2.2.1
Fixed in Version: 2.2.1
Summary: 0022497: CVE-2017-6799: XSS in view_filters_page.php
Description

Cross-Site Scripting Vulnerability in 'view_filters_page.php' page.

The 'view_type' parameter of the /view_filters_page.php page in MantisBT is vulnerable to a cross-site scripting vulnerability when JavaScript is supplied via a GET or POST request.

The exploitation example below uses the JavaScript "alert()" function to display the word "XSS".

Steps To Reproduce

Request:

GET /view_filters_page.php?view_type=closev2lx8%22%3E%3Cscript%3Ealert%28%22Test%20SLCC%22%29%3C%2fscript%3Eyrcxai8ja1g

Parameters:
view_type: closev2lx8"><script>alert("Test SLCC")</script>yrcxai8ja1g

Tags: No tags attached.

Relationships

parent of 0022564 (closed, dregad): CVE-2017-6799: XSS in view_filters_page.php

Activities

atrol

2017-03-08 04:59

developer   ~0055980

@elandais, thanks for helping in enhancing MantisBT security.

Please set View Status to private when reporting security related issues.
http://www.mantisbt.org/wiki/doku.php/mantisbt:handling_security_problems

dregad

2017-03-08 06:44

developer   ~0055986

This issue is present since 1.0.0 (:mantisbt:bf18ac3d:)

dregad

2017-03-08 10:04

developer   ~0055997

This issue is present since 1.0.0 (:mantisbt:bf18ac3d:)

Actually, taking back what I just said: this was in fact introduced in MantisBT master 46fddbcb (2.1.0), when that line which guaranteed that the variable could only contain controlled text was removed as part of refactoring the filter API.

Fixing the XSS is quite straightforward (adding a string_attribute() call prior to displaying $f_view_type), but before I do that, @cproensa, I would appreciate your feedback; maybe outputting $t_filter['_view_type'] is the better approach?

cproensa

2017-03-08 18:54

developer   ~0056009

@dregad
Yes, using $t_filter['_view_type'] is the right thing, I think.
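
The two options weighed in the notes above, escaping at the output point versus echoing the already-validated filter value, as an added PHP example that is not MantisBT's own code. htmlspecialchars() stands in for MantisBT's string_attribute() here, and the allow-list of 'simple' and 'advanced' as the only valid view types is an assumption made for this example, standing in for what filter_ensure_valid_filter() provides in the real code base.

```php
<?php
// Added example, not MantisBT code. Shows the two defences discussed in the
// thread for the view_type hidden input: escaping at the output point (the
// string_attribute() option) and normalising the value to a known-good one
// before it is ever echoed (what the applied fix relies on).

// Assumption for this example: the only valid view types are these two.
const VIEW_TYPES = ['simple', 'advanced'];

// Vulnerable rendering, equivalent to the line the patch removes: the raw
// request value is interpolated straight into an attribute.
function render_hidden_unsafe(string $view_type): string {
    return '<input type="hidden" name="view_type" value="' . $view_type . '" />';
}

// Defence 1: escape at the output point. ENT_QUOTES matters because the value
// sits inside a double-quoted attribute; htmlspecialchars() stands in for
// MantisBT's string_attribute() (assumption).
function render_hidden_escaped(string $view_type): string {
    $safe = htmlspecialchars($view_type, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="view_type" value="' . $safe . '" />';
}

// Defence 2: never echo the request value itself. Normalise it to a member of
// the allow-list first, falling back to a default, the way the applied fix
// echoes the validated filter's '_view_type' instead of $f_view_type.
function ensure_valid_view_type(?string $view_type): string {
    return in_array($view_type, VIEW_TYPES, true) ? $view_type : 'simple';
}

function render_hidden_validated(?string $view_type): string {
    $value = ensure_valid_view_type($view_type);
    // Escape anyway, so the output stays safe if the allow-list is ever
    // loosened or removed in a later refactoring.
    return render_hidden_escaped($value);
}

// Constructed input: the payload from the report, as it would arrive in $_GET.
$payload = 'closev2lx8"><script>alert("Test SLCC")</script>yrcxai8ja1g';

echo "unsafe:    " . render_hidden_unsafe($payload) . "\n";
echo "escaped:   " . render_hidden_escaped($payload) . "\n";
echo "validated: " . render_hidden_validated($payload) . "\n";

// Self-checks: neither hardened output may carry the raw script tag, and a
// legitimate value passes through unchanged.
assert(strpos(render_hidden_escaped($payload), '<script') === false);
assert(strpos(render_hidden_validated($payload), '<script') === false);
assert(render_hidden_validated('advanced')
    === '<input type="hidden" name="view_type" value="advanced" />');
assert(render_hidden_validated($payload)
    === '<input type="hidden" name="view_type" value="simple" />');
```

Run it with `php example.php`: the first line shows the attribute being closed early by the payload's `">`, the second shows the same bytes rendered inert as entities, and the third shows the request value never reaching the page at all. Keeping the escape inside render_hidden_validated() is the point of the design: the allow-list is the primary control, the escape is the one that survives future refactoring of the filter API.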

dregad

2017-03-09 18:59

developer   ~0056024

Thanks for the feedback @cproensa. Patch is attached.

Attachment: 0001-Fix-XSS-in-view_filters_page.php.patch (1,084 bytes)
From f8674d34d36aff25e0ab050e5114170255e40fd3 Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Fri, 10 Mar 2017 00:24:51 +0100
Subject: [PATCH] Fix XSS in view_filters_page.php

The value of the view_type parameter was not sanitized before being
displayed as a hidden input.

This vulnerability was reported by Etienne Landais.

Fixes #22497
---
 view_filters_page.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/view_filters_page.php b/view_filters_page.php
index bccf4b0..5d80768 100644
--- a/view_filters_page.php
+++ b/view_filters_page.php
@@ -105,7 +105,7 @@ $t_filter = filter_ensure_valid_filter( $t_filter );
 
 	<?php # CSRF protection not required here - form does not result in modifications ?>
 	<input type="hidden" name="type" value="1" />
-	<input type="hidden" name="view_type" value="<?php echo $f_view_type; ?>" />
+	<input type="hidden" name="view_type" value="<?php echo $t_filter['_view_type']; ?>" />
 	<?php
 		if( $f_for_screen == false ) {
 			print '<input type="hidden" name="print" value="1" />';
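Review bot: the replacement line relies entirely on filter_ensure_valid_filter() (visible in the hunk header) to keep $t_filter['_view_type'] within known values; nothing at the output point escapes it, which is the same shape of assumption that failed in 46fddbcb when the guarding line was removed during the filter API refactoring. Consider keeping the escape at the echo as well, e.g. `value="<?php echo string_attribute( $t_filter['_view_type'] ); ?>"`, so the hidden input stays safe even if the filter validation changes again. The commit message also says the value "was not sanitized", while the change substitutes a validated value rather than adding sanitization; stating that in the message would make the intended defence clearer to the next person touching this line.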
-- 
1.9.1

dregad

2017-03-10 03:47

developer   ~0056030

CVE Request 304594 for CVE ID Request sent

Related Changesets

MantisBT: master-2.2 16772514 (2017-03-09 18:24:51, dregad)

Fix XSS in view_filters_page.php

The value of the view_type parameter was not sanitized before being
displayed as a hidden input.

This vulnerability was reported by Etienne Landais.

Fixes 0022497

mod - view_filters_page.php

MantisBT: master-2.1 f2f85619 (2017-03-09 18:24:51, dregad)

Fix XSS in view_filters_page.php

The value of the view_type parameter was not sanitized before being
displayed as a hidden input.

This vulnerability was reported by Etienne Landais.

Fixes 0022497

mod - view_filters_page.php

Issue History

Date Modified Username Field Change
2017-03-08 04:21 elandais New Issue
2017-03-08 04:32 atrol View Status public => private
2017-03-08 04:59 atrol Note Added: 0055980
2017-03-08 06:44 dregad Assigned To => dregad
2017-03-08 06:44 dregad Status new => confirmed
2017-03-08 06:44 dregad Note Added: 0055986
2017-03-08 06:47 dregad Product Version 2.2.0 => 1.3.0-beta.1
2017-03-08 06:47 dregad Target Version => 1.3.7
2017-03-08 06:47 dregad Severity minor => major
2017-03-08 09:12 dregad Summary Cross-Site Scripting Vulnerabilities => XSS in view_filters_page.php
2017-03-08 10:04 dregad Note Added: 0055997
2017-03-08 10:04 dregad Product Version 1.3.0-beta.1 => 2.1.0
2017-03-08 10:04 dregad Target Version 1.3.7 => 2.2.1
2017-03-08 18:54 cproensa Note Added: 0056009
2017-03-09 18:59 dregad File Added: 0001-Fix-XSS-in-view_filters_page.php.patch
2017-03-09 18:59 dregad Note Added: 0056024
2017-03-09 18:59 dregad Status confirmed => assigned
2017-03-10 03:28 dregad Changeset attached => MantisBT master-2.2 16772514
2017-03-10 03:28 dregad Status assigned => resolved
2017-03-10 03:28 dregad Resolution open => fixed
2017-03-10 03:34 dregad Fixed in Version => 2.2.1
2017-03-10 03:34 dregad View Status private => public
2017-03-10 03:47 dregad Note Added: 0056030
2017-03-10 04:42 dregad Summary XSS in view_filters_page.php => CVE-2017-6799 - XSS in view_filters_page.php
2017-03-12 19:23 vboctor Status resolved => closed
2017-03-20 10:59 dregad Changeset attached => MantisBT master-2.1 f2f85619
2017-03-21 20:03 dregad Issue cloned: 0022564
2017-03-21 20:03 dregad Relationship added parent of 0022564
2017-03-30 02:33 dregad Summary CVE-2017-6799 - XSS in view_filters_page.php => CVE-2017-6799: XSS in view_filters_page.php