View Issue Details

ID: 0022537
Project: mantisbt
Category: security
View Status: public
Last Update: 2017-03-21 20:05
Reporter: YelinAndZhangdongsheng
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.3.0-rc.2
Target Version: 1.3.8
Fixed in Version: 1.3.8
Summary0022537: CVE-2017-6973: XSS in adm_config_report.php
Description

Cross-Site Scripting Vulnerability in 'adm_config_report.php' page.

The 'action' parameter of the /adm_config_report.php page in MantisBT is vulnerable to cross-site scripting when JavaScript is supplied via a GET or POST request.

The exploitation example below uses the JavaScript "alert()" function to display the word "XSS".

Steps To Reproduce

Steps:
Install the latest MantisBT with all default settings. Log in as administrator/root.
Navigate to the URL:
http://mantisServerIP/adm_config_report.php?action="><script>alert("XSSvenusTech")</script>

Unexpected result:
A popup appears saying 'XSSvenusTech'.

Additional Information

We would appreciate it if you could confirm and log a CVE for this issue, similar to CVE-2017-6797 and CVE-2017-6799.

Fix suggestion:
modify the adm_config_report.php
replace:
<input type="hidden" name="action" value="<?php echo $t_edit_action; ?>" />
with
<input type="hidden" name="action" value="<?php echo string_attribute($t_edit_action); ?>" />

Reporter:
Yelin and Zhangdongsheng from VenusTech
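The unescaped sink from the report next to the two fixes discussed on this issue (the reporter's output escaping and the allowlist from the attached patch), as an added example that is not MantisBT code. htmlspecialchars() stands in for MantisBT's string_attribute(), and the constant values are assumed to follow the attached patch.

```php
<?php
// Added example, not MantisBT code: the unescaped sink from the report next to
// the two fixes discussed on this issue (reporter's output escaping, patch's
// allowlist). htmlspecialchars() stands in for MantisBT's string_attribute();
// the constant values are assumed to follow the attached patch.
const MANAGE_CONFIG_ACTION_CREATE = 'create';
const MANAGE_CONFIG_ACTION_CLONE  = 'clone';
const MANAGE_CONFIG_ACTION_EDIT   = 'edit';

// As shipped in 1.3.0-rc.2: the request value is copied straight into an attribute.
function hidden_input_vulnerable( string $p_action ): string {
	return '<input type="hidden" name="action" value="' . $p_action . '" />';
}

// Reporter's suggestion: escape at the output sink.
function attribute_escape( string $p_value ): string {
	return htmlspecialchars( $p_value, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

// Patch's approach: only a known action may reach $t_edit_action at all.
// Strict in_array() so no loosely-equal value slips through the allowlist.
function sanitize_action( string $p_action ): string {
	$t_valid = array( MANAGE_CONFIG_ACTION_CREATE, MANAGE_CONFIG_ACTION_CLONE, MANAGE_CONFIG_ACTION_EDIT );
	return in_array( $p_action, $t_valid, true ) ? $p_action : MANAGE_CONFIG_ACTION_CREATE;
}

// Both layers: allowlist first, then escape anyway (defence in depth).
function hidden_input_hardened( string $p_action ): string {
	return '<input type="hidden" name="action" value="'
		. attribute_escape( sanitize_action( $p_action ) ) . '" />';
}

// Constructed inputs: a legitimate action and a value that closes the attribute.
$t_inputs = array( 'edit', '"><b>injected</b>' );
foreach( $t_inputs as $t_in ) {
	echo "input:      ", $t_in, "\n";
	echo "vulnerable: ", hidden_input_vulnerable( $t_in ), "\n";
	echo "escaped:    ", '<input type="hidden" name="action" value="' . attribute_escape( $t_in ) . '" />', "\n";
	echo "hardened:   ", hidden_input_hardened( $t_in ), "\n\n";
}
```

Run with `php example.php`: the vulnerable line breaks out of the attribute for the second input, the escaped line keeps it inert as text, and the hardened line rejects it entirely and falls back to 'create'.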

Tags: No tags attached.

Relationships

related to 0020058 (closed, cproensa): Updating config items in configuration report adds new ones
parent of 0022562 (closed, dregad): CVE-2017-6973: XSS in adm_config_report.php
parent of 0022565 (closed, dregad): CVE-2017-6973: XSS in adm_config_report.php

Activities

dregad (developer), 2017-03-17 07:55, note ~0056101

Regression introduced in 1.3.0-rc.2, see 0020058

dregad (developer), 2017-03-17 11:12, note ~0056105 (last edited 2017-03-17 11:13)

@YelinAndZhangdongsheng kindly review the attached patch (against master branch - I will backport it to 1.3.x as well) and confirm it resolves the issue.

I will take care of requesting the CVE.

Attachment: 0001-Fix-XSS-in-adm_config_report.php-s-action-parameter.patch (4,270 bytes)
From 39e66bf05a807865f8f73d09596391d3e4d70be7 Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Fri, 17 Mar 2017 15:09:09 +0100
Subject: [PATCH] Fix XSS in adm_config_report.php's action parameter

Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/
reported a vulnerability in the Configuration Report page, allowing an
attacker to inject arbitrary code through a crafted 'action' parameter.

Define a new set of constants (MANAGE_CONFIG_ACTION_*) replacing the
hardcoded strings used in adm_config_report.php and adm_config_set.php.

Sanitize the 'action' parameter to ensure it is only set to one of the
allowed values

Fixes #22537
---
 adm_config_report.php | 20 +++++++++++++++-----
 adm_config_set.php    |  2 +-
 core/constant_inc.php |  4 ++++
 3 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/adm_config_report.php b/adm_config_report.php
index 8c0f017..37e8189 100644
--- a/adm_config_report.php
+++ b/adm_config_report.php
@@ -218,7 +218,17 @@ $t_edit_project_id      = gpc_get_int( 'project_id', $t_filter_project_value ==
 $t_edit_option          = gpc_get_string( 'config_option', $t_filter_config_value == META_FILTER_NONE ? '' : $t_filter_config_value );
 $t_edit_type            = gpc_get_string( 'type', CONFIG_TYPE_DEFAULT );
 $t_edit_value           = gpc_get_string( 'value', '' );
-$t_edit_action          = gpc_get_string( 'action', 'action_create' );
+
+$f_edit_action          = gpc_get_string( 'action', MANAGE_CONFIG_ACTION_CREATE );
+# Ensure we exclusively use one of the defined, valid actions (XSS protection)
+$t_valid_actions = array(
+	MANAGE_CONFIG_ACTION_CREATE,
+	MANAGE_CONFIG_ACTION_CLONE,
+	MANAGE_CONFIG_ACTION_EDIT
+);
+$t_edit_action = in_array( $f_edit_action, $t_valid_actions )
+	? $f_edit_action
+	: MANAGE_CONFIG_ACTION_CREATE;
 
 # Apply filters
 
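Review bot: the allowlist check `$t_edit_action = in_array( $f_edit_action, $t_valid_actions )` should pass `true` as the third argument so the comparison is strict; gpc_get_string() returns a string today, but the strict flag costs nothing and keeps the check sound if the source of $f_edit_action ever changes. Falling back silently to MANAGE_CONFIG_ACTION_CREATE on an unknown value is fine for a display page, but logging the rejected value would make probing of this parameter visible.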
@@ -443,7 +453,7 @@ while( $t_row = db_fetch_array( $t_result ) ) {
 					'config_option' => $v_config_id,
 					'type'          => $v_type,
 					'value'         => $v_value,
-					'action'        => 'action_edit',
+					'action'        => MANAGE_CONFIG_ACTION_EDIT,
 				),
 				OFF );
 			echo '</div>';
@@ -459,7 +469,7 @@ while( $t_row = db_fetch_array( $t_result ) ) {
 					'config_option' => $v_config_id,
 					'type'          => $v_type,
 					'value'         => $v_value,
-					'action'        => 'action_clone',
+					'action'        => MANAGE_CONFIG_ACTION_CLONE,
 				),
 				OFF );
 			echo '</div>';
@@ -514,7 +524,7 @@ if( $t_read_write_access ) {
 		<div class="widget-header widget-header-small">
 		<h4 class="widget-title lighter">
 			<i class="ace-icon fa fa-sliders"></i>
-			<?php echo lang_get( 'set_configuration_option_' . $t_edit_action ) ?>
+			<?php echo lang_get( 'set_configuration_option_action_' . $t_edit_action ) ?>
 			</h4>
 		</div>
 
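Review bot: the key built here, `'set_configuration_option_action_' . $t_edit_action`, resolves to the same language string as before (for example set_configuration_option_action_edit) because the new constants drop the `action_` prefix that the old literals carried; the commit message should say so, since a reader of this diff otherwise expects a matching change to the lang files that is not in the patch.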
@@ -605,7 +615,7 @@ if( $t_read_write_access ) {
 		<div class="widget-toolbox padding-4 clearfix">
 			<input type="hidden" name="action" value="<?php echo $t_edit_action; ?>" />
 			<input type="submit" name="config_set" class="btn btn-primary btn-white btn-round"
-				value="<?php echo lang_get( 'set_configuration_option_' . $t_edit_action ) ?>"/>
+				value="<?php echo lang_get( 'set_configuration_option_action_' . $t_edit_action ) ?>"/>
 		</div>
 	</div>
 	</div>
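Review bot: the context line `<input type="hidden" name="action" value="<?php echo $t_edit_action; ?>" />` is the sink from the report and still echoes $t_edit_action without escaping. The allowlist makes the value safe now, but wrapping it in string_attribute() as the reporter suggested is a one-line second layer that keeps the page safe if a later change widens the allowlist or assigns $t_edit_action somewhere else.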
diff --git a/adm_config_set.php b/adm_config_set.php
index 23c8947..c9e41e9 100644
--- a/adm_config_set.php
+++ b/adm_config_set.php
@@ -134,7 +134,7 @@ if( $t_type != CONFIG_TYPE_STRING ) {
 	}
 }
 
-if( 'action_edit' === $f_edit_action ){
+if( MANAGE_CONFIG_ACTION_EDIT === $f_edit_action ){
 	# EDIT action doesn't keep original if key values are different.
 	if ( $f_original_config_option !== $f_config_option
 			|| $f_original_user_id !== $f_user_id
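Review bot: this hunk only swaps the literal for the constant; the diff adds no allowlist for 'action' in adm_config_set.php, so any value other than MANAGE_CONFIG_ACTION_EDIT takes the non-edit path here. Consider moving the validation added to adm_config_report.php into a shared helper used by both pages so the two cannot drift apart.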
diff --git a/core/constant_inc.php b/core/constant_inc.php
index ffd3665..fd3f26c 100644
--- a/core/constant_inc.php
+++ b/core/constant_inc.php
@@ -655,3 +655,7 @@ define( 'EXPORT_BLOCK_SIZE', 500 );
 # types, 2^31 is a safe limit to be used for all.
 define( 'DB_MAX_INT', 2147483647 );
 
+# Configuration management actions (adm_config_report.php)
+define( 'MANAGE_CONFIG_ACTION_CREATE', 'create' );
+define( 'MANAGE_CONFIG_ACTION_CLONE', 'clone' );
+define( 'MANAGE_CONFIG_ACTION_EDIT', 'edit' );
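Review bot: the constant values ('create', 'clone', 'edit') differ from the literals they replace ('action_create', 'action_edit', 'action_clone'), so this is an externally visible change: a form or bookmarked URL still sending the old values now lands in the create fallback added to adm_config_report.php. That deserves a line in the commit message, and a short comment on each define noting that the value is also part of the lang string key set_configuration_option_action_*.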
-- 
1.9.1

dregad (developer), 2017-03-17 11:49, note ~0056106

CVE Request 307635

YelinAndZhangdongsheng (reporter), 2017-03-17 19:25, note ~0056108

Good job Damien.
We confirmed that the tainted 'action' parameter is sanitized by the patch's white-list validation.
We keep on pivoting Mantis security issues.
When we have insights, we will share.
Best,
Yelin and Zhangdongsheng

dregad (developer), 2017-03-18 05:30, note ~0056109

Many thanks for the feedback and your contribution in improving security in MantisBT, it is greatly appreciated.

Related Changesets

MantisBT: master-1.3.x 034cd07b
2017-03-17 09:20:14
dregad

Fix XSS in adm_config_report.php's action parameter

Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/
reported a vulnerability in the Configuration Report page, allowing an
attacker to inject arbitrary code through a crafted 'action' parameter.

Define a new set of constants (MANAGE_CONFIG_ACTION_*) replacing the
hardcoded strings used in adm_config_report.php and adm_config_set.php.

Sanitize the 'action' parameter to ensure it is only set to one of the
allowed values

Fixes 0022537
mod - adm_config_report.php
mod - adm_config_set.php
mod - core/constant_inc.php

MantisBT: master-2.2 da74c5aa
2017-03-17 10:09:09
dregad

(commit message identical to 034cd07b above)
mod - adm_config_report.php
mod - adm_config_set.php
mod - core/constant_inc.php

MantisBT: master-2.1 15e52e84
2017-03-17 10:09:09
dregad

(commit message identical to 034cd07b above)
mod - adm_config_report.php
mod - adm_config_set.php
mod - core/constant_inc.php

Issue History

Date Modified Username Field Change
2017-03-17 04:50 YelinAndZhangdongsheng New Issue
2017-03-17 05:03 atrol Status new => confirmed
2017-03-17 07:55 dregad Assigned To => dregad
2017-03-17 07:55 dregad Status confirmed => assigned
2017-03-17 07:55 dregad Note Added: 0056101
2017-03-17 07:56 dregad Severity minor => major
2017-03-17 07:56 dregad Product Version 2.2.1 => 1.3.0-rc.2
2017-03-17 07:56 dregad Target Version => 1.3.8
2017-03-17 07:56 dregad Steps to Reproduce Updated
2017-03-17 07:56 dregad Relationship added related to 0020058
2017-03-17 11:12 dregad File Added: 0001-Fix-XSS-in-adm_config_report.php-s-action-parameter.patch
2017-03-17 11:12 dregad Note Added: 0056105
2017-03-17 11:12 dregad Status assigned => feedback
2017-03-17 11:13 dregad Note Edited: 0056105
2017-03-17 11:49 dregad Note Added: 0056106
2017-03-17 13:26 dregad Summary XSS in adm_config_report.php => CVE-2017-6973: XSS in adm_config_report.php
2017-03-17 19:25 YelinAndZhangdongsheng Note Added: 0056108
2017-03-17 19:25 YelinAndZhangdongsheng Status feedback => assigned
2017-03-18 05:30 dregad Note Added: 0056109
2017-03-20 10:59 dregad Changeset attached => MantisBT master-2.2 da74c5aa
2017-03-20 10:59 dregad Status assigned => resolved
2017-03-20 10:59 dregad Resolution open => fixed
2017-03-20 10:59 dregad Fixed in Version => 2.2.2
2017-03-20 10:59 dregad Changeset attached => MantisBT master-1.3.x 034cd07b
2017-03-20 10:59 dregad Changeset attached => MantisBT master-2.1 15e52e84
2017-03-20 11:06 dregad Fixed in Version 2.2.2 => 1.3.8
2017-03-20 11:06 dregad View Status private => public
2017-03-21 18:53 dregad Status resolved => closed
2017-03-21 19:56 dregad Issue cloned: 0022562
2017-03-21 19:56 dregad Relationship added parent of 0022562
2017-03-21 20:05 dregad Relationship added parent of 0022565