View Issue Details

ID: 0022742
Project: mantisbt
Category: security
View Status: public
Last Update: 2017-04-30 14:48
Reporter: dregad
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.3.0
Target Version: 2.3.2
Fixed in Version: 2.3.2
Summary: 0022742: CVE-2017-7897: XSS in timeline_inc.php (affects my_view_page.php and view_user_page.php)
Description

$_SERVER['PHP_SELF'] is not sanitized before being used to generate URLs.

Yes, we have a CSP policy in place, but it can be optionally disabled per application config, and it does not include prefixed headers, so IE 10/11 would be susceptible as they use X-Content-Security-Policy according to CanIUse.

Steps To Reproduce

Navigate to

  • /view_user_page.php/"><script>alert(1)</script><x
  • /my_view_page.php/"><script>alert(1)</script><x
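The following is an added example, not code from MantisBT, that models the bug above with a constructed $_SERVER array so it runs offline under php-cli. It assumes the web server delivers the trailing URL segment to PHP as PATH_INFO (which is what makes PHP_SELF differ from SCRIPT_NAME), and it uses PHP's built-in htmlspecialchars() in place of MantisBT's string_sanitize_url() so that there is no dependency on the MantisBT core; the function and variable names are illustrative, not MantisBT's.

```php
<?php
// Added example, not code from MantisBT. It models the bug described in this
// issue with a constructed $_SERVER array so it runs offline under php-cli.
//
// Constructed environment for the reproduction URL on this page:
//   GET /view_user_page.php/"><script>alert(1)</script><x
// When the web server hands the trailing segment to PHP as PATH_INFO,
// PHP_SELF is SCRIPT_NAME with that attacker-controlled segment appended.
function request_env(string $path_info): array {
    $env = [
        'SCRIPT_NAME' => '/view_user_page.php',
        'PATH_INFO'   => $path_info,
    ];
    $env['PHP_SELF'] = $env['SCRIPT_NAME'] . $env['PATH_INFO'];
    return $env;
}

// Vulnerable pattern: a link back to the current page is built from
// PHP_SELF and written unescaped into an href attribute. The injected
// segment closes the attribute and the tag, and the <script> lands in the page.
function vulnerable_link(array $server, int $max_events): string {
    $url = $server['PHP_SELF'] . '?max_events=' . $max_events;
    return '<a href="' . $url . '">more</a>';
}

// Hardened pattern, following the fix described in the changeset: build the
// URL from SCRIPT_NAME, which the server sets from the resolved script path
// and which never carries PATH_INFO, then escape it for the attribute
// context anyway. MantisBT's fix routes the value through its own
// string_sanitize_url(); htmlspecialchars() stands in for it here so the
// example has no dependency on the MantisBT core.
function hardened_link(array $server, int $max_events): string {
    $url = $server['SCRIPT_NAME'] . '?max_events=' . $max_events;
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">more</a>';
}

// Check used below: does the rendered link contain a script element?
function contains_script(string $html): bool {
    return stripos($html, '<script') !== false;
}

$attack = request_env('/"><script>alert(1)</script><x');
$clean  = request_env('');

echo "vulnerable, attack URL: ", vulnerable_link($attack, 50), PHP_EOL;
echo "hardened,   attack URL: ", hardened_link($attack, 50), PHP_EOL;
echo "hardened,   clean URL:  ", hardened_link($clean, 50), PHP_EOL;

// The vulnerable link carries the payload; the hardened one does not.
if (!contains_script(vulnerable_link($attack, 50))) {
    throw new RuntimeException('expected the vulnerable link to carry the payload');
}
if (contains_script(hardened_link($attack, 50))) {
    throw new RuntimeException('hardened link still carries the payload');
}
// With no PATH_INFO the two variables agree, so the fix changes nothing
// for ordinary requests.
if ($clean['PHP_SELF'] !== $clean['SCRIPT_NAME']) {
    throw new RuntimeException('PHP_SELF and SCRIPT_NAME should match without PATH_INFO');
}
```

Run it with `php xss_path_info.php` (file name assumed). Whether a live server reproduces the issue depends on its PATH_INFO handling (for example Apache's AcceptPathInfo), which is why the example constructs the variables rather than reading the real $_SERVER; note that the hardened version still escapes SCRIPT_NAME rather than trusting it, matching the two-step fix (SCRIPT_NAME plus sanitization) described in the changeset.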
Additional Information

Initially reported by user quantumpacket in https://github.com/mantisbt/mantisbt/pull/1094

Tags: No tags attached.

Relationships

related to 0022585 (closed, cproensa): Show timeline for specific user

Activities

dregad (developer) 2017-04-18 10:36 ~0056608

Introduced in 2.3.0 - MantisBT master e2d1de8a

dregad (developer) 2017-04-18 12:44 ~0056611

CVE Request 321514

Related Changesets

MantisBT: master-2.3 a1c71931
2017-04-18 11:49:41, dregad
Fix XSS in timeline_inc.php

Use of $_SERVER['PHP_SELF'] and outputting it as-is allows an attacker
to inject arbitrary JavaScript as part of the URL.

Using SCRIPT_NAME and passing it through string_sanitize_url() instead
prevents the attack.

Fixes 0022742
Fixes https://github.com/mantisbt/mantisbt/pull/1094
mod - core/timeline_inc.php

Issue History

Date Modified Username Field Change
2017-04-18 10:35 dregad New Issue
2017-04-18 10:36 dregad Assigned To => dregad
2017-04-18 10:36 dregad Status new => confirmed
2017-04-18 10:36 dregad Note Added: 0056608
2017-04-18 10:41 dregad Relationship added related to 0022585
2017-04-18 12:15 dregad Changeset attached => MantisBT master-2.3 a1c71931
2017-04-18 12:15 dregad Status confirmed => resolved
2017-04-18 12:15 dregad Resolution open => fixed
2017-04-18 12:19 dregad Fixed in Version => 2.3.2
2017-04-18 12:26 dregad Summary XSS in timeline_inc.php (affects my_view_page.php and => XSS in timeline_inc.php (affects my_view_page.php and view_user_page.php)
2017-04-18 12:35 dregad View Status private => public
2017-04-18 12:44 dregad Note Added: 0056611
2017-04-18 13:26 dregad Summary XSS in timeline_inc.php (affects my_view_page.php and view_user_page.php) => CVE-2017-7897: XSS in timeline_inc.php (affects my_view_page.php and view_user_page.php)
2017-04-30 14:48 vboctor Status resolved => closed