View Issue Details

ID: 0023166
Project: mantisbt
Category: security
View Status: public
Last Update: 2017-09-03 18:41
Reporter: trichimtrich
Assigned To: atrol
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.1.0
Target Version: 2.5.2
Fixed in Version: 2.5.2
Summary: 0023166: CVE-2017-12062: XSS in manage_user_page.php
Description

The filter field is not sanitized before being rendered in the input tag.

$f_filter = utf8_strtoupper( gpc_get_string( 'filter', config_get( 'default_manage_user_prefix' ) ) );
/* ...
<strip>
... */
<input type="hidden" name="filter" value="<?php echo $f_filter ?>" />

There are also Content-Security-Policy and X-Content-Type headers, but we can still inject a style tag to trigger XSS in IE10/11, or a user may have disabled CSP/XCT, which leads to abuse of the script tag.

Steps To Reproduce

It's a little bit harder because the input was formatted with strtoupper.
We can still bypass it using this payload:

http://localhost/mantisbt/manage_user_page.php
?sort=username
&dir=desc
&save=1
&hideinactive=0
&showdisabled=0
&filter=ALL"><SVG ONLOAD=&#97&#108&#101&#114&#116(1)><IMG SRC="X
Tags: No tags attached.

Relationships

related to 0021551 (closed, community): Manage Users pagination loses filter letter

Activities

trichimtrich (reporter) 2017-07-27 16:19 ~0057342

There is an issue with markdown for the above content in "Steps To Reproduce". I uploaded an image of the bypass payload that triggers XSS if the user has disabled CSP.

atrol (developer) 2017-07-27 17:13 ~0057343

Introduced in 2.1.0 when fixing 0021551.

atrol (developer) 2017-07-27 17:14 ~0057344

@trichimtrich thanks for creating this report.
Please set View Status to private when reporting security related issues.
http://www.mantisbt.org/wiki/doku.php/mantisbt:handling_security_problems

Can you confirm that changing the mentioned line to

<input type="hidden" name="filter" value="<?php echo string_attribute( $f_filter) ?>" />

fixes the issue?
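The report's raw `echo $f_filter` and the `string_attribute()` wrapper proposed above, side by side, as an added example that is not MantisBT's own code; it parses both outputs to show why escaping at the point of output is the fix. `string_attribute_demo()` and `mb_strtoupper()` are stand-ins assumed to behave like the project's `string_attribute()` and `utf8_strtoupper()`.

```php
<?php
// Added example, not MantisBT's own code: the vulnerable and the fixed
// rendering of the hidden 'filter' input from this issue, plus a parse check.

// Stand-in for MantisBT's string_attribute(); assumed behaviour is an
// HTML escape for attribute context. mb_strtoupper() stands in for
// utf8_strtoupper(). Both are assumptions, not the project's code.
function string_attribute_demo( string $p_string ): string {
    return htmlspecialchars( $p_string, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

// As shipped from 2.1.0 to 2.5.1: uppercased, but never escaped.
function render_filter_vulnerable( string $p_filter ): string {
    $t_filter = mb_strtoupper( $p_filter, 'UTF-8' );
    return '<input type="hidden" name="filter" value="' . $t_filter . '" />';
}

// As proposed in the thread: escape at the point of output.
function render_filter_fixed( string $p_filter ): string {
    $t_filter = mb_strtoupper( $p_filter, 'UTF-8' );
    return '<input type="hidden" name="filter" value="'
        . string_attribute_demo( $t_filter ) . '" />';
}

// Parse the fragment as a browser would and report how many <input>
// elements resulted, how many other elements appeared beside them, and
// the value the first input actually carries.
function inspect_markup( string $p_html ): array {
    libxml_use_internal_errors( true );
    $t_dom = new DOMDocument();
    $t_dom->loadHTML( '<!DOCTYPE html><html><body>' . $p_html . '</body></html>' );
    $t_inputs = $t_dom->getElementsByTagName( 'input' );
    $t_others = 0;
    foreach ( $t_dom->getElementsByTagName( 'body' )->item( 0 )->childNodes as $t_node ) {
        if ( $t_node->nodeType === XML_ELEMENT_NODE && $t_node->nodeName !== 'input' ) {
            $t_others++;
        }
    }
    $t_value = $t_inputs->length ? $t_inputs->item( 0 )->getAttribute( 'value' ) : null;
    return [ 'inputs' => $t_inputs->length, 'other_elements' => $t_others, 'value' => $t_value ];
}

// Constructed input shaped like the report's payload, in lowercase to show
// that uppercasing changes nothing about the attribute breakout.
$t_input = 'all"><svg onload=x><img src="y';
print_r( inspect_markup( render_filter_vulnerable( $t_input ) ) ); // extra elements beside the input
print_r( inspect_markup( render_filter_fixed( $t_input ) ) );      // one input, value round-trips
```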

atrol (developer) 2017-07-27 17:22 ~0057345

Reminder sent to: dregad, vboctor

Should we target to 2.5.2 or 2.6.0?

trichimtrich (reporter) 2017-07-27 22:52 ~0057346

I can confirm the change above fixes the issue.
The bug also affects 2.6.0; we should change the target to the latest version.

vboctor (manager) 2017-07-28 01:41 ~0057348

@atrol as a security fix, I would target for 2.5.2 and we will merge into 2.6.0 along with other 2.5.2 fixes.

atrol (developer) 2017-07-29 13:53 ~0057358

The bug also affects 2.6.0; we should change the target to the latest version.

The bug was introduced in 2.1.0 and all following versions are affected; that's why I set the Product Version field to 2.1.0.
The plan is to fix it in 2.5.2 and 2.6.0.

I would target for 2.5.2

Created the version and set target version

dregad (developer) 2017-07-31 19:02 ~0057364

I am requesting a CVE ID to be assigned for this issue.

@trichimtrich please let us know how you would like to be credited for the finding

trichimtrich (reporter) 2017-07-31 21:50 ~0057366

You can use the same Twitter name here, @trichimtrich.
Great work, thank you.

dregad (developer) 2017-08-01 05:57 ~0057369

CVE-2017-12062 has been assigned [scr368900]

dregad (developer) 2017-08-04 19:18 ~0057395

OSS security mailing list posting http://www.openwall.com/lists/oss-security/2017/08/01/1

Related Changesets

MantisBT: master-2.5 9b5b71da
2017-07-27 17:14:00
Author: atrol
Committer: dregad
Fix XSS in manage_user_page.php (CVE-2017-12062)

trichimtrich (https://twitter.com/trichimtrich) reported this
vulnerability, allowing an attacker to inject arbitrary code through a
crafted 'filter' form variable.

Prevent the attack by sanitizing the variable before output.

Fixes 0023166

Signed-off-by: Damien Regad <dregad@mantisbt.org>
mod - manage_user_page.php

Issue History

Date Modified Username Field Change
2017-07-27 16:14 trichimtrich New Issue
2017-07-27 16:17 atrol View Status public => private
2017-07-27 16:19 trichimtrich File Added: Screen Shot 2017-07-28 at 4.18.16 AM.png
2017-07-27 16:19 trichimtrich Note Added: 0057342
2017-07-27 16:30 atrol Relationship added related to 0021551
2017-07-27 17:13 atrol Product Version 2.5.1 => 2.1.0
2017-07-27 17:13 atrol Note Added: 0057343
2017-07-27 17:14 atrol Status new => feedback
2017-07-27 17:14 atrol Note Added: 0057344
2017-07-27 17:22 atrol Note Added: 0057345
2017-07-27 22:52 trichimtrich Note Added: 0057346
2017-07-27 22:52 trichimtrich Status feedback => new
2017-07-28 01:41 vboctor Note Added: 0057348
2017-07-29 13:53 atrol Note Added: 0057358
2017-07-29 13:53 atrol Status new => confirmed
2017-07-29 13:53 atrol Target Version => 2.5.2
2017-07-31 19:02 dregad Note Added: 0057364
2017-07-31 21:50 trichimtrich Note Added: 0057366
2017-08-01 05:57 dregad Summary XSS in manage_user_page.php => CVE-2017-12062: XSS in manage_user_page.php
2017-08-01 05:57 dregad Note Added: 0057369
2017-08-01 09:17 dregad Changeset attached => MantisBT master-2.5 9b5b71da
2017-08-01 09:17 atrol Assigned To => atrol
2017-08-01 09:17 atrol Status confirmed => resolved
2017-08-01 09:17 atrol Resolution open => fixed
2017-08-01 09:17 atrol Fixed in Version => 2.5.2
2017-08-01 09:23 dregad View Status private => public
2017-08-04 19:18 dregad Note Added: 0057395
2017-09-03 18:41 vboctor Status resolved => closed