0024731: CVE-2018-16514: Reflected XSS in view_filters_page.php via core/filter_form_api.php - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update
0024731	mantisbt	security	public	2018-09-03 15:25	2018-09-25 04:19

Reporter	geeknik	Assigned To	dregad
Priority	high	Severity	major	Reproducibility	always
Status	closed	Resolution	fixed
Target Version	2.17.1	Fixed in Version	2.17.1

Summary	0024731: CVE-2018-16514: Reflected XSS in view_filters_page.php via core/filter_form_api.php
Description	On sites that do not have CORS security headers or poorly-configured CORS headers (or for users of Internet Explorer 10, 11 and maybe Edge?), there exists a reflected XSS flaw in view_filters_page.php, which I believe is enabled by bad code in core/filter_form_api.php starting at Line 0002779: https://github.com/mantisbt/mantisbt/blob/006cd0cd90c37097e1a065fd3e59ce2534490834/core/filter_form_api.php#L2779 On sites that do have properly configured CORS headers (and browsers that care about CORS headers), this will show up in the Firefox web console: Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src”). Source: onmouseover attribute on A element. Even still, the code is still reflected back across the TD cells despite the browser refusing to execute it: <tr><td class="small-caption category "><a href="/bugs/view_filters_page.php/"onmouseover='prompt(1)'bad="?for_screen=1&static=1&view_type=simple" id="reporter_id_filter" class="dynamic-filter-expander">Reporter</a>
Steps To Reproduce	https://mantisbt.org/bugs/view_filters_page.php/"onmouseover%3d'prompt(1)'bad%3d"
Additional Information	I've attached a screenshot showing the flaw being reproduced on this very site with IE 11.0.9600.19100.
Tags	No tags attached.
Attached Files

geeknik 2018-09-03 15:26 reporter ~0060596	Screenshot. Screenshot_2018-09-03_13-51-43.png (139,214 bytes) Screenshot_2018-09-03_13-51-43.png (139,214 bytes)

dregad 2018-09-04 04:36 developer ~0060597	Thanks for the detailed bug report. We will look into it. Did you request a CVE for this ? If not, should we take care of it ? How would you like to be credited for the finding ?

dregad 2018-09-04 11:10 developer ~0060598	This is very similar to 0024580 - the attack vector is slightly different (onmouseover)

dregad 2018-09-04 11:27 developer ~0060599	I can reproduce the problem. It is indeed the same root cause as 0024580, i.e. use of `$_SERVER['PHP_SELF']` to specify the fallback page. Unfortunately the earlier fix (calling string_sanitize_url) did not fully address the vulnerability. It's worth mentioning that the same vulnerability also is also present in manage_filter_edit_page.php : http://path.to/mantisbt/manage_filter_edit_page.php/%22onmouseover%3d'alert("XSS")'bad%3d%22?filter_id=7621 I think we just need to get rid of using PHP_SELF.

dregad 2018-09-05 06:22 developer ~0060602	CVE Request 563901 sent to MITRE

dregad 2018-09-05 08:12 developer ~0060603	Proposed fix, please review 0001-Use-SCRIPT_NAME-instead-of-PHP_SELF.patch (1,104 bytes) From 66091a42626631a3063774eb0fb8a4218ab22fd4 Mon Sep 17 00:00:00 2001 From: Damien Regad <dregad@mantisbt.org> Date: Wed, 5 Sep 2018 01:39:06 +0200 Subject: [PATCH] Use SCRIPT_NAME instead of PHP_SELF Fix XSS in view_filters_page.php and manage_filter_edit_page.php Fixes #24731 --- core/filter_form_api.php \| 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/core/filter_form_api.php b/core/filter_form_api.php index 05d5c39e1..7b38752fd 100644 --- a/core/filter_form_api.php +++ b/core/filter_form_api.php @@ -2393,10 +2393,9 @@ function filter_form_draw_inputs( $p_filter, $p_for_screen = true, $p_static = f } if( null === $p_static_fallback_page ) { - $p_static_fallback_page = $_SERVER['PHP_SELF']; - $p_static_fallback_page = string_sanitize_url( $_SERVER['PHP_SELF'] ); + $p_static_fallback_page = $_SERVER['SCRIPT_NAME']; } - $t_filters_url = $p_static_fallback_page; + $t_filters_url = helper_mantis_url( $p_static_fallback_page ); $t_get_params = $_GET; $t_get_params['for_screen'] = $p_for_screen; $t_get_params['static'] = ON; -- 2.16.1.windows.1 0001-Use-SCRIPT_NAME-instead-of-PHP_SELF.patch (1,104 bytes)

atrol 2018-09-05 09:26 developer ~0060604	Did a few tests. Fix looks good, also concerning 0024580:0060220

geeknik 2018-09-05 10:06 reporter ~0060605	dregad, can you credit Brian Carpenter - Geeknik Labs? Thank you.

dregad 2018-09-05 10:48 developer ~0060606	CVE-2018-16514 assigned