From 5068df2dcf79c34741c746c9b27e0083f2a374da Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Tue, 7 Jun 2016 00:25:37 +0200
Subject: [PATCH] Fix XSS in custom fields management

Kacper Szurek (http://security.szurek.pl/) discovered an XSS
vulnerability in Custom fields management pages, caused by unescaped
output of 'return URL' GPC parameter. His report describes two ways to
exploit this issue:

1. using 'accesskey' inside hidden input field (see [1]) reflects XSS to
   the administrator in manage_custom_field_edit_page.php when the
   keyboard shortcut is actioned
2. using 'javascript:' URI scheme executes the code when the user clicks
   the [Proceed] link on manage_custom_field_update.php after updating
   a custom field

This commit fixes both attack vectors:

- properly escape the return URL prior to printing it on the hidden form
  field
- let html_operation_successful() sanitize the URL before displaying
  it, just like html_meta_redirect() does. In this case, if the
  string contains a URI scheme, it will be replaced by 'index.php'

[1] http://blog.portswigger.net/2015/11/xss-in-hidden-input-fields.html

Fixes #20956

This is a backport from master 3f2779b4c6dc8d465fb73c08cfa1d806184d2e79.
---
 account_prefs_update.php         | 2 +-
 manage_config_revert.php         | 2 +-
 manage_custom_field_delete.php   | 2 +-
 manage_custom_field_update.php   | 2 +-
 print_all_bug_options_update.php | 2 +-
 set_project.php                  | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/account_prefs_update.php b/account_prefs_update.php
index 672c65b..74e5665 100644
--- a/account_prefs_update.php
+++ b/account_prefs_update.php
@@ -115,6 +115,6 @@
 	echo lang_get( 'operation_successful' );
 
 	echo '<br />';
-	print_bracket_link( $f_redirect_url, lang_get( 'proceed' ) );
+	print_bracket_link( string_sanitize_url( $f_redirect_url ), lang_get( 'proceed' ) );
 	echo '<br /></div>';
 	html_page_bottom();
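Review bot: The added string_sanitize_url() call on the changed line handles the `javascript:` scheme vector, but the value is still emitted as an href through print_bracket_link(), so the fix relies on that helper escaping its first argument for HTML attribute context; confirm it does, because a sanitizer that only rewrites the scheme can still pass `"` or `<` through. Sanitizing at the sink also means any later print_bracket_link() or other output of `$f_redirect_url` silently reopens the issue; applying the sanitizer once where `$f_redirect_url` is first assigned (outside this hunk) would cover every use on the page. The enclosing PHP block starts outside the hunk.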
diff --git a/manage_config_revert.php b/manage_config_revert.php
index 8c2d029..69bc0bd 100644
--- a/manage_config_revert.php
+++ b/manage_config_revert.php
@@ -65,7 +65,7 @@
 <div align="center">
 <?php
 	echo lang_get( 'operation_successful' ).'<br />';
-	print_bracket_link( $t_redirect_url, lang_get( 'proceed' ) );
+	print_bracket_link( string_sanitize_url( $t_redirect_url ), lang_get( 'proceed' ) );
 ?>
 </div>
 
diff --git a/manage_custom_field_delete.php b/manage_custom_field_delete.php
index 62c56fb..75325e1 100644
--- a/manage_custom_field_delete.php
+++ b/manage_custom_field_delete.php
@@ -58,7 +58,7 @@
 <div align="center">
 <?php
 	echo lang_get( 'operation_successful' ) . '<br />';
-	print_bracket_link( $f_return, lang_get( 'proceed' ) );
+	print_bracket_link( string_sanitize_url( $f_return ), lang_get( 'proceed' ) );
 ?>
 </div>
 
diff --git a/manage_custom_field_update.php b/manage_custom_field_update.php
index d56dbfb..befbc06 100644
--- a/manage_custom_field_update.php
+++ b/manage_custom_field_update.php
@@ -64,7 +64,7 @@
 
 	echo lang_get( 'operation_successful' ) . '<br />';
 
-	print_bracket_link( $f_return, lang_get( 'proceed' ) );
+	print_bracket_link( string_sanitize_url( $f_return ), lang_get( 'proceed' ) );
 
 	echo '</div>';
 
diff --git a/print_all_bug_options_update.php b/print_all_bug_options_update.php
index ab1a1d4..bec71e0 100644
--- a/print_all_bug_options_update.php
+++ b/print_all_bug_options_update.php
@@ -79,6 +79,6 @@
 	}
 
 	echo '<br />';
-	print_bracket_link( $f_redirect_url, lang_get( 'proceed' ) );
+	print_bracket_link( string_sanitize_url( $f_redirect_url ), lang_get( 'proceed' ) );
 	echo '<br /></div>';
 	html_page_bottom();
diff --git a/set_project.php b/set_project.php
index e09155d..aeed92b 100644
--- a/set_project.php
+++ b/set_project.php
@@ -109,7 +109,7 @@
 <?php
 	echo lang_get( 'operation_successful' ).'<br />';
 
-	print_bracket_link( $t_redirect_url, lang_get( 'proceed' ) );
+	print_bracket_link( string_sanitize_url( $t_redirect_url ), lang_get( 'proceed' ) );
 ?>
 </div>
 
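Review bot: `$t_redirect_url` is a derived (`t_`-prefixed) value rather than the raw parameter, so if it is built from user input above this hunk — outside it — the sanitizer fits better at that assignment than at the link: as written, the [Proceed] link shows the sanitized URL while any other consumer of `$t_redirect_url` on the page, such as a meta redirect, still sees the raw one. Moving the call to the assignment, e.g. `$t_redirect_url = string_sanitize_url( ... );`, keeps both consistent and leaves this line as a plain `print_bracket_link( $t_redirect_url, lang_get( 'proceed' ) );`. The enclosing PHP block begins outside the hunk.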
-- 
2.7.4

