MantisBT: master-1.2.x e679a1c0

Diff Back to Repository
Author Committer Branch Timestamp Parent
dhx dhx master-1.2.x 2011-09-05 02:36 master-1.2.x cb74408f
Affected Issues  0013191: XSS vulnerability dues to usage of PHP_SELF
Changeset

Fix 0013191: Prevent further XSS issues relating to PHP_SELF

Silvia Alvarez (Debian package manager for MantisBT) has performed
additional testing of patch d00745f5e267eba4ca34286d125de685bc3a8034
and discovered that the XSS problems surrounding the use of
$_SERVER['PHP_SELF'] have not been fully fixed.

The form_action_self() function also used $_SERVER['PHP_SELF']
(retrieving the basename() component of the file name). Callees of this
function did not escape this file name prior to printing it in the
'action' attribute of <form> elements.

This patch swaps out PHP_SELF for SCRIPT_NAME (much safer as end users
have no control over the value) and also applies escaping to the
'action' attribute of relevant <form> elements.

Refer to Debian bug report #640297 [1] and dicussion on the mantisbt-dev
mailing list for further details.

Thank you Sils for the detailed analysis of the problem, detailed
report, proposed solutions and extensive testing of patches for the
latest round of vulnerabilities discovered.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640297
mod - billing_inc.php Diff File
mod - bugnote_stats_inc.php Diff File
mod - core/authentication_api.php Diff File
mod - core/form_api.php Diff File
mod - core/helper_api.php Diff File
mod - manage_config_email_page.php Diff File
mod - manage_config_work_threshold_page.php Diff File
mod - manage_config_workflow_page.php Diff File