MantisBT: master-1.2.x 317f3db3

Author Committer Branch Timestamp Parent
dhx dhx master-1.2.x 2011-08-18 03:43 master-1.2.x 9869270e
Affected Issues  0013245: Cross site scripting and remote SQL injection vulnerabilities
Changeset

Fix 0013245: XSS issues with search.php parameters

Net.Edit0r (Net.Edit0r@Att.net) from BlACK Hat Group
[http://black-hg.org] posted a vulnerability report for an XSS issue in
search.php for MantisBT 1.2.6.

The full report is available at
http://packetstormsecurity.org/files/104149

filter_api.php is the culprit for this vulnerability as it passes user
supplied search parameters back into output without first escaping the
values.

It should be noted that numerous other XSS vulnerabilities (all related)
have been fixed with this patch. In other words, it is not just the
project_id parameter to search.php that was affected - it was numerous
other parameters/fields as well.

The second SQL injection vulnerability identified by Net.Edit0r is
invalid because the only time we ever make reference to "mbadmin" in the
source code is:

core.php:
if ( file_exists( 'mantis_offline.php' ) && !isset( $_GET['mbadmin'] ) )

This usage is safe because nothing is ever done with $_GET['mbadmin'].
It may be the case that the user's customised version of
mantis_offline.php was incorrectly dumping the value of $_GET['mbadmin']
to the screen. The default/sample mantis_offline.php has been checked
and does not print any dynamically created strings/user supplied values.

mod - core/filter_api.php Diff File