View Issue Details

ID: 0011206
Project: mantisbt
Category: security
View Status: public
Last Update: 2018-09-04 02:52
Reporter: marboi
Assigned To: dhx
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.1.8
Target Version: 1.1.9
Fixed in Version: 1.1.9
Summary: 0011206: XSS on view_filters_page.php?target_field=...
Description

There is a cross site scripting on the target_field argument of view_filters_page.php

It seems that this was an old bug that was /supposed/ to be fixed in 1.0.0rc4

This was found by a generic web app test from Nessus.
http://www.nessus.org/plugins/index.php?view=single&id=39466

Steps To Reproduce

Something like
http://HOST/mantis/view_filters_page.php?target_field=%22%3C/script%3E%3Cscript%3Ealert%2842%29;%3C/script%3E
may produce it. You will have an alert with Firefox, not with Safari, as the syntax is invalid; if you inspect the HTML source, you'll see that the script is not filtered out.

Tags: No tags attached.

Activities

giallu

2009-11-21 17:54

reporter   ~0023783

Confirmed, the offending HTML produced is:

    <script type="text/javascript" language="JavaScript">
    <!--
    function SetInitialFocus() {
        field_to_focus = ""</script><script>alert(42);</script>";
        if ( field_to_focus ) {
            eval( "document.filters['" + field_to_focus + "'].focus()" );
        }

        SwitchDateFields();
    }
dhx

2009-11-22 07:49

reporter   ~0023784

Paul committed http://git.mantisbt.org/?p=mantisbt.git;a=commit;h=b71d129466dc38ad6a9154ab1aff13f30034a601 in mid 2008 that "fixed" this problem for 1.2.x. However I found a bug in that check whereby:

view_filters_page.php?target_field=status[]<script>...</script>

Would make this XSS bug work on all current versions of Mantis (1.1.x, 1.2.x and 1.3.x). I've fixed this in all branches.

Thanks for reporting this security issue and apologies for the delayed response. I've been away/busy for the past few days so I haven't had time to look at it until now.
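The note above describes the root cause: a check on target_field that accepted "status[]<script>..." because the value began with a valid field name. The following is an added example, not MantisBT's own code, showing the two defensive layers a fix like this needs: an allow-list match anchored to the whole string (so a valid prefix is not enough), and JavaScript-string encoding of whatever is emitted into the inline script, so that a stray "</script>" can never close the block. The field list, the function names validate_target_field() and render_focus_script(), and the sample inputs are all constructed for illustration; the example also drops the eval() seen in giallu's output in favour of a plain property lookup, which is a design choice of this example rather than something the page states.

```php
<?php
// Added example (not MantisBT code). Constructed allow-list of filter form
// fields; a real application would derive this from its filter definition.
const FILTER_FIELDS = ['status', 'priority', 'severity', 'category_id', 'reporter_id'];

/**
 * Return the canonical field name if $input names a known filter field,
 * optionally with an array suffix ("status[]"); otherwise return null.
 *
 * The regex is anchored at both ends (the D modifier stops '$' from
 * tolerating a trailing newline), so "status[]<script>..." fails the match
 * instead of passing on its valid prefix.
 */
function validate_target_field(string $input): ?string
{
    if (preg_match('/^([a-z_]+)(\[\])?$/D', $input, $m) !== 1) {
        return null;
    }
    if (!in_array($m[1], FILTER_FIELDS, true)) {
        return null;
    }
    return $m[1] . (isset($m[2]) ? $m[2] : '');
}

/**
 * Emit the focus script for an already-validated field name (or null).
 *
 * Validation alone is not the output defence: the value is still encoded
 * for the JavaScript string context with json_encode(), whose JSON_HEX_*
 * flags turn <, >, ", ' and & into \uXXXX escapes, so the HTML parser can
 * never see a "</script>" inside the literal.
 */
function render_focus_script(?string $field): string
{
    $js_literal = json_encode(
        $field ?? '',
        JSON_HEX_TAG | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_HEX_APOS
    );

    return "<script type=\"text/javascript\">\n"
         . "function SetInitialFocus() {\n"
         . "    var field_to_focus = " . $js_literal . ";\n"
         . "    if (field_to_focus) {\n"
         . "        document.filters[field_to_focus].focus();\n"   // no eval()
         . "    }\n"
         . "}\n"
         . "</script>\n";
}

// Constructed inputs: two legitimate values and the two malformed shapes
// quoted in this issue (the report and the fix's commit message).
$samples = [
    'status',
    'status[]',
    'status[]<script>bad_code();</script>',
    '"</script><script>alert(42);</script>',
];

foreach ($samples as $s) {
    $v = validate_target_field($s);
    printf("%-45s -> %s\n", var_export($s, true), $v === null ? 'rejected' : "accepted as $v");
}

// Only a validated name ever reaches the template.
echo render_focus_script(validate_target_field('status[]'));
```

Run it with `php example.php`: the first two samples are accepted, the other two are rejected, and the emitted script contains `"status[]"` as a JSON-encoded literal. Even if a future change loosened the allow-list, the encoding step on its own would keep the injected `</script>` from breaking out of the string.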

Related Changesets

MantisBT: master-1.1.x 231e580e

2008-07-09 15:12

Paul Richards

Committer: dhx


Target field should be included in definition of filter_get_default

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@5400 f5dc347c-c33d-0410-90a0-b07cc1902cb9

Affected Issues
0011206
mod - view_filters_page.php

MantisBT: master-1.1.x 8ecb5fa4

2009-11-22 07:37

dhx


Fix 0011026: Fix XSS bug in view_filters_page.php

Fix a parsing/validation error whereby a target_field input of the form
"status[]<script>bad_code();</script>" would be printed directly to
HTML, thus leading to a XSS vulnerability.
Affected Issues
0011206
mod - view_filters_page.php

MantisBT: master-1.2.x 2730f010

2009-11-22 07:37

dhx


Fix 0011026: Fix XSS bug in view_filters_page.php

Fix a parsing/validation error whereby a target_field input of the form
"status[]<script>bad_code();</script>" would be printed directly to
HTML, thus leading to a XSS vulnerability.
Affected Issues
0011206
mod - view_filters_page.php

MantisBT: master c154fafc

2009-11-22 07:37

dhx


Fix 0011026: Fix XSS bug in view_filters_page.php

Fix a parsing/validation error whereby a target_field input of the form
"status[]<script>bad_code();</script>" would be printed directly to
HTML, thus leading to a XSS vulnerability.
Affected Issues
0011206
mod - view_filters_page.php