View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0013191 | mantisbt | security | public | 2011-07-31 03:25 | 2014-09-23 18:05 |
Reporter | rombert | Assigned To | grangeway | ||
Priority | urgent | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 1.2.6 | ||||
Target Version | 1.2.8 | Fixed in Version | 1.2.8 | ||
Summary | 0013191: XSS vulnerability due to usage of PHP_SELF | ||||
Description | I received the following email from Paulino Calderon calderon@websec.mx: "Hi, It seems you're not sanitizing PHP's PHP_SELF variable, making all your pages vulnerable to cross site scripting attacks." | ||||
Tags | No tags attached. | ||||
Reminder sent to: daryn, dhx, giallu, grangeway, jreese, vboctor Not sure if you can see private issues, so adding as monitors. |
|
nginx not affected. This issue only impacts MantisBT operating on web servers which take the request: Look to see if the following file or directory exists: When it doesn't, it strips the URL down to: Which exists, and therefore plugin.php is executed. |
|
We need to get rid of instances of PHP_SELF and force administrators to set the path themselves. I don't see any other way to do this safely, while taking into account the possibility for a HttpRewrite module within a web server translating paths outside of MantisBT's control. I believe the issue is inside config_defaults_inc.php where we set path variables automatically based on PHP_SELF. |
|
Couldn't we simply 'unescape' PHP_SELF when setting the path? I'm not familiar with the matter, but requiring administrators to manually set this configuration path would be a step backwards in usability. |
|
cldrn is Paul Calderon, the original reporter of the bug. |
|
I'm a bit surprised we released 1.2.7 without this security fix, which is real and exploitable on MantisBT.org. I've taken a closer look at the code in config_defaults_inc.php. The usage of $_SERVER['PHP_SELF'] is limited to the calculation of $g_short_path. I would suggest that we escape $_SERVER['PHP_SELF'], and add an upgrade / installation note regarding it. Administrators with special needs can simply set $g_short_path manually in config_inc.php. How does that sound? |
|
Paul has fixed this in the master branch. I have backported the fix to the 1.2.x branch ready for a 1.2.8 release. High-Tech Bridge Security Research Lab has also discovered and reported this issue in 0013281. Thanks Paulino for reporting this issue - and apologies for the delay in resolving the matter. |
|
Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch. |
|
MantisBT: master 57c94485 2011-08-29 06:55 Paul Richards |
Fix issue introduced previously whereby PHP_SELF is now used unchecked. Introduced previously by John attempting to fix symlinks. Since we now use PHP 5.2, we can make use of filter_var. This is a simpler version of what we were trying to do previously, aka http://git.mantisforge.org/w/mantisbt.git?a=commitdiff;h=5ac1fdf32717d0c82cca7e7660dd4fd316a6a1b8. Depending on server/mantis config this can lead to XSS issues. |
Affected Issues 0013191, 0013281 |
|
mod - config_defaults_inc.php |
MantisBT: master-1.2.x d00745f5 2011-08-29 06:55 Paul Richards Committer: dhx |
Fix issue introduced previously whereby PHP_SELF is now used unchecked. Introduced previously by John attempting to fix symlinks. Since we now use PHP 5.2, we can make use of filter_var. This is a simpler version of what we were trying to do previously, aka http://git.mantisforge.org/w/mantisbt.git?a=commitdiff;h=5ac1fdf32717d0c82cca7e7660dd4fd316a6a1b8. Depending on server/mantis config this can lead to XSS issues. David: Backported from master branch and removed unreachable code branch. Signed-off-by: David Hicks <d@hx.id.au> |
Affected Issues 0013191, 0013281 |
|
mod - config_defaults_inc.php |
MantisBT: master-1.2.x e679a1c0 2011-09-05 02:36 |
Fix 0013191: Prevent further XSS issues relating to PHP_SELF. Silvia Alvarez (Debian package manager for MantisBT) has performed additional testing of patch d00745f5e267eba4ca34286d125de685bc3a8034 and discovered that the XSS problems surrounding the use of $_SERVER['PHP_SELF'] have not been fully fixed. The form_action_self() function also used $_SERVER['PHP_SELF'] (retrieving the basename() component of the file name). Callees of this function did not escape this file name prior to printing it in the 'action' attribute of <form> elements. This patch swaps out PHP_SELF for SCRIPT_NAME (much safer as end users have no control over the value) and also applies escaping to the 'action' attribute of relevant <form> elements. Refer to Debian bug report #640297 [1] and discussion on the mantisbt-dev mailing list for further details. Thank you Sils for the detailed analysis of the problem, detailed report, proposed solutions and extensive testing of patches for the latest round of vulnerabilities discovered. [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640297 |
Affected Issues 0013191 |
|
mod - billing_inc.php |
mod - bugnote_stats_inc.php |
mod - core/authentication_api.php |
mod - core/form_api.php |
mod - core/helper_api.php |
mod - manage_config_email_page.php |
mod - manage_config_work_threshold_page.php |
mod - manage_config_workflow_page.php |
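As an added example that is not part of this issue or of MantisBT's own code, the following PHP sketches the approach the commits above describe for a page that posts a form back to itself: the target is derived from SCRIPT_NAME rather than PHP_SELF, validated with filter_var before use, and HTML-escaped when printed into the form's action attribute. The example_ function names and the sample request environments are constructed for illustration, and the choice of FILTER_VALIDATE_REGEXP is this example's assumption, since the commit message says only that filter_var was used.

```php
<?php
// Added example (not MantisBT's own code). Shows the two changes described in
// the commits on this issue for a page that posts a form back to itself:
//   1. derive the script name from $_SERVER['SCRIPT_NAME'], which the web server
//      sets from the resolved script, rather than PHP_SELF, which can carry an
//      extra request path segment on servers that map /page.php/extra to page.php;
//   2. HTML-escape the value before it is printed into the <form action>.
// Function names prefixed example_ are hypothetical; FILTER_VALIDATE_REGEXP is
// this example's choice (the issue says filter_var was used, not which filter).

/**
 * Basename of the currently executing script, for use as a form action.
 * $server is passed in explicitly so the function can be exercised with
 * constructed input; in a real page it would be $_SERVER.
 */
function example_form_action_self(array $server): string
{
    $name = basename($server['SCRIPT_NAME'] ?? '');
    // Defence in depth: accept only a plain PHP file name, otherwise fall back.
    $valid = filter_var($name, FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => '/^[A-Za-z0-9_.-]+\.php$/'],
    ]);
    return $valid === false ? 'index.php' : $valid;
}

/**
 * Directory part of the script URL (what this issue calls the "short path"),
 * again taken from SCRIPT_NAME and validated before use.
 */
function example_short_path(array $server): string
{
    $dir = dirname($server['SCRIPT_NAME'] ?? '/');
    $dir = ($dir === '/' || $dir === '\\' || $dir === '.') ? '/' : rtrim($dir, '/') . '/';
    $valid = filter_var($dir, FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => '#^(/[A-Za-z0-9_.-]+)*/$#'],
    ]);
    return $valid === false ? '/' : $valid;
}

/** Escape a string for a double-quoted HTML attribute value. */
function example_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Opening <form> tag as the patched pages emit it: the action is escaped even
 * though it no longer comes from user-influenced input.
 */
function example_form_open(array $server): string
{
    $action = example_attr(example_form_action_self($server));
    return '<form method="post" action="' . $action . '">';
}

// Constructed sample request environments (not captured from a real server).
// In the second one the request path carries a trailing segment, so PHP_SELF
// differs from SCRIPT_NAME; the helpers above never read PHP_SELF.
$samples = [
    'plain request' => [
        'PHP_SELF'    => '/mantis/manage_config_workflow_page.php',
        'SCRIPT_NAME' => '/mantis/manage_config_workflow_page.php',
    ],
    'request with extra path segment' => [
        'PHP_SELF'    => '/mantis/plugin.php/extra-segment',
        'SCRIPT_NAME' => '/mantis/plugin.php',
    ],
];

foreach ($samples as $label => $server) {
    echo $label, ":\n";
    echo '  short path : ', example_short_path($server), "\n";
    echo '  form tag   : ', example_form_open($server), "\n";
}
```

Run with `php example.php`: both samples yield the same form tag shape, since the helpers read only SCRIPT_NAME, and any value that fails the filter falls back to a fixed default rather than reaching the output. Escaping the action attribute regardless of its source is the part of commit e679a1c0 that keeps the page safe even if a later refactor reintroduces a user-influenced value.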
MantisBT: master 033a5045 2013-09-25 23:57 |
Prevent XSS issues relating to PHP_SELF Selectively porting the security fixes for issue 0013191 from dhx's original commit e679a1c02978ba1b811959dedc358598fc595458, following the reintroduction of the form_action_self() function in master branch to fix issue 0016410. |
Affected Issues 0013191, 0016410 |
|
mod - core/form_api.php |
mod - manage_config_email_page.php |
mod - manage_config_work_threshold_page.php |
mod - manage_config_workflow_page.php |