0015384: CVE-2013-1810 XSS vulnerability on summary page - MantisBT - Signup temporarily disabled due to spam

ID	Project	Category	View Status	Date Submitted	Last Update

0015384	mantisbt	security	public	2013-01-18 15:24	2014-09-23 18:05

Reporter	atrol	Assigned To	dhx
Priority	urgent	Severity	major	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	1.2.12
Target Version	1.2.13	Fixed in Version	1.2.13

Summary	0015384: CVE-2013-1810 XSS vulnerability on summary page
Description	Script is executed when viewing summary page and having a category with scripting code This has been introduced by a commit to resolve 0014677 I will attach a patch. Please have a look at it and feel free to enhance and to commit it.
Steps To Reproduce	Create a category <script>alert ("XSS")</script> View "Summary" page
Tags	No tags attached.
Attached Files	fix15384.patch (1,858 bytes) From 353c8741a797f56f1ae7df078b1dd7ceac49713e Mon Sep 17 00:00:00 2001 From: Roland Becker <roland@atrol.de> Date: Fri, 18 Jan 2013 21:24:13 +0100 Subject: [PATCH] Fix #15384 XSS vulnerability on summary page --- core/summary_api.php \| 9 ++++++--- 1 files changed, 6 insertions(+), 3 deletions(-) diff --git a/core/summary_api.php b/core/summary_api.php index abdbbc4..638cabf 100644 --- a/core/summary_api.php +++ b/core/summary_api.php @@ -27,7 +27,10 @@ */ require_once( $g_absolute_path . 'config_filter_defaults_inc.php' ); -function summary_helper_print_row( $p_label, $p_open, $p_resolved, $p_closed, $p_total ) { +function summary_helper_print_row( $p_label, $p_open, $p_resolved, $p_closed, $p_total, $p_sanitize_label = true ) { + if ( $p_sanitize_label ) { + $p_label = string_display_line ( $p_label ); + } printf( '<tr %s>', helper_alternate_class() ); printf( '<td width="50%%">%s</td>', $p_label ); printf( '<td width="12%%" class="right">%s</td>', $p_open ); @@ -464,7 +467,7 @@ function summary_print_by_developer() { $t_bugs_total = $t_bug_link . '&' . FILTER_PROPERTY_HIDE_STATUS_ID . '=">' . $t_bugs_total . '</a>'; } - summary_helper_print_row( $t_user, $t_bugs_open, $t_bugs_resolved, $t_bugs_closed, $t_bugs_total ); + summary_helper_print_row( $t_user, $t_bugs_open, $t_bugs_resolved, $t_bugs_closed, $t_bugs_total, false ); $t_bugs_open = 0; $t_bugs_resolved = 0; @@ -501,7 +504,7 @@ function summary_print_by_developer() { $t_bugs_total = $t_bug_link . '&' . FILTER_PROPERTY_HIDE_STATUS_ID . '=">' . $t_bugs_total . '</a>'; } - summary_helper_print_row( $t_user, $t_bugs_open, $t_bugs_resolved, $t_bugs_closed, $t_bugs_total ); + summary_helper_print_row( $t_user, $t_bugs_open, $t_bugs_resolved, $t_bugs_closed, $t_bugs_total, false ); } } -- 1.7.7.1.msysgit.0 fix15384.patch (1,858 bytes)

atrol 2013-01-18 15:28 developer ~0034817	Reminder sent to: dhx, rombert Please have a look at the attached patch.

rombert 2013-01-18 15:38 reporter ~0034819	Confirmed, this is another XSS I introduced :\| Overall the fix looks good to me since usernames are not allowed to have special characters therefore there is no XSS risk in allowing special chars in there. Of course, being the guilty party I'll let others judge if this is enough/a proper fix.

atrol 2013-01-18 15:56 developer ~0034820	I see no problem, even if usernames do contain special chars function summary_helper_get_developer_label does the sanitizing job if summary_helper_print_row is called with $p_sanitize_label = false $t_user = string_display_line( user_get_name( $p_user_id ) ); I don't like my fix that much as this is not a good readable/maintainable code. At least it does the job to fix the XSS issue without loosing the new functionality that you introduced. I don't have enough time at the moment to provide a better patch with cleaner code. It's your decision to commit it as it is or to take some time for a small rewrite.

dhx 2013-01-18 18:05 reporter ~0034821	Thanks Roland. I've applied a patch that doesn't introduce any new parameters to the summary_helper_print_row function (it'd be messy to do so). master branch is unaffected by this issue as it already had correct escaping of all data being fed into the summary_helper_print_row function. Both branches should now be in line w.r.t. escaping input into summary_helper_print_row.

dhx 2013-03-03 00:41 reporter ~0035362	This was assigned the CVE identifier CVE-2013-1810 on the oss-security mailing list on March 3rd, 2013.

grangeway 2013-04-05 17:56 reporter ~0036085	Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

MantisBT: master-1.2.x 7df30a9e 2013-01-18 17:49 dhx Details Diff	Fix 0015384: summary.php XSS vulnerability in MantisBT 1.2.12 only Roland Becker (MantisBT Developer) discovered a XSS vulnerability introduced in MantisBT 1.2.12 with the display of category/project names on the summary.php page. A malicious MantisBT user holding privileged manager/administrator permissions could create a category or project name that contains JavaScript code. Any user visiting summary.php from that point on may then be exposed to having the malicious JavaScript execute within their browser environment. The severity of this issue is limited by the need to hold privileged manager/administrator permissions in order to modify category and project names. However -- there are many use cases where MantisBT installations can have hundreds of sub-projects, each managed by different people/parties that can not or should not be fully trusted. Refer to previous commits 3ca8a164 and 6ec3f693 to trace back the origin of this vulnerability.		Affected Issues 0015384
	mod - core/summary_api.php		Diff File