View Issue Details

ID: 0015416
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-09-23 18:05
Reporter: dregad
Assigned To: dregad
Status: closed
Resolution: fixed
Product Version: 1.2.0rc1
Target Version: 1.2.14
Fixed in Version: 1.2.14
Summary: 0015416: CVE-2013-1934: XSS issue in adm_config_report.php when displaying complex value

Lack of proper string escaping allows users with admin access to enter arbitrary JavaScript code and have it executed in the browser of the user viewing the page.

This vulnerability has existed since 1.2.0rc1 (possibly before), but is mitigated by the fact that normally only administrators have access to this page, and so would hopefully know what they are doing when entering values in the system.

Steps To Reproduce
  • go to the adm_config_report.php page
  • Add a 'complex' config option like this:
    array('test <script>alert ("XSS")</script>')
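The defect described above, shown as an added PHP illustration that is not MantisBT's own code: a 'complex' config value is an array, and the report page renders its exported PHP form. The function names, the use of var_export() for the rendering and the use of plain htmlspecialchars() for the fix are assumptions made for this stand-alone example; MantisBT has its own string escaping API, and the actual fix is in changeset 5858a659. The sample value is the one from the reproduction steps.

```php
<?php
// Added example (not MantisBT's code). Function names and the rendering
// layout are assumptions; the sample value comes from the issue's
// "Steps To Reproduce".

/**
 * Vulnerable rendering: the exported PHP representation of the complex
 * value is placed inside a <pre> block with no escaping, so any markup in
 * the array's string values reaches the browser as markup.
 */
function render_complex_value_unescaped($p_value) {
    return '<pre>' . var_export($p_value, true) . '</pre>';
}

/**
 * Hardened rendering: the exported text is HTML-escaped before it is
 * placed in the page, so '<', '>' and quotes become entities and cannot
 * open a tag or an attribute. (MantisBT's string_api provides wrappers
 * for this; plain htmlspecialchars() keeps the example self-contained.)
 */
function render_complex_value_escaped($p_value) {
    $t_export = var_export($p_value, true);
    return '<pre>' . htmlspecialchars($t_export, ENT_QUOTES, 'UTF-8') . '</pre>';
}

/**
 * Reviewer's check on rendered output: a config value must never be able
 * to introduce a tag of the given name into the page.
 */
function output_contains_tag($p_html, $p_tag) {
    return stripos($p_html, '<' . $p_tag) !== false;
}

// Constructed input: the value from the issue's reproduction steps.
$t_value = array('test <script>alert ("XSS")</script>');

$t_unsafe = render_complex_value_unescaped($t_value);
$t_safe   = render_complex_value_escaped($t_value);

// The unescaped form still contains a <script tag; the escaped form
// shows the same text but as &lt;script&gt;, which the browser displays
// instead of executing.
echo 'unescaped output contains <script tag: ',
     var_export(output_contains_tag($t_unsafe, 'script'), true), "\n";
echo 'escaped output contains <script tag:   ',
     var_export(output_contains_tag($t_safe, 'script'), true), "\n";
echo $t_safe, "\n";
```

Running the script prints true for the unescaped rendering and false for the escaped one. The point for a reviewer is that var_export() escapes single quotes and backslashes for PHP, not for HTML, so its output is never safe to emit into a page without a separate HTML escaping step at the point of output.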
Tags: No tags attached.


Relationships
related to 0015415 (closed, dregad): CVE-2013-1932: XSS vulnerability on Configuration Report page
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x




Note ~0034877 by dregad (developer), 2013-01-23 07:44

master will be patched later when porting of manage-config branch is completed.



Note ~0036072 by grangeway (reporter), 2013-04-05 17:56

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch



Note ~0036555 by dregad (developer), 2013-04-09 09:19

CVE assigned on 09-Apr-2013 [1]


Related Changesets

MantisBT: master-1.2.x 5858a659 (2013-01-23 12:37:56)

Fix 0015416: XSS issue in adm_config_report.php

If a 'complex' config option contains javascript code, it would be
executed when displaying the page.

Affected Issues: 0015416
Files:
mod - adm_config_report.php

MantisBT: master 57f57409 (2013-03-08 16:01:17)

Make it possible to edit config options in adm_config_report.php

Use CONFIG_TYPE_xxx constants instead of magic strings to define the
type of config value to process.

Added code for FLOAT type which was previously handled through COMPLEX.

Improve handling of INT (and FLOAT) by calling constant_replace(),
allowing user to specify a defined constant instead of a numeric value.

The 'Username', 'Project Name' and 'Configuration Option' fields in the
'Set Configuration Option' form are preset to the corresponding value
from the filter or defaulting to ALL_USERS, ALL_PROJECTS and blank
respectively if the filter is not defined or set to '[any]'. This allows
easier definition of related config, e.g. for a given project or user.

Port of 1.2.x commits
- 8890b218892d56947e6ffe300d0186b1450d0481
- 8b426cfc6c6ea7149beeafb352fa390dbf8c4624
- 5858a659efe12743b4360da11e9320c7f6ac6e82

Fixes 0007586, 0015416
Affected Issues: 0007586, 0015416
Files:
mod - adm_config_report.php
mod - adm_config_set.php
mod - core/constant_inc.php
mod - core/print_api.php

Issue History

Date Modified Username Field Change
2013-01-23 07:29 dregad New Issue
2013-01-23 07:29 dregad Status new => assigned
2013-01-23 07:29 dregad Assigned To => dregad
2013-01-23 07:29 dregad Relationship added related to 0015415
2013-01-23 07:30 dregad View Status public => private
2013-01-23 07:40 dregad Description Updated View Revisions
2013-01-23 07:41 dregad Changeset attached => MantisBT master-1.2.x 5858a659
2013-01-23 07:41 dregad Status assigned => resolved
2013-01-23 07:41 dregad Resolution open => fixed
2013-01-23 07:41 dregad Fixed in Version => 1.2.14
2013-01-23 07:44 dregad Note Added: 0034877
2013-01-23 07:44 dregad View Status private => public
2013-01-29 09:25 dregad Status resolved => closed
2013-03-08 11:05 dregad Changeset attached => MantisBT master 57f57409
2013-03-13 06:17 jayavel Issue cloned: 0015622
2013-04-05 17:56 grangeway Status closed => acknowledged
2013-04-05 17:56 grangeway Note Added: 0036072
2013-04-05 19:47 grangeway Relationship added related to 0015721
2013-04-06 03:38 dregad Status acknowledged => closed
2013-04-06 07:23 grangeway Status closed => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed
2013-04-09 09:19 dregad Note Added: 0036555
2013-04-09 09:19 dregad Summary XSS issue in adm_config_report.php when displaying complex value => CVE-2013-1934: XSS issue in adm_config_report.php when displaying complex value
2014-02-07 03:57 dregad Relationship added related to 0013298
2014-02-07 03:59 dregad Relationship deleted related to 0013298
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check