View Issue Details
| Field | Value |
|---|---|
| ID | 0015416 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2013-01-23 07:29 |
| Last Update | 2014-09-23 18:05 |
| Reporter | dregad |
| Assigned To | dregad |
| Priority | high |
| Severity | major |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Product Version | 1.2.0rc1 |
| Target Version | 1.2.14 |
| Fixed in Version | 1.2.14 |
| Summary | 0015416: CVE-2013-1934: XSS issue in adm_config_report.php when displaying complex value |
| Description | Lack of proper output escaping allows users with admin access to enter arbitrary JavaScript code and have it executed in the user's browser. This vulnerability has existed since 1.2.0rc1 (possibly earlier), but is mitigated by the fact that normally only administrators have access to this page, and so would hopefully know what they are doing when entering values in the system. |
| Steps To Reproduce | |
| Tags | No tags attached. |
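The escaping defect the description refers to, shown as an added PHP illustration that is not MantisBT's own code: a "complex" config value (an array) is rendered with var_export() into an admin report page. The vulnerable function prints that text straight into the HTML, so any markup stored in the value is interpreted by the browser; the hardened function passes it through htmlspecialchars() first. The function names and the sample value are hypothetical and constructed for this example.

```php
<?php
// Added illustration (not MantisBT's code). Both functions render a "complex"
// (array) config value for display inside an HTML page.

function render_value_vulnerable( $p_value ) {
	// var_export() produces a readable PHP literal, but characters such as
	// "<" and "&" inside the stored value reach the browser unchanged, so any
	// markup an administrator typed into the value is rendered as live HTML.
	return '<pre>' . var_export( $p_value, true ) . '</pre>';
}

function render_value_hardened( $p_value ) {
	// Escape for the HTML text context right before output. ENT_QUOTES also
	// covers single and double quotes; the charset must match the page encoding.
	$t_text = var_export( $p_value, true );
	return '<pre>' . htmlspecialchars( $t_text, ENT_QUOTES, 'UTF-8' ) . '</pre>';
}

// Constructed sample value: an array that contains markup, which a report page
// should show literally rather than interpret.
$t_sample = array(
	'label' => '<b>bold</b>',
	'note'  => 'Fish & Chips',
);

// The first line hands the markup to the browser as-is; the second encodes the
// special characters so the browser displays them as text.
echo render_value_vulnerable( $t_sample ), "\n";
echo render_value_hardened( $t_sample ), "\n";
```

The fix pattern is the same whatever the value type: escape once, at the point where a string is written into HTML, rather than trusting that the source of the data (here, an administrator) will never enter anything harmful.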
master will be patched later when porting of manage-config branch is completed.

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.

CVE assigned on 09-Apr-2013 [1]

[1] http://article.gmane.org/gmane.comp.security.oss.general/9901
MantisBT: master-1.2.x 5858a659 2013-01-23 07:37

Fix 0015416: XSS issue in adm_config_report.php

If a 'complex' config option contains javascript code, it would be executed when displaying the page.

Affected Issues: 0015416

mod - adm_config_report.php

MantisBT: master 57f57409 2013-03-08 11:01

Make it possible to edit config options in adm_config_report.php

Use CONFIG_TYPE_xxx constants instead of magic strings to define the type of config value to process. Added code for FLOAT type which was previously handled through COMPLEX. Improve handling of INT (and FLOAT) by calling constant_replace(), allowing user to specify a defined constant instead of a numeric value.

The 'Username', 'Project Name' and 'Configuration Option' fields in the 'Set Configuration Option' form are preset to the corresponding value from the filter or defaulting to ALL_USERS, ALL_PROJECTS and blank respectively if the filter is not defined or set to '[any]'. This allows easier definition of related config, e.g. for a given project or user.

Port of 1.2.x commits
- 8890b218892d56947e6ffe300d0186b1450d0481
- 8b426cfc6c6ea7149beeafb352fa390dbf8c4624
- 5858a659efe12743b4360da11e9320c7f6ac6e82

Fixes 0007586, 0015416

Affected Issues: 0007586, 0015416

mod - adm_config_report.php
mod - adm_config_set.php
mod - core/constant_inc.php
mod - core/print_api.php