View Issue Details

IDProjectCategoryView StatusLast Update
0015416mantisbtsecuritypublic2014-09-23 18:05
Reporterdregad Assigned Todregad  
Status closedResolutionfixed 
Product Version1.2.0rc1 
Target Version1.2.14Fixed in Version1.2.14 
Summary0015416: CVE-2013-1934: XSS issue in adm_config_report.php when displaying complex value

Lack of proper string escaping allows users (having admin access) to enter arbitrary javascript code and have it executed on the user's browser.

This vulnerability exists since 1.2.0rc1 (possibly before), but is mitigated by the fact that normally only administrators have access to this page, and so would hopefully know what they are doing when entering values in the system.

Steps To Reproduce
  • go to adm_config_report.php page
  • Add a 'complex' config option like this: <pre>
    array('test <script>alert ("XSS")</script>')
TagsNo tags attached.


related to 0015415 closeddregad CVE-2013-1932: XSS vulnerability on Configuration Report page 
related to 0015721 closedgrangeway Functionality to consider porting to master-2.0.x 




2013-01-23 07:44

developer   ~0034877

master will be patched later when porting of manage-config branch is completed.



2013-04-05 17:56

reporter   ~0036072

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch



2013-04-09 09:19

developer   ~0036555

CVE assigned on 09-Apr-2013 [1]


Related Changesets

MantisBT: master-1.2.x 5858a659

2013-01-23 12:37:56


Details Diff
Fix 0015416: XSS issue in adm_config_report.php

If a 'complex' config option contains javascript code, it would be
executed when displaying the page.
Affected Issues
mod - adm_config_report.php Diff File

MantisBT: master 57f57409

2013-03-08 16:01:17


Details Diff
Make it possible to edit config options in adm_config_report.php

Use CONFIG_TYPE_xxx constants instead of magic strings to define the
type of config value to process.

Added code for FLOAT type which was previously handled through COMPLEX.

Improve handling of INT (and FLOAT) by calling constant_replace(),
allowing user to specify a defined constant instead of a numeric value.

The 'Username', 'Project Name' and 'Configuration Option' fields in the
'Set Configuration Option' form are preset to the corresponding value
from the filter or defaulting to ALL_USERS, ALL_PROJECTS and blank
respectively if the filter is not defined or set to '[any]'. This allows
easier definition of related config, e.g. for a given project or user.

Port of 1.2.x commits
- 8890b218892d56947e6ffe300d0186b1450d0481
- 8b426cfc6c6ea7149beeafb352fa390dbf8c4624
- 5858a659efe12743b4360da11e9320c7f6ac6e82

Fixes 0007586, 0015416
Affected Issues
0007586, 0015416
mod - adm_config_report.php Diff File
mod - adm_config_set.php Diff File
mod - core/constant_inc.php Diff File
mod - core/print_api.php Diff File