View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
0017583 | mantisbt | security | public | 2014-08-11 21:13 | 2014-12-05 18:33

Reporter | muts | Assigned To | dregad
Priority | normal | Severity | major | Reproducibility | have not tried
Status | closed | Resolution | fixed
Product Version | 1.2.17
Target Version | 1.2.18 | Fixed in Version | 1.2.18
Summary | 0017583: CVE-2014-9270: Stored XSS in Mantis
Description | Hi Guys, I had a Mantis vulnerability reported to us via our bug bounty program. A video pertaining to the vulnerability can be seen here: https://www.youtube.com/watch?v=_f7LGJ70KWA&feature=youtu.be
Tags | No tags attached.
Attached Files | projax_api.php (3,321 bytes)

```php
<?php
# MantisBT - a php based bugtracking system

# MantisBT is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# MantisBT is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with MantisBT.  If not, see <http://www.gnu.org/licenses/>.

/**
 * @package CoreAPI
 * @subpackage ProjaxAPI
 * @copyright Copyright (C) 2000 - 2002  Kenzaburo Ito - kenito@300baud.org
 * @copyright Copyright (C) 2002 - 2014  MantisBT Team - mantisbt-dev@lists.sourceforge.net
 * @link http://www.mantisbt.org
 */

/**
 * requires projax.php
 */
require_once( 'projax' . DIRECTORY_SEPARATOR . 'projax.php' );

# enables the projax library for this page.
$g_enable_projax = true;

$g_projax = new Projax();

# Outputs an auto-complete field to the HTML form.  The supported attribute keys in the attributes array are:
# class, size, maxlength, value, and tabindex.
# Note: in the non-JavaScript branch the attribute values are interpolated into the <input> tag
# exactly as supplied, so callers must pass already-escaped values.
function projax_autocomplete( $p_entrypoint, $p_field_name, $p_attributes_array = null ) {
	global $g_projax;
	static $s_projax_style_done = false;

	if ( ON == config_get( 'use_javascript' ) ) {
		echo $g_projax->text_field_with_auto_complete( $p_field_name, $p_attributes_array, $s_projax_style_done ? array( 'url' => 'xmlhttprequest.php?entrypoint=' . $p_entrypoint, 'skip_style' => '1' ) : array( 'url' => 'xmlhttprequest.php?entrypoint=' . $p_entrypoint ) );
		$s_projax_style_done = true;
	} else {
		$t_tabindex = isset( $p_attributes_array['tabindex'] ) ? ( ' tabindex="' . $p_attributes_array['tabindex'] . '"' ) : '';
		$t_maxlength = isset( $p_attributes_array['maxlength'] ) ? ( ' maxlength="' . $p_attributes_array['maxlength'] . '"' ) : '';
		echo '<input id="' . $p_field_name . '" name="' . $p_field_name . '"' . $t_tabindex . $t_maxlength . ' size="' . ( isset( $p_attributes_array['size'] ) ? $p_attributes_array['size'] : 30 ) . '" type="text" value="' . ( isset( $p_attributes_array['value'] ) ? $p_attributes_array['value'] : '' ) . '" ' . ( isset( $p_attributes_array['class'] ) ? 'class = "' . $p_attributes_array['class'] . '" ' : '' ) . '/>';
	}
}

# Filters the provided array of strings and only returns the ones that start with $p_prefix.
# The comparison is not case sensitive.
# Returns the array of the filtered strings, or an empty array.  If the input array has non-unique
# entries, then the output one may contain duplicates.
function projax_array_filter_by_prefix( $p_array, $p_prefix ) {
	$t_matches = array();

	foreach( $p_array as $t_entry ) {
		if( utf8_strtolower( utf8_substr( $t_entry, 0, utf8_strlen( $p_prefix ) ) ) == utf8_strtolower( $p_prefix ) ) {
			$t_matches[] = $t_entry;
		}
	}

	return $t_matches;
}

# Serializes the provided array of strings into the format expected by the auto-complete library.
# The string_attribute() call around each entry is the change proposed for this issue: entries are
# escaped before being wrapped in <li>, so markup stored in a field (e.g. a profile's Platform)
# is returned as text rather than as live HTML.
function projax_array_serialize_for_autocomplete( $p_array ) {
	$t_matches = '<ul>';

	foreach( $p_array as $t_entry ) {
		$t_matches .= "<li>" . string_attribute( $t_entry ) . "</li>";
	}

	$t_matches .= '</ul>';

	return $t_matches;
}
```
I have no time at the moment to have a deeper look at it. Are you sure you are running 1.2.17?

master seems to escape it fine, and from what I can tell, the same code is in 1.2.17:
<option value="">(select)</option><option value="2">"><img src=x onerror=prompt(1);> "><img src=x onerror=prompt(1);> "><img src=x one</option><option value="1">moo moo moo</option> </select>

and pasting `&quot;` obviously becomes " so that was a waste of time :)

Yes, I am running 1.2.17 for sure.

Was just chatting to muts on IRC. This is a 1.2.x bug only, which was 'fixed' in master, I believe, when we replaced projax with the following commit: https://github.com/mantisbt/mantisbt/commit/b77ea9cd2333f1549eea03f020da574747a2a855

The fix for this for 1.2 may be in projax_api.php (https://github.com/mantisbt/mantisbt/blob/master-1.2.x/core/projax_api.php): take line 73, which reads: $t_matches .= " and add a string_attribute or similar around $t_entry.

Attached projax_api.php with proposed change. Works fine at first sight.

Closed by mistake.

CVE request sent: http://thread.gmane.org/gmane.comp.security.oss.general/14956
|
MantisBT: master-1.2.x 0bff06ec 2014-10-30 14:04 Paul Richards Committer: dregad
Fix 0017583: XSS in projax_api.php Offensive Security reported this issue via their bug bounty program [1]. The Projax library does not properly escape html strings. An attacker could take advantage of this to perform an XSS attack using the profile/Platform field. [1] http://www.offensive-security.com/bug-bounty-program/ Signed-off-by: Damien Regad <dregad@mantisbt.org>
Affected Issues 0017583

mod - core/projax_api.php
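The pre-fix 1.2.x serializer next to the escaped one from the attached projax_api.php, run over constructed Platform values, as an added example that is not MantisBT's own code. The helper names here are assumptions: `string_attribute_stub()` stands in for MantisBT's string_attribute() and is approximated with htmlspecialchars() in ENT_COMPAT mode; `filter_by_prefix()` mirrors projax_array_filter_by_prefix() using PHP's mb_* functions instead of the project's utf8_* helpers; `has_injected_tag()` is a check written for this example. The sample Platform values are constructed; the payload is the one from this thread, prefixed with a common platform name because the autocomplete only returns entries that match what the victim has typed so far, which is what a stored payload needs in order to be delivered.

```php
<?php
// Added example, not MantisBT code: the unescaped 1.2.x autocomplete
// serializer beside the escaped one from the attached fix, run over
// constructed Platform values to show what each returns to the browser.

// Assumption: MantisBT's string_attribute() is approximated with
// htmlspecialchars() in ENT_COMPAT mode (escapes &, <, > and double quotes).
function string_attribute_stub( $p_string ) {
	return htmlspecialchars( $p_string, ENT_COMPAT, 'UTF-8' );
}

// Pre-fix behaviour described in the thread: each entry is dropped into
// the <li> verbatim, so stored markup becomes live markup in the response.
function serialize_vulnerable( array $p_array ) {
	$t_matches = '<ul>';
	foreach( $p_array as $t_entry ) {
		$t_matches .= "<li>$t_entry</li>";
	}
	return $t_matches . '</ul>';
}

// Behaviour of the attached fix: entries are escaped at output time.
function serialize_fixed( array $p_array ) {
	$t_matches = '<ul>';
	foreach( $p_array as $t_entry ) {
		$t_matches .= '<li>' . string_attribute_stub( $t_entry ) . '</li>';
	}
	return $t_matches . '</ul>';
}

// Same case-insensitive prefix match as projax_array_filter_by_prefix(),
// written with mb_* so the example needs no MantisBT utf8_* helpers.
function filter_by_prefix( array $p_array, $p_prefix ) {
	$t_len = mb_strlen( $p_prefix, 'UTF-8' );
	$t_prefix = mb_strtolower( $p_prefix, 'UTF-8' );
	$t_matches = array();
	foreach( $p_array as $t_entry ) {
		if( mb_strtolower( mb_substr( $t_entry, 0, $t_len, 'UTF-8' ), 'UTF-8' ) === $t_prefix ) {
			$t_matches[] = $t_entry;
		}
	}
	return $t_matches;
}

// True when the response contains any tag other than the <ul>/<li> wrapper,
// i.e. when stored data has turned into markup.
function has_injected_tag( $p_html ) {
	return preg_match( '#<(?!/?(ul|li)>)#i', $p_html ) === 1;
}

// Constructed sample data: values as they would sit in the profile's
// Platform field. The payload is prefixed with "Windows" so that a victim
// typing "win" in the autocomplete field receives it.
$t_platforms = array(
	'Windows "><img src=x onerror=prompt(1);>',
	'Windows 7',
	'windows 8.1',
	'Linux x86_64',
);

foreach( array( 'win', 'lin' ) as $t_typed ) {
	$t_hits = filter_by_prefix( $t_platforms, $t_typed );
	$t_vuln = serialize_vulnerable( $t_hits );
	$t_safe = serialize_fixed( $t_hits );
	printf( "prefix '%s': %d match(es)\n", $t_typed, count( $t_hits ) );
	printf( "  vulnerable: %s\n  injected tag: %s\n", $t_vuln, has_injected_tag( $t_vuln ) ? 'yes' : 'no' );
	printf( "  fixed:      %s\n  injected tag: %s\n", $t_safe, has_injected_tag( $t_safe ) ? 'yes' : 'no' );
}
```

Run it with the php command-line interpreter. Two caveats follow from the code: the fix escapes at output only, so the payload is still stored raw and every other place that renders the Platform field (such as the <option> list quoted earlier in this thread) must escape independently; and an ENT_COMPAT-style escape leaves single quotes alone, which is adequate for element text such as the <li> body but would not be for a value placed inside a single-quoted attribute.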