View Issue Details
| Field | Value |
|---|---|
| ID | 0017583 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2014-08-11 21:13 |
| Last Update | 2014-12-05 18:33 |
| Reporter | muts |
| Assigned To | dregad |
| Priority | normal |
| Severity | major |
| Reproducibility | have not tried |
| Status | closed |
| Resolution | fixed |
| Product Version | 1.2.17 |
| Target Version | 1.2.18 |
| Fixed in Version | 1.2.18 |
| Summary | 0017583: CVE-2014-9270: Stored XSS in Mantis |
| Description | Hi Guys, I had a Mantis vulnerability reported to us via our bug bounty program. A video pertaining to the vulnerability can be seen here: https://www.youtube.com/watch?v=_f7LGJ70KWA&feature=youtu.be |
| Tags | No tags attached. |
| Attached Files | projax_api.php (3,321 bytes) |

Contents of the attached projax_api.php:

```php
<?php
# MantisBT - a php based bugtracking system
# MantisBT is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# MantisBT is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with MantisBT. If not, see <http://www.gnu.org/licenses/>.

/**
 * @package CoreAPI
 * @subpackage ProjaxAPI
 * @copyright Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org
 * @copyright Copyright (C) 2002 - 2014 MantisBT Team - mantisbt-dev@lists.sourceforge.net
 * @link http://www.mantisbt.org
 */

/**
 * requires projax.php
 */
require_once( 'projax' . DIRECTORY_SEPARATOR . 'projax.php' );

# enables the projax library for this page.
$g_enable_projax = true;
$g_projax = new Projax();

/**
 * Outputs an auto-complete field to the HTML form. The supported attribute keys in the attributes array are:
 * class, size, maxlength, value, and tabindex.
 */
function projax_autocomplete( $p_entrypoint, $p_field_name, $p_attributes_array = null ) {
	global $g_projax;
	static $s_projax_style_done = false;

	if( ON == config_get( 'use_javascript' ) ) {
		echo $g_projax->text_field_with_auto_complete(
			$p_field_name,
			$p_attributes_array,
			$s_projax_style_done
				? array( 'url' => 'xmlhttprequest.php?entrypoint=' . $p_entrypoint, 'skip_style' => '1' )
				: array( 'url' => 'xmlhttprequest.php?entrypoint=' . $p_entrypoint )
		);
		$s_projax_style_done = true;
	} else {
		$t_tabindex = isset( $p_attributes_array['tabindex'] ) ? ( ' tabindex="' . $p_attributes_array['tabindex'] . '"' ) : '';
		$t_maxlength = isset( $p_attributes_array['maxlength'] ) ? ( ' maxlength="' . $p_attributes_array['maxlength'] . '"' ) : '';
		$t_size = isset( $p_attributes_array['size'] ) ? $p_attributes_array['size'] : 30;
		$t_value = isset( $p_attributes_array['value'] ) ? $p_attributes_array['value'] : '';
		$t_class = isset( $p_attributes_array['class'] ) ? 'class = "' . $p_attributes_array['class'] . '" ' : '';
		echo '<input id="' . $p_field_name . '" name="' . $p_field_name . '"' . $t_tabindex . $t_maxlength
			. ' size="' . $t_size . '" type="text" value="' . $t_value . '" ' . $t_class . '/>';
	}
}

/**
 * Filters the provided array of strings and only returns the ones that start with $p_prefix.
 * The comparison is not case sensitive.
 * Returns the array of the filtered strings, or an empty array. If the input array has non-unique
 * entries, then the output one may contain duplicates.
 */
function projax_array_filter_by_prefix( $p_array, $p_prefix ) {
	$t_matches = array();
	foreach( $p_array as $t_entry ) {
		if( utf8_strtolower( utf8_substr( $t_entry, 0, utf8_strlen( $p_prefix ) ) ) == utf8_strtolower( $p_prefix ) ) {
			$t_matches[] = $t_entry;
		}
	}
	return $t_matches;
}

/**
 * Serializes the provided array of strings into the format expected by the auto-complete library.
 */
function projax_array_serialize_for_autocomplete( $p_array ) {
	$t_matches = '<ul>';
	foreach( $p_array as $t_entry ) {
		# each entry is escaped before being placed in the markup (the proposed fix for this issue)
		$t_matches .= "<li>" . string_attribute( $t_entry ) . "</li>";
	}
	$t_matches .= '</ul>';
	return $t_matches;
}
```
Notes

I have no time at the moment to have a deeper look at it. Are you sure you are running 1.2.17?

master seems to escape it fine, and from what I can tell, the same code is in 1.2.17:

```html
<option value="">(select)</option><option value="2">"><img src=x onerror=prompt(1);> "><img src=x onerror=prompt(1);> "><img src=x one</option><option value="1">moo moo moo</option> </select>
```

and pasting `&quot;` obviously becomes `"`, so that was a waste of time :)

Yes, I am running 1.2.17 for sure.

Was just chatting to muts on IRC. This is a 1.2.x bug only, which was 'fixed' in master, I believe, when we replaced projax with the following commit: https://github.com/mantisbt/mantisbt/commit/b77ea9cd2333f1549eea03f020da574747a2a855

The fix for this for 1.2 may be in projax_api.php (https://github.com/mantisbt/mantisbt/blob/master-1.2.x/core/projax_api.php): take line 73, which reads `$t_matches .= `, and add a `string_attribute` or similar around `$t_entry`.

Attached projax_api.php with proposed change. Works fine at first sight.
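As an added example (not the attached file and not MantisBT's own code), the serializer from projax_api.php before and after the change proposed in the notes above, run on a constructed Platform value shaped like the markup in this report. string_attribute() is MantisBT's helper; here it is approximated with htmlspecialchars(), which is an assumption about its behaviour, not the project's implementation.

```php
<?php
// Added example, not MantisBT code. string_attribute() is approximated with
// htmlspecialchars(); this is an assumption about what the helper does.
function string_attribute_approx( $p_string ) {
	return htmlspecialchars( $p_string, ENT_QUOTES, 'UTF-8' );
}

// 1.2.17 behaviour: each stored entry is concatenated into the markup untouched,
// so a Platform value containing markup reaches the browser as markup.
function serialize_vulnerable( $p_array ) {
	$t_out = '<ul>';
	foreach( $p_array as $t_entry ) {
		$t_out .= '<li>' . $t_entry . '</li>';
	}
	return $t_out . '</ul>';
}

// Behaviour with the proposed fix: each entry is escaped before insertion,
// so it can only ever be rendered as text inside its <li>.
function serialize_fixed( $p_array ) {
	$t_out = '<ul>';
	foreach( $p_array as $t_entry ) {
		$t_out .= '<li>' . string_attribute_approx( $t_entry ) . '</li>';
	}
	return $t_out . '</ul>';
}

// Regression check: true when the only tags in the output are the <ul>/<li>
// wrapper, i.e. no '<' survives from the entries themselves.
function only_list_markup( $p_html ) {
	return preg_match( '#<(?!/?(ul|li)>)#', $p_html ) === 0;
}

// Constructed sample: a normal platform plus a stored value carrying the
// markup from this report.
$t_platforms = array( 'Linux', '"><img src=x onerror=prompt(1)>' );

foreach( array( 'vulnerable' => serialize_vulnerable( $t_platforms ),
                'fixed'      => serialize_fixed( $t_platforms ) ) as $t_label => $t_html ) {
	echo $t_label, ': ', $t_html, "\n";
	echo '  only <ul>/<li> markup present: ', only_list_markup( $t_html ) ? 'yes' : 'no', "\n";
}
```

The check in only_list_markup() is the kind of assertion worth keeping in a test for this function, since the fix is a single missing escape that a later refactor could just as easily drop again.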
Closed by mistake

CVE request sent: http://thread.gmane.org/gmane.comp.security.oss.general/14956
MantisBT: master-1.2.x 0bff06ec 2014-10-30 14:04, Paul Richards (committer: dregad)

Fix 0017583: XSS in projax_api.php

Offensive Security reported this issue via their bug bounty program [1]. The Projax library does not properly escape html strings. An attacker could take advantage of this to perform an XSS attack using the profile/Platform field.

[1] http://www.offensive-security.com/bug-bounty-program/

Signed-off-by: Damien Regad <dregad@mantisbt.org>

Affected Issues: 0017583

mod - core/projax_api.php