View Issue Details
| Field | Value |
|---|---|
| ID | 0022497 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2017-03-08 04:21 |
| Last Update | 2017-03-30 02:33 |
| Reporter | elandais |
| Assigned To | dregad |
| Priority | normal |
| Severity | major |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Product Version | 2.1.0 |
| Target Version | 2.2.1 |
| Fixed in Version | 2.2.1 |
| Summary | 0022497: CVE-2017-6799: XSS in view_filters_page.php |
| Description | Cross-Site Scripting Vulnerability in the 'view_filters_page.php' page. The 'view_type' parameter of /view_filters_page.php in MantisBT is vulnerable to a cross-site scripting vulnerability when JavaScript is supplied via a GET or POST request. The exploitation example below uses the "alert()" JavaScript function to display the word "XSS". |
| Steps To Reproduce | REQUEST : GET /view_filters_page.php?view_type=closev2lx8%22%3E%3Cscript%3Ealert%28%22Test%20SLCC%22%29%3C%2fscript%3Eyrcxai8ja1g Parameters : |
| Tags | No tags attached. |
| Attached Files | |
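The report above boils down to a single unescaped echo into an HTML attribute: a double quote in the parameter closes the `value="..."` attribute, a `>` closes the tag, and whatever follows is parsed as markup. The following PHP is an added example written for this page, not MantisBT's code; it places the vulnerable rendering next to the two defences that apply here (output escaping, which is what MantisBT's string_attribute() provides, and allow-list normalisation, which is the approach the attached patch takes). The allow-list values, the function names and the sample input are assumptions for illustration.

```php
<?php
// Added example, not MantisBT code. Names below are illustrative assumptions.

// Constructed input of the kind described in the report: the quote ends the
// attribute value, '>' ends the <input> tag, and the rest becomes markup.
$constructed_input = 'closev2lx8"><script>alert("Test SLCC")</script>yrcxai8ja1g';

// 1. Vulnerable: the untrusted parameter is reflected verbatim into an attribute.
function render_hidden_vulnerable( $p_view_type ) {
	return '<input type="hidden" name="view_type" value="' . $p_view_type . '" />';
}

// 2. Hardened by output escaping: quotes and angle brackets are HTML-encoded so
//    the browser keeps them inside the attribute. MantisBT's string_attribute()
//    fills this role; plain htmlspecialchars() keeps this file stand-alone.
function render_hidden_escaped( $p_view_type ) {
	$t_safe = htmlspecialchars( $p_view_type, ENT_QUOTES, 'UTF-8' );
	return '<input type="hidden" name="view_type" value="' . $t_safe . '" />';
}

// 3. Hardened by normalisation (the patch's approach): only a fixed set of view
//    types is ever emitted, anything else falls back to a default. The set used
//    here is an assumption for the example.
function normalize_view_type( $p_view_type ) {
	$t_allowed = array( 'simple', 'advanced' );
	return in_array( $p_view_type, $t_allowed, true ) ? $p_view_type : 'simple';
}

function render_hidden_normalized( $p_view_type ) {
	$t_value = normalize_view_type( $p_view_type );
	return '<input type="hidden" name="view_type" value="' . $t_value . '" />';
}

// Simple detection helper for logs or request parameters: a quote immediately
// followed by '>' never appears in a legitimate view_type value.
function looks_like_attribute_breakout( $p_value ) {
	return (bool) preg_match( '/["\']\s*>/', $p_value );
}

// Side-by-side demonstration on the constructed input.
echo "vulnerable : " . render_hidden_vulnerable( $constructed_input ) . "\n";
echo "escaped    : " . render_hidden_escaped( $constructed_input ) . "\n";
echo "normalized : " . render_hidden_normalized( $constructed_input ) . "\n";
echo "breakout?  : " . ( looks_like_attribute_breakout( $constructed_input ) ? 'yes' : 'no' ) . "\n";
```

Running this shows the vulnerable line emitting a live `<script>` element, the escaped line emitting `&quot;&gt;&lt;script&gt;...` inside the attribute, and the normalised line emitting the default `simple`. The two defences are complementary: normalisation guarantees the value is one the application expects, escaping guarantees that even an unexpected value cannot change the HTML structure, and keeping both means a later refactor of one layer does not reopen the hole.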
@elandais, thanks for helping in enhancing MantisBT security. Please set

This issue is present since 1.0.0 (MantisBT master bf18ac3d)

Actually taking back what I just said - this was in fact introduced in MantisBT master 46fddbcb (2.1.0) when that line which guaranteed that the variable could only contain controlled text was removed as part of refactoring the filter API. Fixing the XSS is quite straightforward (adding a string_attribute() call prior to displaying $f_view_type), but before I do that, @cproensa I would appreciate your feedback, maybe outputting

@dregad

Thanks for the feedback @cproensa. Patch is attached. 0001-Fix-XSS-in-view_filters_page.php.patch (1,084 bytes)
From f8674d34d36aff25e0ab050e5114170255e40fd3 Mon Sep 17 00:00:00 2001 From: Damien Regad <dregad@mantisbt.org> Date: Fri, 10 Mar 2017 00:24:51 +0100 Subject: [PATCH] Fix XSS in view_filters_page.php The value of the view_type parameter was not sanitized before being displayed as a hidden input. This vulnerability was reported by Etienne Landais. Fixes #22497 --- view_filters_page.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/view_filters_page.php b/view_filters_page.php index bccf4b0..5d80768 100644 --- a/view_filters_page.php +++ b/view_filters_page.php @@ -105,7 +105,7 @@ $t_filter = filter_ensure_valid_filter( $t_filter ); <?php # CSRF protection not required here - form does not result in modifications ?> <input type="hidden" name="type" value="1" /> - <input type="hidden" name="view_type" value="<?php echo $f_view_type; ?>" /> + <input type="hidden" name="view_type" value="<?php echo $t_filter['_view_type']; ?>" /> <?php if( $f_for_screen == false ) { print '<input type="hidden" name="print" value="1" />'; -- 1.9.1 |
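Review bot: the replaced line now depends on filter_ensure_valid_filter() (visible as context at the top of the hunk) to keep $t_filter['_view_type'] within a controlled set of values, instead of escaping at the point of output; a reader of this one line cannot see that guarantee, and the earlier comment in this issue records that the same guarantee was lost once already when the filter API was refactored in 46fddbcb. A short comment on the new line stating that `_view_type` has been validated, or wrapping the echo in string_attribute() as the comment above originally proposed, would make the fix self-documenting and keep a future change to the filter code from silently reopening the attribute-breakout. Worth a quick check in the same file that $f_view_type, no longer used on this line, is not still echoed elsewhere.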

CVE Request 304594 for CVE ID Request sent

MantisBT: master-2.2 16772514 2017-03-09 13:24
Fix XSS in view_filters_page.php The value of the view_type parameter was not sanitized before being displayed as a hidden input. This vulnerability was reported by Etienne Landais. Fixes 0022497
Affected Issues 0022497
mod - view_filters_page.php

MantisBT: master-2.1 f2f85619 2017-03-09 13:24
Fix XSS in view_filters_page.php The value of the view_type parameter was not sanitized before being displayed as a hidden input. This vulnerability was reported by Etienne Landais. Fixes 0022497
Affected Issues 0022497
mod - view_filters_page.php