View Issue Details
Field | Value |
---|---|
ID | 0022568 |
Project | mantisbt |
Category | security |
View Status | public |
Date Submitted | 2017-03-22 16:42 |
Last Update | 2017-04-01 00:13 |
Reporter | YelinAndZhangdongsheng |
Assigned To | dregad |
Priority | normal |
Severity | major |
Reproducibility | always |
Status | closed |
Resolution | fixed |
Product Version | 1.3.0-beta.1 |
Target Version | 1.3.9 |
Fixed in Version | 1.3.9 |
Summary | 0022568: CVE-2017-7241: XSS in move_attachments_page.php |
Description | Cross-Site Scripting Vulnerability in 'move_attachments_page.php' page. The admin/move_attachments_page.php page 'type' parameter in MantisBT is vulnerable to a cross-site scripting vulnerability when JavaScript is supplied via a GET or POST request. The exploitation example below uses the "alert()" JavaScript function to display the word "XSS". |
Steps To Reproduce | Install the latest MantisBT with all default settings. Log in as administrator. Unexpected result: |
Additional Information | You are highly appreciated to confirm and log a CVE for this issue. |
Tags | No tags attached. |
Attached Files | |
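To make the attribute-context problem from the description concrete, here is an added example (not MantisBT's own code, nor the reporter's) that renders the hidden `type` field with and without escaping and parses the markup back with `DOMDocument` to check whether the request value stayed inside its attribute. It assumes ext/dom is available and that MantisBT's `string_attribute()` is equivalent to `htmlspecialchars()` with `ENT_QUOTES` for this purpose.

```php
<?php
// Added example, not code from MantisBT or from the reporter. It renders the
// hidden 'type' field from admin/move_attachments_page.php with and without
// attribute escaping, then parses the markup back to see whether the request
// value stayed inside its attribute. Assumption: MantisBT's string_attribute()
// is equivalent to htmlspecialchars() with ENT_QUOTES for this purpose.

function render_hidden_type(string $type, bool $escape): string
{
    $value = $escape ? htmlspecialchars($type, ENT_QUOTES, 'UTF-8') : $type;
    return '<input name="type" type="hidden" value="' . $value . '" />'
        . '<input type="submit" value="Move Attachments" />';
}

// Parse the fragment (ext/dom) and return each <input>'s attributes keyed by
// its name attribute, i.e. what a browser would actually see and submit.
function parse_inputs(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $inputs = [];
    foreach ($doc->getElementsByTagName('input') as $input) {
        $attrs = [];
        foreach ($input->attributes as $attr) {
            $attrs[$attr->name] = $attr->value;
        }
        $inputs[$input->getAttribute('name')] = $attrs;
    }
    return $inputs;
}

// The reflected value round-trips only if the parser hands back exactly the
// string that came in and no extra attribute appeared on the element.
function type_round_trips(string $type, bool $escape): bool
{
    $field = parse_inputs(render_hidden_type($type, $escape))['type'] ?? [];
    return ($field['value'] ?? null) === $type
        && array_keys($field) === ['name', 'type', 'value'];
}

// Constructed request value: the double quote closes the attribute and the
// remainder becomes a new attribute unless the quote is encoded as &quot;.
$f_file_type = 'text/plain" title="injected';

var_dump(type_round_trips($f_file_type, false)); // raw echo, as before the patch
var_dump(type_round_trips($f_file_type, true));  // escaped, as after the patch
```

The same round-trip check works for any reflected attribute value, so it is a cheap regression test to keep next to pages that echo request parameters into form fields.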
Issue introduced in 1.3.0-beta.1 MantisBT master 8b29d42b. Edit: actually, first affected version is 1.2.16 MantisBT master-1.2.x 6da8b234

CVE Request 310067
@YelinAndZhangdongsheng please find attached a patch that I believe will address the issue, and kindly confirm that it does for you as well. 0001-Fix-XSS-in-move_attachments_page.php.patch (1,225 bytes)
From 2b9c1ad16c063ec97a298b877631b75d8a6d5922 Mon Sep 17 00:00:00 2001 From: Damien Regad <dregad@mantisbt.org> Date: Fri, 24 Mar 2017 17:02:07 +0100 Subject: [PATCH] Fix XSS in move_attachments_page.php Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/ reported a vulnerability in the Move Attachments admin page, allowing an attacker to inject arbitrary code through a crafted 'type' parameter. Sanitize the 'type' parameter prior to output, to ensure HTML special characters are properly escaped. Fixes #22568 --- admin/move_attachments_page.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/admin/move_attachments_page.php b/admin/move_attachments_page.php index c7c806e..96dfe35 100644 --- a/admin/move_attachments_page.php +++ b/admin/move_attachments_page.php @@ -188,7 +188,7 @@ if( isset( $t_projects[ALL_PROJECTS] ) ) { </table> <div class="widget-toolbox padding-8 clearfix"> - <input name="type" type="hidden" value="<?php echo $f_file_type ?>" /> + <input name="type" type="hidden" value="<?php echo string_attribute( $f_file_type); ?>" /> <input type="submit" class="btn btn-primary btn-white btn-round" value="Move Attachments" /> </div> </div> -- 2.7.4 |
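Review bot: the hunk encodes `$f_file_type` at the single output point shown, the hidden field's `value` attribute, and `string_attribute()` is the right encoder for a double-quoted attribute; two things worth confirming before merge are that `$f_file_type` is not echoed unescaped anywhere else in admin/move_attachments_page.php (only this one line is touched), and whether the `type` parameter can additionally be validated against the known attachment types when it is read, so the hidden field only ever carries expected values rather than relying on output encoding alone. Minor style: `string_attribute( $f_file_type);` drops the space before the closing parenthesis that the surrounding code uses, e.g. `isset( $t_projects[ALL_PROJECTS] )`, so `string_attribute( $f_file_type );` would match.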
Oh and one more thing, it would be nice of you to tell us if you are still researching additional security issues in MantisBT, and expect to be filing additional issues in the next few days. If so, we would postpone releasing the new versions until you're done, to reduce our overhead in preparing the releases. Thanks in advance for your understanding.

Thanks for the prompt proceeding. We do not linger to gather security issues to keep them, but walk on. Bests,

@dregad

OSS-security mailing list announcement http://www.openwall.com/lists/oss-security/2017/03/30/4
MantisBT: master-1.3.x d31841c8 2017-03-24 08:02

Fix XSS in move_attachments_page.php

Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/ reported a vulnerability in the Move Attachments admin page, allowing an attacker to inject arbitrary code through a crafted 'type' parameter.

Sanitize the 'type' parameter prior to output, to ensure HTML special characters are properly escaped.

Fixes 0022568

Backported from 2.2.x ecef0e9b523a460709e8feedfce72f05bb30b992

Conflicts: admin/move_attachments_page.php

Affected Issues: 0022568

mod - admin/move_attachments_page.php
MantisBT: master-2.1 2d55c647 2017-03-24 08:02

Fix XSS in move_attachments_page.php

Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/ reported a vulnerability in the Move Attachments admin page, allowing an attacker to inject arbitrary code through a crafted 'type' parameter.

Sanitize the 'type' parameter prior to output, to ensure HTML special characters are properly escaped.

Fixes 0022568

Affected Issues: 0022568

mod - admin/move_attachments_page.php
MantisBT: master-2.2 ecef0e9b 2017-03-24 08:02

Fix XSS in move_attachments_page.php

Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/ reported a vulnerability in the Move Attachments admin page, allowing an attacker to inject arbitrary code through a crafted 'type' parameter.

Sanitize the 'type' parameter prior to output, to ensure HTML special characters are properly escaped.

Fixes 0022568

Affected Issues: 0022568

mod - admin/move_attachments_page.php