0022579: CVE-2017-7309: XSS in adm_config_report.php - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update
0022579	mantisbt	security	public	2017-03-25 03:23	2017-04-01 00:13

Reporter	YelinAndZhangdongsheng	Assigned To	dregad
Priority	normal	Severity	major	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	1.3.0-rc.2
Target Version	1.3.9	Fixed in Version	1.3.9

Summary	0022579: CVE-2017-7309: XSS in adm_config_report.php
Description	Cross-Site Scripting Vulnerability in 'adm_config_report.php' page. The /adm_config_report.php page 'config_option' parameter in MantisBT is vulnerable to a cross-site scripting vulnerability when Javascript is supplied via GET or POST request. The exploitation example below uses the "alert()" JavaScript function to display "XSS" word.
Steps To Reproduce	Install the latest Mantisbt with all default settings. Log in as administrator Navigate to the URL: http://mantisServer/adm_config_report.php?config_option="><script>alert('XSSVenusTech')</script> Unexpected result: There is a popup wizard saying 'XSSVenusTech'
Additional Information	You are highly appreciated to confirm and log a CVE for this issue. Reporter: Yelin and Zhangdongsheng from VenusTech (http://www.venustech.com.cn)
Tags	No tags attached.
Attached Files

dregad 2017-03-25 07:26 developer ~0056194 Last edited: 2017-03-25 10:27	Introduced as part of MantisBT master 13bda674 (issue 0020058)

dregad 2017-03-29 12:32 developer ~0056266	CVE Request 313160

dregad 2017-03-30 11:44 developer ~0056280	@YelinAndZhangdongsheng the attached patch (for 1.3.0 and 2.2 branches) resolves the issue. 0001-Fix-XSS-in-adm_config_report.php.patch-1.3.x (1,243 bytes) 0001-Fix-XSS-in-adm_config_report.php.patch-2.x (1,300 bytes)

YelinAndZhangdongsheng 2017-03-30 22:04 reporter ~0056293	Yes. Neat fix. We confirmed the output escaping counteracted this 'config_option' attack vector. Bests, Yelin and Zhangdongsheng

dregad 2017-03-31 03:58 developer ~0056294	Thanks for the feedback. FYI, I announced the CVE's on the Open-Source Security mailing list last night. http://www.openwall.com/lists/oss-security/2017/03/30/4

MantisBT: master-1.3.x c9e5b1d0 2017-03-25 06:23 dregad Details Diff	Fix XSS in adm_config_report.php Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/ reported a vulnerability in the Configuration Report page, allowing an attacker to inject arbitrary code through a crafted 'config_option' parameter. Sanitize the parameter prior to output, to ensure HTML special characters are properly escaped. Fixes 0022579		Affected Issues 0022579
	mod - adm_config_report.php		Diff File
MantisBT: master-2.1 0243375e 2017-03-25 06:23 dregad Details Diff	Fix XSS in adm_config_report.php Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/ reported a vulnerability in the Configuration Report page, allowing an attacker to inject arbitrary code through a crafted 'config_option' parameter. Sanitize the parameter prior to output, to ensure HTML special characters are properly escaped. Ported from 1.3.x commit c9e5b1d0404503022605459552faeaf610bf15ae. Fixes 0022579		Affected Issues 0022579
	mod - adm_config_report.php		Diff File
MantisBT: master-2.2 e881dd79 2017-03-25 06:23 dregad Details Diff	Fix XSS in adm_config_report.php Yelin and Zhangdongsheng from VenusTech http://www.venustech.com.cn/ reported a vulnerability in the Configuration Report page, allowing an attacker to inject arbitrary code through a crafted 'config_option' parameter. Sanitize the parameter prior to output, to ensure HTML special characters are properly escaped. Ported from 1.3.x commit c9e5b1d0404503022605459552faeaf610bf15ae. Fixes 0022579		Affected Issues 0022579
	mod - adm_config_report.php		Diff File