0022742: CVE-2017-7897: XSS in timeline_inc.php (affects my_view_page.php and view_user_page.php)

ID	Project	Category	View Status	Date Submitted	Last Update
0022742	mantisbt	security	public	2017-04-18 10:35	2017-04-30 14:48

Reporter	dregad	Assigned To	dregad
Priority	high	Severity	major	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	2.3.0
Target Version	2.3.2	Fixed in Version	2.3.2

Summary	0022742: CVE-2017-7897: XSS in timeline_inc.php (affects my_view_page.php and view_user_page.php)
Description	`$_SERVER['PHP_SELF']` is not sanitized before being used to generate URLs. Yes, we have a CSP policy in place, but it can be disabled optionally per application config, and does not include prefixed headers so IE 10/11 would be susceptible as they use X-Content-Security-Policy according to CanIUse.
Steps To Reproduce	Navigate to `/view_user_page.php/"><script>alert(1)</script><x` `/my_view_page.php/"><script>alert(1)</script><x`
Additional Information	Initially reported by user quantumpacket in https://github.com/mantisbt/mantisbt/pull/1094
Tags	No tags attached.

MantisBT: master-2.3 a1c71931 2017-04-18 07:49 dregad Details Diff	Fix XSS in timeline_inc.php Use of $_SERVER['PHP_SELF'] and outputting it as-is allows an attacker to inject arbitrary JavaScript as part of the URL. Using SCRIPT_NAME and passing it through string_sanitize_url() instead prevents the attack. Fixes 0022742 Fixes https://github.com/mantisbt/mantisbt/pull/1094		Affected Issues 0022742
	mod - core/timeline_inc.php		Diff File

dregad 2017-04-18 10:36 developer ~0056608	Introduced in 2.3.0 - MantisBT master e2d1de8a

dregad 2017-04-18 12:44 developer ~0056611	CVE Request 321514