0024186: CVE-2018-1000162: XSS vulnerability in Parsedown library - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update
0024186	mantisbt	security	public	2018-03-29 07:36	2018-04-13 08:34

Reporter	dregad	Assigned To	dregad
Priority	high	Severity	major	Reproducibility	have not tried
Status	closed	Resolution	fixed
Product Version	2.1.0
Target Version	2.12.1	Fixed in Version	2.12.1

Summary	0024186: CVE-2018-1000162: XSS vulnerability in Parsedown library
Description	Parsedown 1.6.x is vulnerable to XSS attacks https://github.com/erusev/parsedown/issues/497 https://github.com/erusev/parsedown/issues/530 https://github.com/erusev/parsedown/pull/495 This was fixed in 1.7.0 on 28-Feb-2018; 1.7.1 was released a few days later including a few additional bug fixes.
Additional Information	Some changes will be required on MantisBT side, e.g. `$Parsedown->setSafeMode(true);` to ensure we're protected against link-based XSS (see discussion in https://github.com/erusev/parsedown/pull/495)
Tags	No tags attached.
Attached Files

atrol 2018-03-29 08:13 developer ~0059346 Last edited: 2018-03-29 08:23	@dregad, I recomment to wait a bit (at least 1.7.2) until 1.7.x is stabilized. After there did hardly happen anything with parsedown for quite a long time, the new contributor/maintainer `aidantwoods` changed quite a lot in 1.7.0 and 1.7.1.

dregad 2018-03-29 09:04 developer ~0059348 Last edited: 2018-03-29 09:05	I recomment to wait a bit (at least 1.7.2) until 1.7.x is stabilized. I don't see any reason to delay - this is a security issue that is affecting us today and for which a fix is available. It would be silly not to patch it ASAP.

dregad 2018-03-29 09:10 developer ~0059349	Proposed patch as attachment for review, to avoid public disclosure in a pull request 24186.patch (2,842 bytes) diff --cc composer.json index 179cae1,179cae1..f634264 --- a/composer.json +++ b/composer.json @@@ -8,7 -8,7 +8,7 @@@ "vboctor/disposable_email_checker": "^3.0", "adodb/adodb-php": "^5.20", "phpmailer/phpmailer": "^5.2.22", -- "erusev/parsedown": "^1.7.0", ++ "erusev/parsedown": "^1.6", "dapphp/securimage": "dev-mantis" }, "require-dev": { diff --cc composer.lock index 8f44439,8f44439..9879157 --- a/composer.lock +++ b/composer.lock @@@ -4,7 -4,7 +4,7 @@@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "This file is @generated automatically" ], -- "content-hash": "493a9911b0f5109b5f4b73997648e7be", ++ "content-hash": "acd102d3211c0308e763376e7be54d78", "packages": [ { "name": "adodb/adodb-php", @@@ -142,25 -142,25 +142,21 @@@ }, { "name": "erusev/parsedown", -- "version": "1.7.1", ++ "version": "1.6.3", "source": { "type": "git", "url": "https://github.com/erusev/parsedown.git", -- "reference": "92e9c27ba0e74b8b028b111d1b6f956a15c01fc1" ++ "reference": "728952b90a333b5c6f77f06ea9422b94b585878d" }, "dist": { "type": "zip", -- "url": "https://api.github.com/repos/erusev/parsedown/zipball/92e9c27ba0e74b8b028b111d1b6f956a15c01fc1", -- "reference": "92e9c27ba0e74b8b028b111d1b6f956a15c01fc1", ++ "url": "https://api.github.com/repos/erusev/parsedown/zipball/728952b90a333b5c6f77f06ea9422b94b585878d", ++ "reference": "728952b90a333b5c6f77f06ea9422b94b585878d", "shasum": "" }, "require": { -- "ext-mbstring": "", "php": ">=5.3.0" }, -- "require-dev": { -- "phpunit/phpunit": "^4.8.35" -- }, "type": "library", "autoload": { "psr-0": { @@@ -184,7 -184,7 +180,7 @@@ "markdown", "parser" ], -- "time": "2018-03-08T01:11:30+00:00" ++ "time": "2017-05-14T14:47:48+00:00" }, { "name": "guzzlehttp/guzzle", diff --cc plugins/MantisCoreFormatting/core/MantisMarkdown.php index 6d96174,e937edd..18958bb --- a/plugins/MantisCoreFormatting/core/MantisMarkdown.php +++ b/plugins/MantisCoreFormatting/core/MantisMarkdown.php @@@ -66,9 -66,9 +66,6 @@@ class MantisMarkdown extends Parsedow # set the table class $this->table_class = 'table table-nonfluid'; -- -- # XSS protection -- $this->setSafeMode( true ); } /* 24186.patch (2,842 bytes)

vboctor 2018-03-30 18:49 manager ~0059376	@dregad I'm OK with the fix to make its way to 2.12.1. Seems like you have a reverse patch in 0024186:0059349 "ext-mbstring": "*", Why is this added?

dregad 2018-03-30 19:02 developer ~0059377 Last edited: 2018-03-30 19:08	Seems like you have a reverse patch in 0024186:0059349 Yes, I made a mistake in the git format-patch command. "ext-mbstring": "*", Why is this added? That comes from parsedown's composer.json - details on why it was added is here: https://github.com/erusev/parsedown/pull/561 Not a problem for us, as we also require it http://mantisbt.org/docs/master/en-US/Admin_Guide/html-desktop/#admin.install.requirements.software

dregad 2018-04-13 07:16 developer ~0059562	CVE-2018-1000162 assigned https://github.com/erusev/parsedown/issues/590

dregad 2018-04-13 08:34 developer ~0059563	Changing title and creating a child issue to track the Parsedown library update (0024297) separately, as it is effectively just a pre-requisite to the actual fix for the XSS (i.e. enabling safe mode)

MantisBT: master-2.12 518d7529 2018-03-29 04:16 dregad Details Diff	Update Parsedown to 1.7.1 - Set minimum required version to 1.7.0 in composer.json - Run composer update - Updating erusev/parsedown (1.6.3 => 1.7.1) Fixes 0024186		Affected Issues 0024186, 0024297
	mod - composer.json		Diff File
	mod - composer.lock		Diff File
MantisBT: master-2.12 a5e043f0 2018-03-29 04:49 dregad Details Diff	Enable Parsedown Safe Mode for XSS protection Fixes 0024186		Affected Issues 0024186
	mod - plugins/MantisCoreFormatting/core/MantisMarkdown.php		Diff File