View Issue Details
Field | Value
---|---
ID | 0024580
Project | mantisbt
Category | security
View Status | public
Date Submitted | 2018-07-02 07:17
Last Update | 2018-09-04 10:55
Reporter | om3rcitak
Assigned To | dregad
Priority | high
Severity | major
Reproducibility | always
Status | closed
Resolution | fixed
Product Version | 2.1.0
Target Version | 2.15.1
Fixed in Version | 2.15.1
Summary | 0024580: CVE-2018-13055: Reflected XSS in view filters page
Description | Reported via e-mail by Ömer Çıtak, Security Researcher at Netsparker. URL:
Tags | No tags attached.
Confirmed - XSS reproduced in latest master MantisBT master 98ea423f (with CSP switched off)
|
The root cause is the use of A simple workaround would be to call string_sanitize_url(), but I'm wondering if and why we need to use PHP_SELF here. @cproensa, thoughts?
|
CVE Request 530974 sent |
|
CVE-2018-13055 assigned |
|
Proposed fix per 0024580:0060209. Please test and confirm that it does fix the issue.
0001-Fix-XSS-in-filter_form_draw_inputs-CVE-2018-13055.patch (1,210 bytes)
From 1ffc2e3ed3e5958fc1d7f323b9346a35e22ce96d Mon Sep 17 00:00:00 2001 From: Damien Regad <dregad@mantisbt.org> Date: Wed, 4 Jul 2018 15:29:54 +0200 Subject: [PATCH] Fix XSS in filter_form_draw_inputs() (CVE-2018-13055) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Ömer Çıtak, Security Researcher at Netsparker, reported this vulnerability, allowing remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted PATH_INFO on view_filters_page.php. Prevent the attack by sanitizing the output of $_SERVER['PHP_SELF'] before display. Fixes #24580 --- core/filter_form_api.php | 1 + 1 file changed, 1 insertion(+) diff --git a/core/filter_form_api.php b/core/filter_form_api.php index 8baa008a5..05d5c39e1 100644 --- a/core/filter_form_api.php +++ b/core/filter_form_api.php @@ -2394,6 +2394,7 @@ function filter_form_draw_inputs( $p_filter, $p_for_screen = true, $p_static = f if( null === $p_static_fallback_page ) { $p_static_fallback_page = $_SERVER['PHP_SELF']; + $p_static_fallback_page = string_sanitize_url( $_SERVER['PHP_SELF'] ); } $t_filters_url = $p_static_fallback_page; $t_get_params = $_GET; -- 2.16.2 |
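Review bot: the hunk adds the sanitized assignment directly below the existing `$p_static_fallback_page = $_SERVER['PHP_SELF'];` instead of replacing it (the diffstat confirms 1 insertion and no deletion), so the unsanitized first assignment becomes dead code and reads as if the raw value were still intended to be used somewhere; drop the original line, or sanitize the variable in place with `$p_static_fallback_page = string_sanitize_url( $p_static_fallback_page );`. It would also be worth stating, in the commit message or a comment, that string_sanitize_url() rejects or strips the characters needed to break out of the context in which $t_filters_url is later emitted, since sanitizing a URL is not the same as HTML-encoding at the point of output; the branch where the caller passes a non-null $p_static_fallback_page is untouched and relies on the caller supplying a safe value.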
|
Looks good, I cannot test at the moment
|
The patch fixes the XSS issue, but is this the filter section you expect to see?
|
MantisBT: master-2.15 4efac90e 2018-07-04 09:29:54 Committer: atrol
Fix XSS in filter_form_draw_inputs() (CVE-2018-13055) Ömer Çıtak, Security Researcher at Netsparker, reported this vulnerability, allowing remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted PATH_INFO on view_filters_page.php. Prevent the attack by sanitizing the output of $_SERVER['PHP_SELF'] before display. Fixes 0024580
Affected Issues 0024580 |
|
mod - core/filter_form_api.php
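The mechanism behind this report, as an added illustration that is not MantisBT code and not the project's fix: with PATH_INFO enabled, PHP sets `$_SERVER['PHP_SELF']` to the script path plus whatever the client appended after it, so a form action built from PHP_SELF reflects attacker-controlled markup. The `$server` array below is constructed for the demo (PHP would populate it from the real request), and the hardened variant uses SCRIPT_NAME with a character whitelist and `htmlspecialchars()` rather than the project's `string_sanitize_url()`, so it shows the principle rather than the exact patched behaviour.

```php
<?php
// Added example, not MantisBT code: a form action built from PHP_SELF
// (vulnerable) next to one built from a whitelisted SCRIPT_NAME (hardened).
// The $server array is constructed here to stand in for a real request.

declare(strict_types=1);

/**
 * Vulnerable pattern: PHP_SELF is echoed unescaped into an attribute.
 * With PATH_INFO enabled, PHP_SELF is SCRIPT_NAME followed by PATH_INFO, so a
 * request to /view_filters_page.php/"><script>alert(1)</script> carries the
 * payload straight into the attribute.
 */
function form_action_vulnerable(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="get">';
}

/**
 * Hardened pattern: do not use PHP_SELF at all. SCRIPT_NAME is the path of the
 * script that actually ran, without PATH_INFO. Restrict it to a conservative
 * path alphabet and still HTML-encode at the point of output, because
 * validating a path and escaping for HTML are two separate defences.
 */
function form_action_hardened(array $server): string
{
    $script = $server['SCRIPT_NAME'] ?? '';
    // One or more "/segment" parts; letters, digits, underscore, dot and dash only.
    if (!preg_match('#\A(/[A-Za-z0-9_.\-]+)+\z#', $script)) {
        throw new UnexpectedValueException('unexpected script path');
    }
    $safe = htmlspecialchars($script, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $safe . '" method="get">';
}

// Constructed request: the attacker appends a PATH_INFO segment to the script URL.
$payload = '/"><script>alert(1)</script>';
$server = [
    'SCRIPT_NAME' => '/view_filters_page.php',
    'PATH_INFO'   => $payload,
    'PHP_SELF'    => '/view_filters_page.php' . $payload,
];

echo form_action_vulnerable($server), PHP_EOL;
echo form_action_hardened($server), PHP_EOL;
```

Run with `php example.php`: the first line closes the `action` attribute early and injects a script element (which only fires if the page's CSP permits inline script, matching the note above that the reproduction needed CSP switched off); the second line contains only `/view_filters_page.php`, because PATH_INFO never enters the hardened output and any stray quote or angle bracket in SCRIPT_NAME would either be rejected by the whitelist or encoded by `htmlspecialchars()`.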
Date Modified | Username | Field | Change |
---|---|---|---|
2018-07-02 07:17 | dregad | New Issue | |
2018-07-02 07:35 | dregad | Note Added: 0060208 | |
2018-07-02 07:35 | dregad | Status | new => confirmed |
2018-07-02 07:35 | dregad | Description Updated | View Revisions |
2018-07-02 07:36 | dregad | Description Updated | View Revisions |
2018-07-02 07:36 | dregad | Description Updated | View Revisions |
2018-07-02 09:12 | dregad | Reporter | dregad => om3rcitak |
2018-07-02 10:02 | dregad | Product Version | 2.11.1 => 2.1.0 |
2018-07-02 10:02 | dregad | Note Added: 0060209 | |
2018-07-02 10:12 | dregad | Note Added: 0060210 | |
2018-07-04 09:23 | dregad | Summary | Reflected XSS in view filters page => CVE-2018-13055: Reflected XSS in view filters page |
2018-07-04 09:23 | dregad | Note Added: 0060212 | |
2018-07-04 09:47 | dregad | File Added: 0001-Fix-XSS-in-filter_form_draw_inputs-CVE-2018-13055.patch | |
2018-07-04 09:47 | dregad | Note Added: 0060213 | |
2018-07-05 13:06 | cproensa | Note Added: 0060219 | |
2018-07-05 17:10 | atrol | File Added: FilterXSS.png | |
2018-07-05 17:10 | atrol | Note Added: 0060220 | |
2018-07-23 16:55 | atrol | Changeset attached | => MantisBT master-2.15 4efac90e |
2018-07-23 16:55 | dregad | Assigned To | => dregad |
2018-07-23 16:55 | dregad | Status | confirmed => resolved |
2018-07-23 16:55 | dregad | Resolution | open => fixed |
2018-07-23 16:55 | dregad | Fixed in Version | => 2.15.1 |
2018-07-30 00:57 | vboctor | Status | resolved => closed |
2018-07-30 01:11 | vboctor | View Status | private => public |
2018-09-04 10:55 | dregad | Relationship added | related to 0024731 |