View Issue Details

ID: 0024580
Project: mantisbt
Category: security
View Status: public
Last Update: 2018-09-04 10:55
Reporter: om3rcitak
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.1.0
Target Version: 2.15.1
Fixed in Version: 2.15.1
Summary0024580: CVE-2018-13055: Reflected XSS in view filters page
Description

Reported via e-mail by Ömer Çıtak, Security Researcher at Netsparker.

URL: http://{domain}/{mantis_path}/view_filters_page.php/'"--></style></scRipt><scRipt>alert(0x00CB68)</scRipt>
Parameter Name: URI-BASED
Parameter Type: Full URL
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x00CB68)</scRipt>

Tags: No tags attached.

Relationships

related to 0024731 (closed, dregad): CVE-2018-16514: Reflected XSS in view_filters_page.php via core/filter_form_api.php

Activities

dregad (developer), 2018-07-02 07:35, ~0060208

Confirmed - XSS reproduced in latest master MantisBT master 98ea423f (with CSP switched off)

dregad (developer), 2018-07-02 10:02, ~0060209

The root cause is the use of $_SERVER['PHP_SELF'] in https://github.com/mantisbt/mantisbt/blob/release-2.15.0/core/filter_form_api.php#L2396.
This code was introduced as part of the Filter API refactoring MantisBT master 46fddbcb in MantisBT 2.1.0.

A simple workaround would be to call string_sanitize_url(), but I'm wondering if and why we need to use PHP_SELF here.

@cproensa, thoughts?
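The root cause named in the note above, as an added illustration that is not MantisBT's own code: a "reload" link whose href is built from $_SERVER['PHP_SELF'], which carries any PATH_INFO appended to the script name. The request values and the function names below are constructed for this example; the hardened variant uses htmlspecialchars() and http_build_query() rather than the project's string_sanitize_url().

```php
<?php
// Added illustration, not MantisBT code. PHP_SELF = SCRIPT_NAME + PATH_INFO,
// so everything after "view_filters_page.php" is attacker-controlled input
// that must not reach an HTML attribute unescaped.

// Constructed stand-ins for $_SERVER['PHP_SELF'] and $_GET on a crafted request.
$self = '/mantisbt/view_filters_page.php/"><b>injected</b>';
$get  = ['type' => '1', 'view_type' => 'simple"><i>x</i>'];

// Vulnerable pattern: path and query values are concatenated into the
// attribute as-is, so a double quote in PATH_INFO closes the href.
function reload_link_vulnerable(string $php_self, array $get): string {
    $pairs = [];
    foreach ($get as $k => $v) {
        $pairs[] = $k . '=' . $v;
    }
    return '<a href="' . $php_self . '?' . implode('&', $pairs) . '">Reload</a>';
}

// Hardened pattern: http_build_query() URL-encodes the query values (this
// also covers raw $_GET input, not only PATH_INFO), and the complete
// attribute value is HTML-escaped with ENT_QUOTES at the point of output.
function reload_link_hardened(string $php_self, array $get): string {
    $url = $php_self . '?' . http_build_query($get);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Reload</a>';
}

// Self-check usable in a unit test: the link itself contributes exactly two
// "<" characters ("<a" and "</a>"); any further "<" means a new tag was injected.
function contains_injected_tag(string $html): bool {
    return substr_count($html, '<') > 2;
}

echo reload_link_vulnerable($self, $get), PHP_EOL;
echo reload_link_hardened($self, $get), PHP_EOL;
var_dump(contains_injected_tag(reload_link_vulnerable($self, $get)));
var_dump(contains_injected_tag(reload_link_hardened($self, $get)));
```

Where the link only ever points back to the current script, $_SERVER['SCRIPT_NAME'] (which does not include PATH_INFO) removes the untrusted path segment at the source, but output escaping is still required for the query string.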

dregad (developer), 2018-07-02 10:12, ~0060210

CVE Request 530974 sent

dregad (developer), 2018-07-04 09:23, ~0060212

CVE-2018-13055 assigned

dregad (developer), 2018-07-04 09:47, ~0060213

Proposed fix per 0024580:0060209. Please test and confirm that it does fix the issue.

Attachment: 0001-Fix-XSS-in-filter_form_draw_inputs-CVE-2018-13055.patch (1,210 bytes)
From 1ffc2e3ed3e5958fc1d7f323b9346a35e22ce96d Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Wed, 4 Jul 2018 15:29:54 +0200
Subject: [PATCH] Fix XSS in filter_form_draw_inputs() (CVE-2018-13055)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Ömer Çıtak, Security Researcher at Netsparker, reported this
vulnerability, allowing remote attackers to inject arbitrary code
(if CSP settings permit it) through a crafted PATH_INFO on
view_filters_page.php.

Prevent the attack by sanitizing the output of $_SERVER['PHP_SELF']
before display.

Fixes #24580
---
 core/filter_form_api.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/core/filter_form_api.php b/core/filter_form_api.php
index 8baa008a5..05d5c39e1 100644
--- a/core/filter_form_api.php
+++ b/core/filter_form_api.php
@@ -2394,6 +2394,7 @@ function filter_form_draw_inputs( $p_filter, $p_for_screen = true, $p_static = f
 
 	if( null === $p_static_fallback_page ) {
 		$p_static_fallback_page = $_SERVER['PHP_SELF'];
+		$p_static_fallback_page = string_sanitize_url( $_SERVER['PHP_SELF'] );
 	}
 	$t_filters_url = $p_static_fallback_page;
 	$t_get_params = $_GET;
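Review bot: the hunk keeps the original `$p_static_fallback_page = $_SERVER['PHP_SELF'];` line and adds a second assignment directly below it that overwrites the value, so the first assignment is now dead code; replace it (a `-` line for the old assignment) rather than stacking the sanitized one after it. Two related checks for the same block: the sanitization only runs inside `if( null === $p_static_fallback_page )`, so callers that pass their own fallback page bypass it and should be confirmed to supply a safe value; and the last context line copies `$_GET` into `$t_get_params`, so query-string values that end up in `$t_filters_url` still need escaping where that URL is rendered, since sanitizing PHP_SELF alone does not cover them.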
-- 
2.16.2

cproensa (developer), 2018-07-05 13:06, ~0060219

> @cproensa, thoughts?
> Proposed fix per 0024580:0060209. Please test and confirm that it does fix the issue.

Looks good, I cannot test at the moment.
The self page is a "reload" link for populating the filter options when JavaScript is disabled.

atrol (developer), 2018-07-05 17:10, ~0060220

The patch fixes the XSS issue, but is this the filter section you expect to see?

Attachment: FilterXSS.png (290,802 bytes)

Related Changesets

MantisBT: master-2.15 4efac90e
2018-07-04 09:29:54, author dregad, committer atrol

Fix XSS in filter_form_draw_inputs() (CVE-2018-13055)

Ömer Çıtak, Security Researcher at Netsparker, reported this
vulnerability, allowing remote attackers to inject arbitrary code
(if CSP settings permit it) through a crafted PATH_INFO on
view_filters_page.php.

Prevent the attack by sanitizing the output of $_SERVER['PHP_SELF']
before display.

Fixes 0024580
Affected Issues: 0024580
mod - core/filter_form_api.php

Issue History

Date Modified Username Field Change
2018-07-02 07:17 dregad New Issue
2018-07-02 07:35 dregad Note Added: 0060208
2018-07-02 07:35 dregad Status new => confirmed
2018-07-02 07:35 dregad Description Updated View Revisions
2018-07-02 07:36 dregad Description Updated View Revisions
2018-07-02 07:36 dregad Description Updated View Revisions
2018-07-02 09:12 dregad Reporter dregad => om3rcitak
2018-07-02 10:02 dregad Product Version 2.11.1 => 2.1.0
2018-07-02 10:02 dregad Note Added: 0060209
2018-07-02 10:12 dregad Note Added: 0060210
2018-07-04 09:23 dregad Summary Reflected XSS in view filters page => CVE-2018-13055: Reflected XSS in view filters page
2018-07-04 09:23 dregad Note Added: 0060212
2018-07-04 09:47 dregad File Added: 0001-Fix-XSS-in-filter_form_draw_inputs-CVE-2018-13055.patch
2018-07-04 09:47 dregad Note Added: 0060213
2018-07-05 13:06 cproensa Note Added: 0060219
2018-07-05 17:10 atrol File Added: FilterXSS.png
2018-07-05 17:10 atrol Note Added: 0060220
2018-07-23 16:55 atrol Changeset attached => MantisBT master-2.15 4efac90e
2018-07-23 16:55 dregad Assigned To => dregad
2018-07-23 16:55 dregad Status confirmed => resolved
2018-07-23 16:55 dregad Resolution open => fixed
2018-07-23 16:55 dregad Fixed in Version => 2.15.1
2018-07-30 00:57 vboctor Status resolved => closed
2018-07-30 01:11 vboctor View Status private => public
2018-09-04 10:55 dregad Relationship added related to 0024731