0024580: CVE-2018-13055: Reflected XSS in view filters page - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update

0024580	mantisbt	security	public	2018-07-02 07:17	2018-09-04 10:55

Reporter	om3rcitak	Assigned To	dregad
Priority	high	Severity	major	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	2.1.0
Target Version	2.15.1	Fixed in Version	2.15.1

Summary	0024580: CVE-2018-13055: Reflected XSS in view filters page
Description	Reported via e-mail by Ömer Çıtak, Security Researcher at Netsparker. URL: `http://{domain}/{mantis_path}/view_filters_page.php/'"--></style></scRipt><scRipt>alert(0x00CB68)</scRipt>` Parameter Name: URI-BASED Parameter Type: Full URL Attack Pattern: '"--></style></scRipt><scRipt>alert(0x00CB68)</scRipt>
Tags	No tags attached.

dregad 2018-07-02 07:35 developer ~0060208	Confirmed - XSS reproduced in latest master MantisBT master 98ea423f (with CSP switched off)

dregad 2018-07-02 10:02 developer ~0060209	The root cause is the use of `$_SERVER['PHP_SELF']` in https://github.com/mantisbt/mantisbt/blob/release-2.15.0/core/filter_form_api.php#L2396. This code was introduced as part of the Filter API refactoring MantisBT master 46fddbcb in MantisBT 2.1.0. A simple workaround would be to call string_sanitize_url(), but I'm wondering if and why we need to use PHP_SELF here. @cproensa, thoughts ?

dregad 2018-07-02 10:12 developer ~0060210	CVE Request 530974 sent

dregad 2018-07-04 09:23 developer ~0060212	CVE-2018-13055 assigned

dregad 2018-07-04 09:47 developer ~0060213	Proposed fix per 0024580:0060209. Please test and confirm that it does fix the issue. 0001-Fix-XSS-in-filter_form_draw_inputs-CVE-2018-13055.patch (1,210 bytes) From 1ffc2e3ed3e5958fc1d7f323b9346a35e22ce96d Mon Sep 17 00:00:00 2001 From: Damien Regad <dregad@mantisbt.org> Date: Wed, 4 Jul 2018 15:29:54 +0200 Subject: [PATCH] Fix XSS in filter_form_draw_inputs() (CVE-2018-13055) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Ömer Çıtak, Security Researcher at Netsparker, reported this vulnerability, allowing remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted PATH_INFO on view_filters_page.php. Prevent the attack by sanitizing the output of $_SERVER['PHP_SELF'] before display. Fixes #24580 --- core/filter_form_api.php \| 1 + 1 file changed, 1 insertion(+) diff --git a/core/filter_form_api.php b/core/filter_form_api.php index 8baa008a5..05d5c39e1 100644 --- a/core/filter_form_api.php +++ b/core/filter_form_api.php @@ -2394,6 +2394,7 @@ function filter_form_draw_inputs( $p_filter, $p_for_screen = true, $p_static = f if( null === $p_static_fallback_page ) { $p_static_fallback_page = $_SERVER['PHP_SELF']; + $p_static_fallback_page = string_sanitize_url( $_SERVER['PHP_SELF'] ); } $t_filters_url = $p_static_fallback_page; $t_get_params = $_GET; -- 2.16.2 0001-Fix-XSS-in-filter_form_draw_inputs-CVE-2018-13055.patch (1,210 bytes)

cproensa 2018-07-05 13:06 developer ~0060219	@cproensa, thoughts ? Proposed fix per 0024580:0060209. Please test and confirm that it does fix the issue. Looks good, i cannot test at the moment The self page is a "reload" link for populating the filter options when javascript is disabled.

atrol 2018-07-05 17:10 developer ~0060220	The patch fixes the XSS issue, but is this the filter section you expect to see? FilterXSS.png (290,802 bytes) FilterXSS.png (290,802 bytes)

MantisBT: master-2.15 4efac90e 2018-07-04 09:29:54 dregad Committer: atrol Details Diff	Fix XSS in filter_form_draw_inputs() (CVE-2018-13055) Ömer Çıtak, Security Researcher at Netsparker, reported this vulnerability, allowing remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted PATH_INFO on view_filters_page.php. Prevent the attack by sanitizing the output of $_SERVER['PHP_SELF'] before display. Fixes 0024580		Affected Issues 0024580
	mod - core/filter_form_api.php		Diff File