View Issue Details

IDProjectCategoryView StatusLast Update
0024608mantisbtsecuritypublic2018-07-30 01:11
ReporterteunbAssigned Toatrol 
PrioritynormalSeveritymajorReproducibilityhave not tried
Status closedResolutionfixed 
Product Version2.1.0 
Target Version2.15.1Fixed in Version2.15.1 
Summary0024608: CVE-2018-14504: XSS in edit filters page
Description

If I save a filter and name it something like:

foobar" onclick="alert(1)

the onclick is rendered as html if I go to the edit filter page under manage filters(manage_filter_edit_page.php from manage_filter_page.php). Since CSP headers are set correctly this is not an immediate issue, but still one you probably want to fix in case someone finds some creative way to get around that.

TagsNo tags attached.

Activities

atrol

atrol

2018-07-13 09:22

developer   ~0060263

Thanks @teunb for reporting this issue.

Please check if applying the attached patch fixes the issue.



24608-xss.patch (1,026 bytes)
From 9426c94d7bddeff10c8058471b0cfaef6e4fb60f Mon Sep 17 00:00:00 2001
From: Roland Becker <roland@atrol.de>
Date: Fri, 13 Jul 2018 15:18:46 +0200
Subject: [PATCH] Fix XSS vulnerability on filter edit page

Fixes #24608
---
 manage_filter_edit_page.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/manage_filter_edit_page.php b/manage_filter_edit_page.php
index 074ca14bd..9478d059c 100644
--- a/manage_filter_edit_page.php
+++ b/manage_filter_edit_page.php
@@ -124,7 +124,7 @@ $t_filter_project_id = filter_get_field( $f_filter_id, 'project_id' );
 						<div class="form-inline">
 							<label>
 								<?php echo lang_get( 'query_name' ) ?>&nbsp;
-								<input type="text" size="25" name="filter_name" maxlength="64" value="<?php echo filter_get_field( $f_filter_id, 'name' ) ?>">
+								<input type="text" size="25" name="filter_name" maxlength="64" value="<?php echo string_display_line( filter_get_field( $f_filter_id, 'name' ) ) ?>">
 							</label>
 						</div>
 					</div>
-- 
2.18.0

24608-xss.patch (1,026 bytes)
teunb

teunb

2018-07-13 09:41

reporter   ~0060265

Unfortunately I'm not the one who manages the mantis instance I tested this on, so I can't test if the patch fixes things without deploying an entirely new mantis instance somewhere on a server that I do manage. The code looks like it should fix the issue though.

dregad

dregad

2018-07-21 11:43

developer   ~0060290

I updated the product and target versions. Note: I don't have time to actually test and confirm whether 2.1.0 is actually the earliest affected release, this is just an assumption based on the fact that there was a major refactoring of the filters, which most likely introduced this vulnerability.

dregad

dregad

2018-07-21 12:01

developer   ~0060291

CVE Request 541329 sent.

@teunb let me know if you would like to be credited for the finding, and if so, how (full name, company, e-mail, web site, etc)

teunb

teunb

2018-07-21 17:29

reporter   ~0060295

@dregad credit by full name only is fine: Teun Beijers.

Thanks for fixing this bug in a timely manner!

atrol

atrol

2018-07-22 15:24

developer   ~0060300

CVE-2018-14504 assigned

Related Changesets

MantisBT: master-2.15 8b5fa243

2018-07-13 09:18:46

atrol

Details Diff
Fix XSS on filter edit page (CVE-2018-14504)

Teun Beijers reported a cross-site scripting (XSS) vulnerability in
the Edit Filter page which allows execution of arbitrary code
(if CSP settings permit it) when displaying a filter with a crafted
name.

Prevent the attack by sanitizing the filter name before display.

Fixes 0024608
Affected Issues
0024608
mod - manage_filter_edit_page.php Diff File

Issue History

Date Modified Username Field Change
2018-07-13 08:44 teunb New Issue
2018-07-13 09:22 atrol File Added: 24608-xss.patch
2018-07-13 09:22 atrol Note Added: 0060263
2018-07-13 09:22 atrol Status new => confirmed
2018-07-13 09:41 teunb Note Added: 0060265
2018-07-21 11:43 dregad Severity minor => major
2018-07-21 11:43 dregad Product Version => 2.1.0
2018-07-21 11:43 dregad Target Version => 2.15.1
2018-07-21 11:43 dregad Note Added: 0060290
2018-07-21 12:01 dregad Note Added: 0060291
2018-07-21 17:29 teunb Note Added: 0060295
2018-07-22 15:24 atrol Note Added: 0060300
2018-07-22 15:25 atrol Summary XSS in filters => CVE-2018-14504: XSS in edit filters page
2018-07-23 16:55 atrol Changeset attached => MantisBT master-2.15 8b5fa243
2018-07-23 16:55 atrol Assigned To => atrol
2018-07-23 16:55 atrol Status confirmed => resolved
2018-07-23 16:55 atrol Resolution open => fixed
2018-07-23 16:55 atrol Fixed in Version => 2.15.1
2018-07-30 00:57 vboctor Status resolved => closed
2018-07-30 01:11 vboctor View Status private => public