View Issue Details

ID: 0024608
Project: mantisbt
Category: security
View Status: public
Last Update: 2018-07-30 01:11
Reporter: teunb
Assigned To: atrol
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 2.1.0
Target Version: 2.15.1
Fixed in Version: 2.15.1
Summary: 0024608: CVE-2018-14504: XSS in edit filters page
Description

If I save a filter and name it something like:

foobar" onclick="alert(1)

the onclick is rendered as HTML if I go to the edit filter page under manage filters (manage_filter_edit_page.php, from manage_filter_page.php). Since CSP headers are set correctly this is not an immediate issue, but still one you probably want to fix in case someone finds some creative way to get around that.

TagsNo tags attached.
Attached Files

Activities

atrol (developer), 2018-07-13 09:22, note ~0060263

Thanks @teunb for reporting this issue.

Please check if applying the attached patch fixes the issue.

24608-xss.patch (1,026 bytes)   
From 9426c94d7bddeff10c8058471b0cfaef6e4fb60f Mon Sep 17 00:00:00 2001
From: Roland Becker <roland@atrol.de>
Date: Fri, 13 Jul 2018 15:18:46 +0200
Subject: [PATCH] Fix XSS vulnerability on filter edit page

Fixes #24608
---
 manage_filter_edit_page.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/manage_filter_edit_page.php b/manage_filter_edit_page.php
index 074ca14bd..9478d059c 100644
--- a/manage_filter_edit_page.php
+++ b/manage_filter_edit_page.php
@@ -124,7 +124,7 @@ $t_filter_project_id = filter_get_field( $f_filter_id, 'project_id' );
 						<div class="form-inline">
 							<label>
 								<?php echo lang_get( 'query_name' ) ?>&nbsp;
-								<input type="text" size="25" name="filter_name" maxlength="64" value="<?php echo filter_get_field( $f_filter_id, 'name' ) ?>">
+								<input type="text" size="25" name="filter_name" maxlength="64" value="<?php echo string_display_line( filter_get_field( $f_filter_id, 'name' ) ) ?>">
 							</label>
 						</div>
 					</div>
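Review bot: the fix is only as good as the quote handling of string_display_line(); the echoed name sits inside a double-quoted value="..." attribute, so the function must encode `"` (the equivalent of htmlspecialchars with ENT_QUOTES), not just `<`, `>` and `&`, or the reported payload `foobar" onclick="alert(1)` still closes the attribute and injects an event handler. Please confirm that in the function and consider a test with that exact name. Also, the patch touches only this one echo of filter_get_field( $f_filter_id, 'name' ); any other place this page prints a filter field unescaped (not visible in this hunk) needs the same wrapping, otherwise the same stored value remains exploitable one element further down.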
-- 
2.18.0

teunb (reporter), 2018-07-13 09:41, note ~0060265

Unfortunately I'm not the one who manages the mantis instance I tested this on, so I can't test if the patch fixes things without deploying an entirely new mantis instance somewhere on a server that I do manage. The code looks like it should fix the issue though.

dregad (developer), 2018-07-21 11:43, note ~0060290

I updated the product and target versions. Note: I don't have time to actually test and confirm whether 2.1.0 is actually the earliest affected release; this is just an assumption based on the fact that there was a major refactoring of the filters, which most likely introduced this vulnerability.

dregad (developer), 2018-07-21 12:01, note ~0060291

CVE Request 541329 sent.

@teunb let me know if you would like to be credited for the finding, and if so, how (full name, company, e-mail, web site, etc)

teunb (reporter), 2018-07-21 17:29, note ~0060295

@dregad credit by full name only is fine: Teun Beijers.

Thanks for fixing this bug in a timely manner!

atrol (developer), 2018-07-22 15:24, note ~0060300

CVE-2018-14504 assigned

Related Changesets

MantisBT: master-2.15 8b5fa243 (atrol, 2018-07-13 05:18)

Fix XSS on filter edit page (CVE-2018-14504)

Teun Beijers reported a cross-site scripting (XSS) vulnerability in
the Edit Filter page which allows execution of arbitrary code
(if CSP settings permit it) when displaying a filter with a crafted
name.

Prevent the attack by sanitizing the filter name before display.

Fixes 0024608
Affected Issues: 0024608
mod - manage_filter_edit_page.php
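Added example, illustrating both the reporter's description above and the commit message's "sanitizing the filter name before display". This is not MantisBT code and not the reporter's or the developer's: it rebuilds the one changed line of manage_filter_edit_page.php in Python, with html.escape() standing in for string_display_line() (an assumption about equivalence, not a statement about that function), and parses each rendering the way a browser would, so the difference between escaping only tags and also escaping quotes is visible in the attribute list rather than asserted. The filter name is the payload from the report.

```python
"""Attribute-context XSS from an unescaped <input value="..."> and the escaping fix.

Added example, not MantisBT code. html.escape() stands in for MantisBT's
string_display_line() (assumed, not verified, to be equivalent for this purpose).
"""
import html
from html.parser import HTMLParser

# The filter name from the bug report, as an attacker would store it.
PAYLOAD = 'foobar" onclick="alert(1)'

# Exactly the attributes the template writes; anything else is injected.
TEMPLATE_ATTRS = {"type", "size", "name", "maxlength", "value"}


def render_vulnerable(filter_name: str) -> str:
    """Pre-fix template: the stored name is echoed into a quoted attribute as-is."""
    return (f'<input type="text" size="25" name="filter_name" maxlength="64" '
            f'value="{filter_name}">')


def render_tags_only(filter_name: str) -> str:
    """Insufficient fix: escapes &, < and > but leaves the double quote intact.

    Enough against <script> injection, useless inside a quoted attribute.
    """
    return (f'<input type="text" size="25" name="filter_name" maxlength="64" '
            f'value="{html.escape(filter_name, quote=False)}">')


def render_fixed(filter_name: str) -> str:
    """Post-fix template: quotes are encoded too, so the value cannot close the attribute."""
    return (f'<input type="text" size="25" name="filter_name" maxlength="64" '
            f'value="{html.escape(filter_name, quote=True)}">')


class _FirstInput(HTMLParser):
    """Collects the attributes of the first <input> tag; entity-decodes values like a browser."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)


def parse_input_attrs(markup: str) -> dict:
    """Return the attribute dict a parser sees for the rendered <input>."""
    parser = _FirstInput()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def is_attribute_injection(markup: str) -> bool:
    """True if the rendered tag carries any attribute the template did not write."""
    return not set(parse_input_attrs(markup)) <= TEMPLATE_ATTRS


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable),
                          ("tags-only escaping", render_tags_only),
                          ("quote-aware escaping", render_fixed)):
        markup = render(PAYLOAD)
        print(f"{label}: injected={is_attribute_injection(markup)}")
        print("  ", markup)
        print("  ", parse_input_attrs(markup))
```

The point the parser makes concrete: after the tags-only variant, the value still terminates at the first `"`, and `onclick` becomes a real attribute; only the quote-aware variant keeps the whole payload inside `value`, which is why the check for the MantisBT fix is whether string_display_line() encodes double quotes.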