View Issue Details

IDProjectCategoryView StatusLast Update
0024731mantisbtsecuritypublic2018-09-25 04:19
ReportergeeknikAssigned Todregad 
PriorityhighSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Product Version 
Target Version2.17.1Fixed in Version2.17.1 
Summary0024731: CVE-2018-16514: Reflected XSS in view_filters_page.php via core/filter_form_api.php
Description

On sites that do not have CORS security headers or poorly-configured CORS headers (or for users of Internet Explorer 10, 11 and maybe Edge?), there exists a reflected XSS flaw in view_filters_page.php, which I believe is enabled by bad code in core/filter_form_api.php starting at Line 0002779: https://github.com/mantisbt/mantisbt/blob/006cd0cd90c37097e1a065fd3e59ce2534490834/core/filter_form_api.php#L2779

On sites that do have properly configured CORS headers (and browsers that care about CORS headers), this will show up in the Firefox web console:
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src”). Source: onmouseover attribute on A element.

Even still, the code is still reflected back across the TD cells despite the browser refusing to execute it:
<tr><td class="small-caption category ">/bugs/view_filters_page.php/

Steps To Reproduce

https://mantisbt.org/bugs/view_filters_page.php/&quot;onmouseover%3d'prompt(1)'bad%3d&quot;

Additional Information

I've attached a screenshot showing the flaw being reproduced on this very site with IE 11.0.9600.19100.

TagsNo tags attached.

Relationships

related to 0024580 closeddregad CVE-2018-13055: Reflected XSS in view filters page 

Activities

geeknik

geeknik

2018-09-03 15:26

reporter   ~0060596

Screenshot.



dregad

dregad

2018-09-04 04:36

developer   ~0060597

Thanks for the detailed bug report. We will look into it.

Did you request a CVE for this ? If not, should we take care of it ? How would you like to be credited for the finding ?

dregad

dregad

2018-09-04 11:10

developer   ~0060598

This is very similar to 0024580 - the attack vector is slightly different (onmouseover)

dregad

dregad

2018-09-04 11:27

developer   ~0060599

I can reproduce the problem. It is indeed the same root cause as 0024580, i.e. use of $_SERVER['PHP_SELF'] to specify the fallback page. Unfortunately the earlier fix (calling string_sanitize_url) did not fully address the vulnerability.

It's worth mentioning that the same vulnerability also is also present in manage_filter_edit_page.php :
http://path.to/mantisbt/manage_filter_edit_page.php/%22onmouseover%3d'alert(&quot;XSS&quot;)'bad%3d%22?filter_id=7621

I think we just need to get rid of using PHP_SELF.

dregad

dregad

2018-09-05 06:22

developer   ~0060602

CVE Request 563901 sent to MITRE

dregad

dregad

2018-09-05 08:12

developer   ~0060603

Proposed fix, please review



0001-Use-SCRIPT_NAME-instead-of-PHP_SELF.patch (1,104 bytes)
From 66091a42626631a3063774eb0fb8a4218ab22fd4 Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Wed, 5 Sep 2018 01:39:06 +0200
Subject: [PATCH] Use SCRIPT_NAME instead of PHP_SELF

Fix XSS in view_filters_page.php and manage_filter_edit_page.php

Fixes #24731
---
 core/filter_form_api.php | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/core/filter_form_api.php b/core/filter_form_api.php
index 05d5c39e1..7b38752fd 100644
--- a/core/filter_form_api.php
+++ b/core/filter_form_api.php
@@ -2393,10 +2393,9 @@ function filter_form_draw_inputs( $p_filter, $p_for_screen = true, $p_static = f
 	}
 
 	if( null === $p_static_fallback_page ) {
-		$p_static_fallback_page = $_SERVER['PHP_SELF'];
-		$p_static_fallback_page = string_sanitize_url( $_SERVER['PHP_SELF'] );
+		$p_static_fallback_page = $_SERVER['SCRIPT_NAME'];
 	}
-	$t_filters_url = $p_static_fallback_page;
+	$t_filters_url = helper_mantis_url( $p_static_fallback_page );
 	$t_get_params = $_GET;
 	$t_get_params['for_screen'] = $p_for_screen;
 	$t_get_params['static'] = ON;
-- 
2.16.1.windows.1

atrol

atrol

2018-09-05 09:26

developer   ~0060604

Did a few tests.
Fix looks good, also concerning 0024580:0060220

geeknik

geeknik

2018-09-05 10:06

reporter   ~0060605

dregad, can you credit Brian Carpenter - Geeknik Labs? Thank you.

dregad

dregad

2018-09-05 10:48

developer   ~0060606

CVE-2018-16514 assigned

Related Changesets

MantisBT: master-2.17 66091a42

2018-09-04 19:39:06

dregad

Details Diff
Use SCRIPT_NAME instead of PHP_SELF

Fix XSS in view_filters_page.php and manage_filter_edit_page.php

Fixes 0024731
Affected Issues
0024731
mod - core/filter_form_api.php Diff File

Issue History

Date Modified Username Field Change
2018-09-03 15:25 geeknik New Issue
2018-09-03 15:26 geeknik File Added: Screenshot_2018-09-03_13-51-43.png
2018-09-03 15:26 geeknik Note Added: 0060596
2018-09-04 04:36 dregad Status new => acknowledged
2018-09-04 04:36 dregad Note Added: 0060597
2018-09-04 10:55 dregad Relationship added related to 0024580
2018-09-04 11:10 dregad Note Added: 0060598
2018-09-04 11:27 dregad Status acknowledged => confirmed
2018-09-04 11:27 dregad Note Added: 0060599
2018-09-05 06:22 dregad Note Added: 0060602
2018-09-05 08:12 dregad File Added: 0001-Use-SCRIPT_NAME-instead-of-PHP_SELF.patch
2018-09-05 08:12 dregad Note Added: 0060603
2018-09-05 08:12 dregad Assigned To => dregad
2018-09-05 08:12 dregad Status confirmed => assigned
2018-09-05 09:26 atrol Note Added: 0060604
2018-09-05 10:06 geeknik Note Added: 0060605
2018-09-05 10:48 dregad Summary Reflected XSS in view_filters_page.php via core/filter_form_api.php => CVE-2018-16514: Reflected XSS in view_filters_page.php via core/filter_form_api.php
2018-09-05 10:48 dregad Note Added: 0060606
2018-09-24 02:12 dregad Changeset attached => MantisBT master-2.17 66091a42
2018-09-24 02:12 dregad Status assigned => resolved
2018-09-24 02:12 dregad Resolution open => fixed
2018-09-24 07:01 atrol Fixed in Version => 2.17.1
2018-09-24 07:01 atrol Target Version => 2.17.1
2018-09-25 00:45 vboctor Status resolved => closed
2018-09-25 04:19 dregad View Status private => public