View Issue Details

ID: 0025995
Project: mantisbt
Category: security
View Status: public
Last Update: 2019-08-25 07:07
Reporter: KamranSaifullah
Assigned To: dregad
Priority: immediate
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.13.0
Target Version: 2.21.2
Fixed in Version: 2.21.2
Summary0025995: CVE-2019-15074: Stored XSS Vulnerability in Timeline
Description

Hi,

I am Kamran Saifullah, an independent security researcher. I have found a vulnerability which is affecting the current version of MantisHub.

The issue is a Stored Cross Site Scripting Vulnerability. We can add attachments to an issue, but if an attacker tries to inject javascript in the name of the attachment, the error will be prompted every time a user logs into the account and/or tries to refresh the page. It is also possible to steal the user's cookies as well.

Screenshot is attached!

Steps To Reproduce
  1. Create an Issue
  2. Go to that Issue
  3. Create a file with name ("><img src=x onerror=prompt(1);>) with .jpg
  4. Attach the file with the issue.
  5. Go to the home page.
  6. An error will prompt every time the page is refreshed and/or the user logs into the account.
Additional Information

none

TagsNo tags attached.

Relationships

related to 0023161 (closed, dregad): Show File Attachment events in Timeline

Activities

KamranSaifullah

2019-08-14 03:44

reporter  

unnamed.jpg (83,581 bytes)   
atrol

2019-08-14 14:49

developer   ~0062572

@dregad I don't have time to provide a proper fix, but changing line 76 of IssueAttachmentTimelineEvent.class.php to something like the following line should fix the issue

                string_html_specialchars ( $this->filename )
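A stand-alone PHP illustration of the fix proposed in the note above, added here as an example and not MantisBT's own code: the same sprintf()-style rendering of a timeline entry with the stored filename interpolated raw, beside the escaped form, plus a small regression check for this report's payload. The function names, the wrapper markup, the sample user and bug links, and the use of PHP's built-in htmlspecialchars() as a stand-in for MantisBT's string_html_specialchars() are assumptions; the sample filename is the one from the report's step 3.

```php
<?php
declare(strict_types=1);

// Added example, not MantisBT's code. Helper names below are hypothetical;
// PHP's built-in htmlspecialchars() stands in for MantisBT's string_html_specialchars().

// Constructed sample input: the attachment filename from the report's step 3,
// exactly as it would sit in the database after upload.
const SAMPLE_FILENAME = '"><img src=x onerror=prompt(1);>.jpg';

// Trusted fragments produced by other code (already HTML, like the user name
// and bug link that the patched sprintf() call passes through unchanged).
const SAMPLE_USER_LINK = '<a href="view_user_page.php?id=2">alice</a>';
const SAMPLE_BUG_LINK  = '<a href="view.php?id=1">0000001</a>';

// Vulnerable form: the stored filename is interpolated into HTML verbatim.
function render_attachment_event_unsafe(string $user_link, string $bug_link, string $filename): string
{
    return '<div>'
        . sprintf('%s attached file %s to %s', $user_link, $filename, $bug_link)
        . '</div>';
}

// Escape untrusted text at the point it enters an HTML context.
// ENT_QUOTES covers both quote characters, so the value is also inert inside an
// attribute value; ENT_SUBSTITUTE avoids returning '' on malformed UTF-8, which
// would otherwise silently drop the filename from the page.
function html_escape(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened form: identical rendering, but the user-controlled value is escaped.
function render_attachment_event(string $user_link, string $bug_link, string $filename): string
{
    return '<div>'
        . sprintf('%s attached file %s to %s', $user_link, html_escape($filename), $bug_link)
        . '</div>';
}

// Regression check tied to this report: nothing in the trusted fragments emits
// an <img> tag, so any <img> in the rendered entry can only come from an
// unescaped filename. Returns true when the entry is inert.
function filename_is_inert(string $html): bool
{
    return preg_match('/<img\b/i', $html) === 0;
}

$unsafe = render_attachment_event_unsafe(SAMPLE_USER_LINK, SAMPLE_BUG_LINK, SAMPLE_FILENAME);
$safe   = render_attachment_event(SAMPLE_USER_LINK, SAMPLE_BUG_LINK, SAMPLE_FILENAME);

echo 'unsafe: ', $unsafe, PHP_EOL;
echo 'safe:   ', $safe, PHP_EOL;
echo 'unsafe entry is inert:  ', var_export(filename_is_inert($unsafe), true), PHP_EOL;
echo 'escaped entry is inert: ', var_export(filename_is_inert($safe), true), PHP_EOL;
```

Run it with `php example.php`. Escaping at output, as the suggested one-line change does, is the right layer: it protects filenames that are already stored, and it does not depend on upload-time filtering or on the browser honouring the CSP headers mentioned in the next note, which remain defence in depth rather than the fix.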
atrol

2019-08-14 15:00

developer   ~0062573

@KamranSaifullah thanks for reporting the issue.

When using standard MantisBT the issue should just occur when using browsers that don't support CSP headers.

@vboctor maybe MantisHub is another story as you might have changed CSP headers.

dregad

2019-08-15 04:07

developer   ~0062578

Thanks for the heads up @atrol, not sure how I missed that one yesterday. I'll look into it.

@KamranSaifullah thanks for your research and letting us know about this issue. Did you already reserve a CVE for this ? If so, let me know the ID; otherwise I'll take care of it, and let me know how you would like to be credited for the finding.

dregad

2019-08-15 04:31

developer   ~0062579

  1. Create a file with name ("><img src=x onerror=prompt(1);>) with .jpg

As a side note, creating such a file is not possible under Windows, as \ / : * ? " < > | are not valid characters for file names.

dregad

2019-08-15 04:43

developer   ~0062580

Introduced by MantisBT master 1f608f6b as part of 0023161

atrol

2019-08-15 04:51

developer   ~0062581

not sure how I missed that one yesterday

Maybe because the issue has been reported in project Plugin - Time Tracking.
I moved to mantisbt

KamranSaifullah

2019-08-15 05:09

reporter   ~0062582

@dregad no, I haven't received any CVE; you can proceed, and yes, you can credit me for that. Looking forward.

dregad

2019-08-15 05:09

developer   ~0062583

The attached patch fixes the issue. @KamranSaifullah waiting for your confirmation about the CVE (0025995:0062578).

0001-Fix-XSS-on-timeline.patch (1,295 bytes)   
From a61c38bda5bc77e74477f7e9e42cc10c2082adaa Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Thu, 15 Aug 2019 10:53:18 +0200
Subject: [PATCH] Fix XSS on timeline (CVE-2019-xxxx)

Kamran Saifullah reported a stored cross-site scripting (XSS)
vulnerability in Timeline, allowing execution of arbitrary code (if CSP
settings permit it) after uploading an attachment with a crafted
filename. The code is executed for any user having visibility to the
issue, whenever My View Page is displayed.

Prevent the attack by sanitizing the filename before display.

Fixes #25995
---
 core/classes/IssueAttachmentTimelineEvent.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/classes/IssueAttachmentTimelineEvent.class.php b/core/classes/IssueAttachmentTimelineEvent.class.php
index 8e0425df4..2a6123d87 100644
--- a/core/classes/IssueAttachmentTimelineEvent.class.php
+++ b/core/classes/IssueAttachmentTimelineEvent.class.php
@@ -73,7 +73,7 @@ class IssueAttachmentTimelineEvent extends TimelineEvent {
 			. sprintf( lang_get( $t_string ),
 				prepare_user_name( $this->user_id ),
 				$t_bug_link,
-				$this->filename
+				string_html_specialchars( $this->filename )
 			)
 			. '</div>';
 		$t_html .= $this->html_end();
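Review bot: the escape is applied only to `$this->filename`, while `prepare_user_name( $this->user_id )` and `$t_bug_link` go into the same sprintf() unescaped, so the safety of this line now rests on those two helpers always returning already-escaped HTML; a short comment stating that assumption next to the call would make the trust boundary visible to the next editor. Also, the subject line still carries the placeholder `CVE-2019-xxxx`; replace it with the assigned ID before the commit is merged.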
-- 
2.19.1.windows.1

KamranSaifullah

2019-08-15 05:09

reporter   ~0062584

@dregad no, I haven't received any CVE; you can proceed, and yes, you can credit me for that. Looking forward.

Thank you @atrol and the team for the quick fix :D

dregad

2019-08-15 05:10

developer   ~0062585

cross-post... OK I'll take care of it.

KamranSaifullah

2019-08-15 05:11

reporter   ~0062586

Last edited: 2019-08-15 05:15

Thank you @dregad, I will surely be waiting :))

dregad

2019-08-15 08:12

developer   ~0062587

CVE Request 741408 sent to MITRE

dregad

2019-08-15 10:26

developer   ~0062594

CVE-2019-15074 assigned.

KamranSaifullah

2019-08-15 12:39

reporter   ~0062595

Thank you very much @dregad! The CVE shows that it has been assigned/reserved and is not populated yet. Right?

dregad

2019-08-15 12:59

developer   ~0062596

That's correct. I will inform MITRE to make it public, once we've released 2.21.2 with the patch.
Considering the severity of the bug, it gives our users a chance to update their systems before the CVE goes out.

KamranSaifullah

2019-08-15 13:00

reporter   ~0062597

That's great! This is my first ever CVE. Thanks @dregad :D

Related Changesets

MantisBT: master-2.21 9cee1971

2019-08-15 04:53:18

dregad

Fix XSS on timeline (CVE-2019-15074)

Kamran Saifullah reported a stored cross-site scripting (XSS)
vulnerability in Timeline, allowing execution of arbitrary code (if CSP
settings permit it) after uploading an attachment with a crafted
filename. The code is executed for any user having visibility to the
issue, whenever My View Page is displayed.

Prevent the attack by sanitizing the filename before display.

Fixes 0025995
Affected Issues
0025995
mod - core/classes/IssueAttachmentTimelineEvent.class.php

Issue History

Date Modified Username Field Change
2019-08-14 03:44 KamranSaifullah New Issue
2019-08-14 03:44 KamranSaifullah File Added: unnamed.jpg
2019-08-14 14:42 atrol Project Plugin - Time Tracking => mantisbt
2019-08-14 14:43 atrol Status new => confirmed
2019-08-14 14:43 atrol Category time tracking => timeline
2019-08-14 14:43 atrol Product Version => 2.13.0
2019-08-14 14:43 atrol Description Updated View Revisions
2019-08-14 14:43 atrol Steps to Reproduce Updated View Revisions
2019-08-14 14:49 atrol Note Added: 0062572
2019-08-14 15:00 atrol Note Added: 0062573
2019-08-15 04:07 dregad Note Added: 0062578
2019-08-15 04:31 dregad Note Added: 0062579
2019-08-15 04:43 dregad Relationship added related to 0023161
2019-08-15 04:43 dregad Assigned To => dregad
2019-08-15 04:43 dregad Status confirmed => assigned
2019-08-15 04:43 dregad Category timeline => security
2019-08-15 04:43 dregad Target Version => 2.21.2
2019-08-15 04:43 dregad Note Added: 0062580
2019-08-15 04:51 atrol Note Added: 0062581
2019-08-15 05:09 KamranSaifullah Note Added: 0062582
2019-08-15 05:09 dregad File Added: 0001-Fix-XSS-on-timeline.patch
2019-08-15 05:09 dregad Note Added: 0062583
2019-08-15 05:09 KamranSaifullah Note Added: 0062584
2019-08-15 05:10 dregad Note Added: 0062585
2019-08-15 05:10 dregad Note View State: 0062582: public
2019-08-15 05:11 KamranSaifullah Note Added: 0062586
2019-08-15 05:15 KamranSaifullah Note Edited: 0062586 View Revisions
2019-08-15 08:12 dregad Note Added: 0062587
2019-08-15 10:26 dregad Summary Stored XSS Vulnerability in Uploads/Attachments in Issue Tracker => CVE-2019-15074: Stored XSS Vulnerability in Uploads/Attachments in Issue Tracker
2019-08-15 10:26 dregad Note Added: 0062594
2019-08-15 10:36 dregad Changeset attached => MantisBT master-2.21 9cee1971
2019-08-15 10:36 dregad Status assigned => resolved
2019-08-15 10:36 dregad Resolution open => fixed
2019-08-15 10:36 dregad Fixed in Version => 2.21.2
2019-08-15 10:38 dregad Summary CVE-2019-15074: Stored XSS Vulnerability in Uploads/Attachments in Issue Tracker => CVE-2019-15074: Stored XSS Vulnerability in Timeline
2019-08-15 12:39 KamranSaifullah Note Added: 0062595
2019-08-15 12:59 dregad Note Added: 0062596
2019-08-15 13:00 KamranSaifullah Note Added: 0062597
2019-08-19 23:27 vboctor Status resolved => closed
2019-08-19 23:34 vboctor View Status private => public