View Issue Details

WikiJump to Notes
IDProjectCategoryView StatusDate SubmittedLast Update
0006002mantisbtsecuritypublic2005-07-23 21:472006-10-09 11:55
Reporterjoxeanpiti Assigned Tothraxisp  
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionduplicate 
Summary0006002: Cross Site Scripting Vulnerabilty when deleting a bug
Description

A Cross Site Scripting Vulnerability was found in the script /bug_actiongroup_page.php when deleting it from the /view_all_bug_page.php.

Additional Information

Steps to reproduce:

1.- Insert a bug with the following summary:
Test<script>alert(document.cookie)</script>

2.- Find it in the /view_all_bug_page.php

3.- Click the checkbox, select delete from the drop down list bellow and click Ok.

4.- In the next screen you will see a JavaScript 'alert' message.

TagsNo tags attached.
Attached Files
0006002.patch (712 bytes)    
--- bug_actiongroup_page.orig	2005-07-24 04:14:11.000000000 +0200
+++ bug_actiongroup_page.php	2005-07-24 04:13:31.000000000 +0200
@@ -114,7 +114,7 @@
 foreach( $f_bug_arr as $t_bug_id ) { 
 	$t_class = sprintf( "row-%d", ($t_i++ % 2) + 1 );
 	$t_bug_rows .= sprintf( "<tr bgcolor=\"%s\"> <td>%s</td> <td>%s</td> </tr>\n"
-		, get_status_color( bug_get_field( $t_bug_id, 'status' ) ), string_get_bug_view_link( $t_bug_id ), bug_get_field( $t_bug_id, 'summary' )
+		, get_status_color( bug_get_field( $t_bug_id, 'status' ) ), string_get_bug_view_link( $t_bug_id ), htmlentities(bug_get_field( $t_bug_id, 'summary' )) 
     );
 	echo '<input type="hidden" name="bug_arr[]" value="' . $t_bug_id . '" />' . "\n";
 }
0006002.patch (712 bytes)   

Relationships

Relationship GraphDependency Graph
duplicate of 0005751 closedthraxisp Javascript XSS vulnerability 

Activities

joxeanpiti

joxeanpiti

2005-07-23 21:50

reporter   ~0010934

Agh! I click accidentally the Sponsor button!
joxeanpiti

joxeanpiti

2005-07-23 22:08

reporter   ~0010935

I have been attached a patch for the issue called 0006002.patch.

This vulnerability may be considered non exploitable but an attacker can use the following method to force an administrator to delete a bug (or bugs)from the view_all_bug.php page:

1.- Insert 8 fake bugs that sends the cookie to a fake systems
2.- Insert one bug that sends the cookie to the attacker system
3.- Insert other 8 fake bugs.
4.- The administrator, surely, will select all the bugs from the view_all_bug.php page.
vboctor

vboctor

2005-07-27 18:02

manager   ~0010992

joxeanpiti, please type 0 in the sponsorship field and click sponsor. This will remove your sponsorship.
thraxisp

thraxisp

2005-07-27 18:28

reporter   ~0010993

Last edited: 2005-07-27 18:36

Actually, this is a duplicate of 0005751. It was fixed about 6 weeks ago, and is included in 1.0.0rc1.

If you can remove your sponsorship, we can close this.