View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0008480 | mantisbt | security | public | 2007-10-18 10:53 | 2008-05-08 22:06 |
Reporter | seiji | Assigned To | jreese | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Platform | x86 | OS | Gentoo Linux | ||
Product Version | 1.1.0rc1 | ||||
Target Version | 1.1.0rc2 | Fixed in Version | 1.1.0rc2 | ||
Summary | 0008480: XSS Vulnerability in Tag details, Attach Tags | ||||
Description | Stored XSS is possible in tag_attach.php and tag_update_page.php: a tag name or tag description containing HTML is echoed back into the page unescaped. See attached images. | ||||
Steps To Reproduce | 1. In view.php, attach a tag whose name contains HTML, e.g. ""<a href="">XSS". 2. In view.php, select that tag on an issue it is attached to; the markup is rendered instead of displayed as text. | ||||
Tags | patch | ||||
Attached Files | patch.txt (4,752 bytes)
Index: /home/sogabe/public_html/mantis/core/print_api.php
===================================================================
--- /home/sogabe/public_html/mantis/core/print_api.php (revision 131)
+++ /home/sogabe/public_html/mantis/core/print_api.php (working copy)
@@ -302,7 +302,7 @@
 function print_tag_input( $p_bug_id = 0, $p_string="" ) {
 ?>
 <input type="hidden" id="tag_separator" value="<?php echo config_get( 'tag_separator' ) ?>" />
- <input type="text" name="tag_string" id="tag_string" size="40" value="<?php echo $p_string ?>" />
+ <input type="text" name="tag_string" id="tag_string" size="40" value="<?php echo string_attribute( $p_string ) ?>" />
 <select <?php echo helper_get_tab_index() ?> name="tag_select" id="tag_select">
 <?php print_tag_option_list( $p_bug_id ); ?>
 </select>
Index: /home/sogabe/public_html/mantis/tag_attach.php
===================================================================
--- /home/sogabe/public_html/mantis/tag_attach.php (revision 130)
+++ /home/sogabe/public_html/mantis/tag_attach.php (working copy)
@@ -76,7 +76,7 @@
 }
 $t_tag_string .= $t_tag_row['name'];
 }
-
+
 foreach( $t_tags_failed as $t_tag_row ) {
 echo '<tr ',helper_alternate_class(),'>';
 if ( -1 == $t_tag_row['id'] ) {
@@ -84,7 +84,7 @@
 } elseif ( -2 == $t_tag_row['id'] ) {
 echo '<td class="category">',lang_get( 'tag_create_denied' ),'</td>';
 }
- echo '<td>',$t_tag_row['name'],'</td></tr>';
+ echo '<td>',string_html_specialchars( $t_tag_row['name'] ),'</td></tr>';
 if ( "" != $t_tag_string ) {
 $t_tag_string .= config_get( 'tag_separator' );
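Review bot: The hidden `tag_separator` input in this hunk still echoes `config_get( 'tag_separator' )` straight into an attribute value, while the sibling `tag_string` input on the changed line now goes through `string_attribute()`. The separator is site configuration rather than user input, so it is not the reported XSS, but a separator containing `"` would break the attribute in exactly the same way, and escaping both inputs identically is cheaper than reasoning about which config values are safe: `value="<?php echo string_attribute( config_get( 'tag_separator' ) ) ?>"`. The body of print_tag_input ends outside the hunk.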
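Review bot: The `$t_tag_string .= config_get( 'tag_separator' )` line at the end of this hunk, and the `$t_tag_row['name']` appends around it, deliberately keep the raw tag names, because the consumer visible in this same patch, `print_tag_input()`, now escapes the assembled string with `string_attribute()`; nothing in the hunk records that, so the next reader may "fix" it by escaping here as well and double-encode `&` in tag names. A one-line comment above `if ( "" != $t_tag_string ) {` would prevent that: `// keep raw here; print_tag_input() escapes the assembled string for the attribute`. The `string_html_specialchars()` call on the changed line looks right for element content, assuming it wraps htmlspecialchars as its name suggests; the `-1` branch of this elseif chain and the enclosing foreach start above the hunk and are not visible.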
@@ -91,7 +91,7 @@
 }
 $t_tag_string .= $t_tag_row['name'];
 }
-?>
+?>
 <tr class="spacer"><td colspan="2"></td></tr>
 <tr <?php echo helper_alternate_class() ?>>
 <td class="category"><?php echo lang_get( 'tag_attach_long' ) ?></td>
Index: /home/sogabe/public_html/mantis/tag_update_page.php
===================================================================
--- /home/sogabe/public_html/mantis/tag_update_page.php (revision 130)
+++ /home/sogabe/public_html/mantis/tag_update_page.php (working copy)
@@ -75,7 +75,7 @@
 if ( access_has_global_level( config_get( 'tag_edit_threshold' ) ) ) {
 if ( ON == config_get( 'use_javascript' ) ) {
 $t_username = prepare_user_name( $t_tag_row['user_id'] );
- echo ajax_click_to_edit( $t_username, 'user_id', 'entrypoint=user_combobox&user_id=' . $t_tag_row['user_id'] . '&access_level=' . config_get( 'tag_create_threshold' ) );
+ echo ajax_click_to_edit( $t_username, 'user_id', 'entrypoint=user_combobox&user_id=' . $t_tag_row['user_id'] . '&access_level=' . config_get( 'tag_create_threshold' ) );
 } else {
 echo '<select ', helper_get_tab_index(), ' name="user_id">';
 print_user_option_list( $t_tag_row['user_id'], ALL_PROJECTS, config_get( 'tag_create_threshold' ) );
@@ -98,7 +98,7 @@
 <tr <?php echo helper_alternate_class() ?>>
 <td class="category"><?php echo lang_get( 'tag_description' ) ?></td>
 <td colspan="4">
- <textarea name="description" <?php echo helper_get_tab_index() ?> cols="80" rows="6"><?php echo $t_tag_row['description'] ?></textarea>
+ <textarea name="description" <?php echo helper_get_tab_index() ?> cols="80" rows="6"><?php echo string_textarea( $t_tag_row['description'] ) ?></textarea>
 </td>
 </tr>
Index: /home/sogabe/public_html/mantis/tag_view_page.php
===================================================================
--- /home/sogabe/public_html/mantis/tag_view_page.php (revision 130)
+++ /home/sogabe/public_html/mantis/tag_view_page.php (working copy)
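Review bot: As rendered on this page the removed and added `ajax_click_to_edit` lines in the tag_update_page.php hunk are byte-identical, so the actual change (the commit message says `&` to `&amp;` in the query string) cannot be reviewed from the attachment and should be checked against the real diff. On the same line `$t_tag_row['user_id']` and `config_get( 'tag_create_threshold' )` are concatenated into the URL without encoding; both are presumably integers, but casting makes that self-evident and removes the injection question entirely: `'&amp;user_id=' . (int)$t_tag_row['user_id'] . '&amp;access_level=' . (int)config_get( 'tag_create_threshold' )`. The enclosing if/else block continues beyond the hunk.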
@@ -50,7 +50,7 @@
 </td>
 <td class="right" colspan="3">
- <?php print_bracket_link( 'search.php?hide_status_id=90&tag_string='.urlencode($t_tag_row['name']), sprintf( lang_get( 'tag_filter_default' ), tag_stats_attached( $f_tag_id ) ) ); ?>
+ <?php print_bracket_link( 'search.php?hide_status_id=90&tag_string='.urlencode($t_tag_row['name']), sprintf( lang_get( 'tag_filter_default' ), tag_stats_attached( $f_tag_id ) ) ); ?>
 </td>
 </tr>
@@ -98,7 +98,7 @@
 echo ( $i > 0 ? '<tr '.helper_alternate_class().'>' : '' );
 echo "<td><a href='tag_view_page.php?tag_id=$t_tag[id]' title='$t_description'>$t_name</a></td>\n";
 echo '<td colspan="3">';
- print_bracket_link( 'search.php?hide_status_id=90&tag_string='.urlencode("+$t_tag_row[name]".config_get('tag_separator')."+$t_name"), sprintf( lang_get( 'tag_related_issues' ), $t_tag['count'] ) );
+ print_bracket_link( 'search.php?hide_status_id=90&tag_string='.urlencode("+$t_tag_row[name]".config_get('tag_separator')."+$t_name"), sprintf( lang_get( 'tag_related_issues' ), $t_tag['count'] ) );
 echo '</a></td></tr>';
 $i++;
| ||||
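Review bot: The context line `echo "<td><a href='tag_view_page.php?tag_id=$t_tag[id]' title='$t_description'>$t_name</a></td>\n";` in the second tag_view_page.php hunk interpolates the related tag's name and description into HTML, and this commit leaves it untouched; `$t_name` and `$t_description` are assigned above the hunk, so if they are the raw values from `$t_tag` this line carries the same stored XSS the commit fixes elsewhere, and because the `title` attribute is single-quoted the escape must encode `'` as well as `"`. Escaping at the echo rather than at the assignment keeps the raw `$t_name` usable in the `urlencode()` call two lines below: `echo "<td><a href='tag_view_page.php?tag_id=$t_tag[id]' title='", string_attribute( $t_description ), "'>", string_html_specialchars( $t_name ), "</a></td>\n";` — assuming `string_attribute()` encodes single quotes, which should be confirmed in string_api. The loop this sits in starts outside the hunk.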
This has been committed to CVS HEAD and BRANCH_1_1_0 for rc2. These mistakes come from being new to Mantis and not thinking about XSS, because I was too worried about breaking the app somewhere in a thousand lines of code. =\ |
|
Moved the issue to private. |
|
MantisBT: master-1.1.x 99b30a30 2007-10-18 11:33 Details Diff |
Fix 0008480: XSS Vulnerability in Tag details, Attach Tags. Fixed: & -> &amp; in URLs. git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0@4644 f5dc347c-c33d-0410-90a0-b07cc1902cb9 |
Affected Issues 0008480 |
|
mod - tag_view_page.php | Diff File | ||
mod - tag_update_page.php | Diff File | ||
mod - core/print_api.php | Diff File | ||
mod - tag_attach.php | Diff File | ||
MantisBT: master fb2d14bc 2007-10-18 11:42 Details Diff |
Fix 0008480: XSS Vulnerability in Tag details, Attach Tags. Fixed: & -> &amp; in URLs. git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@4645 f5dc347c-c33d-0410-90a0-b07cc1902cb9 |
Affected Issues 0008480 |
|
mod - tag_attach.php | Diff File | ||
mod - tag_view_page.php | Diff File | ||
mod - core/print_api.php | Diff File | ||
mod - tag_update_page.php | Diff File |