View Issue Details

ID: 0008480
Project: mantisbt
Category: security
View Status: public
Last Update: 2008-05-08 22:06
Reporter: seiji
Assigned To: jreese
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform: x86
OS: Gentoo Linux
Product Version: 1.1.0rc1
Target Version: 1.1.0rc2
Fixed in Version: 1.1.0rc2
Summary: 0008480: XSS Vulnerability in Tag details, Attach Tags
Description

XSS is possible in tag_attach.php and tag_update_page.php if you use an HTML tag as the tag name or tag description. See attached images.

Steps To Reproduce

1-1. Set a tag name in view.php, e.g. ""<a href="">XSS".
1-2. Press the "attach" button.
1-3. Attach Tags will display an error message, but the HTML is broken. See tag_2.png.

2-1. Select a tag that is attached to an issue in view.php.
2-2. Press the "update tag" button.
2-3. Set the description, e.g. " </textarea>XSS".
2-4. tag_update_page.php will produce broken HTML. See tag_1.png.
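The following is an added example, written for this page and not code from MantisBT or from the reporter. It takes the two payloads from the steps above as constructed inputs and renders them into the kinds of sinks the report concerns (an input value attribute, a table cell, a textarea, and a search URL in an href), once verbatim and once escaped. PHP's built-in htmlspecialchars() stands in for the Mantis helpers string_attribute(), string_html_specialchars() and string_textarea(); their exact behaviour is not reproduced here.

```php
<?php
// Added example, not MantisBT code. htmlspecialchars() is used in place of
// the Mantis string_* helpers; their exact behaviour is not reproduced.

// Constructed sample inputs, copied from the reporter's steps.
$tag_name        = '"<a href="">XSS';
$tag_description = '</textarea>XSS';

// ENT_QUOTES also escapes ' and ", so the result is safe inside quoted
// attributes as well as in element content.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Before the fix: every value is interpolated verbatim into the markup.
function render_unescaped(string $name, string $desc): string {
    $url = 'search.php?hide_status_id=90&tag_string=' . urlencode($name);
    return '<input type="text" name="tag_string" value="' . $name . '" />' . "\n"
         . '<td>' . $name . '</td>' . "\n"
         . '<textarea name="description">' . $desc . '</textarea>' . "\n"
         . '<a href="' . $url . '">related</a>';
}

// After the fix: each sink is escaped for its own context. urlencode()
// covers the query-string context and esc() the attribute context; the two
// layers are not interchangeable, so the URL gets both.
function render_escaped(string $name, string $desc): string {
    $url = 'search.php?hide_status_id=90&tag_string=' . urlencode($name);
    return '<input type="text" name="tag_string" value="' . esc($name) . '" />' . "\n"
         . '<td>' . esc($name) . '</td>' . "\n"
         . '<textarea name="description">' . esc($desc) . '</textarea>' . "\n"
         . '<a href="' . esc($url) . '">related</a>';
}

// Crude structural check: the template contributes a fixed number of '<'
// characters; any extra ones came from user input, i.e. a new tag was opened.
function markup_added(string $html, string $template): int {
    return substr_count($html, '<') - substr_count($template, '<');
}

$template = render_unescaped('safe', 'safe');
$renders  = [
    'unescaped' => render_unescaped($tag_name, $tag_description),
    'escaped'   => render_escaped($tag_name, $tag_description),
];
foreach ($renders as $label => $html) {
    echo "--- $label ---\n$html\n";
    echo 'extra tags introduced by input: ' . markup_added($html, $template) . "\n\n";
}
```

Run with `php example.php`: the unescaped rendering reports three extra tags (the `<a>` from the tag name appears twice, the `</textarea>` from the description once), the escaped rendering reports none, and the textarea keeps its content as literal text.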

Tags: patch
Attached Files
tag_1.png (5,090 bytes)
tag_2.png (15,225 bytes)
patch.txt (4,752 bytes)
Index: /home/sogabe/public_html/mantis/core/print_api.php
===================================================================
--- /home/sogabe/public_html/mantis/core/print_api.php	(revision 131)
+++ /home/sogabe/public_html/mantis/core/print_api.php	(working copy)
@@ -302,7 +302,7 @@
 	function print_tag_input( $p_bug_id = 0, $p_string="" ) {
 		?>
 		<input type="hidden" id="tag_separator" value="<?php echo config_get( 'tag_separator' ) ?>" />
-		<input type="text" name="tag_string" id="tag_string" size="40" value="<?php echo $p_string ?>" />
+		<input type="text" name="tag_string" id="tag_string" size="40" value="<?php echo string_attribute( $p_string ) ?>" />
 		<select <?php echo helper_get_tab_index() ?> name="tag_select" id="tag_select">
 			<?php print_tag_option_list( $p_bug_id ); ?>
 		</select>
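Review bot: string_attribute() on the tag_string value closes the attribute-injection path from step 1-1, but the same function still echoes config_get( 'tag_separator' ) unescaped into the hidden input's value attribute two lines above. That value is admin-controlled, so the risk is low, but passing it through string_attribute() as well keeps the escaping rule uniform within print_tag_input().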
Index: /home/sogabe/public_html/mantis/tag_attach.php
===================================================================
--- /home/sogabe/public_html/mantis/tag_attach.php	(revision 130)
+++ /home/sogabe/public_html/mantis/tag_attach.php	(working copy)
@@ -76,7 +76,7 @@
 			}
 			$t_tag_string .= $t_tag_row['name'];
 		}
-
+		
 		foreach( $t_tags_failed as $t_tag_row ) {
 			echo '<tr ',helper_alternate_class(),'>';
 			if ( -1 == $t_tag_row['id'] ) {
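Review bot: this hunk is a whitespace-only change that replaces an empty line with one carrying trailing tabs; it has no bearing on the fix and should be dropped so the security change stays minimal and easy to review.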
@@ -84,7 +84,7 @@
 			} elseif ( -2 == $t_tag_row['id'] ) {
 				echo '<td class="category">',lang_get( 'tag_create_denied' ),'</td>';
 			}
-			echo '<td>',$t_tag_row['name'],'</td></tr>';
+			echo '<td>',string_html_specialchars( $t_tag_row['name'] ),'</td></tr>';
 			
 			if ( "" != $t_tag_string ) {
 				$t_tag_string .= config_get( 'tag_separator' );
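Review bot: escaping $t_tag_row['name'] with string_html_specialchars() in the table cell is the right fix for the broken markup seen in step 1-3. Note that $t_tag_string, two lines below, still accumulates the raw name; that is only safe because the print_api.php hunk now applies string_attribute() where it is echoed, so the two hunks have to land together.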
@@ -91,7 +91,7 @@
 			}
 			$t_tag_string .= $t_tag_row['name'];
 		}
-?>
+?> 
 	<tr class="spacer"><td colspan="2"></td></tr>
 	<tr <?php echo helper_alternate_class() ?>>
 	<td class="category"><?php echo lang_get( 'tag_attach_long' ) ?></td>
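Review bot: the only change here is a trailing space after `?>`, which is emitted into the response as a literal space and otherwise adds nothing; remove this hunk.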
Index: /home/sogabe/public_html/mantis/tag_update_page.php
===================================================================
--- /home/sogabe/public_html/mantis/tag_update_page.php	(revision 130)
+++ /home/sogabe/public_html/mantis/tag_update_page.php	(working copy)
@@ -75,7 +75,7 @@
 			if ( access_has_global_level( config_get( 'tag_edit_threshold' ) ) ) {
 				if ( ON == config_get( 'use_javascript' ) ) {
 					$t_username = prepare_user_name( $t_tag_row['user_id'] );
-					echo ajax_click_to_edit( $t_username, 'user_id', 'entrypoint=user_combobox&user_id=' . $t_tag_row['user_id'] . '&access_level=' . config_get( 'tag_create_threshold' ) );
+					echo ajax_click_to_edit( $t_username, 'user_id', 'entrypoint=user_combobox&amp;user_id=' . $t_tag_row['user_id'] . '&amp;access_level=' . config_get( 'tag_create_threshold' ) );
 				} else {
 					echo '<select ', helper_get_tab_index(), ' name="user_id">';
 					print_user_option_list( $t_tag_row['user_id'], ALL_PROJECTS, config_get( 'tag_create_threshold' ) );
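Review bot: replacing `&` with `&amp;` in the entrypoint parameter string is an HTML-validity fix rather than an XSS fix on its own, and whether it is even correct depends on where ajax_click_to_edit() emits the string: in an HTML attribute `&amp;` is right, but in a JavaScript string literal it would be sent to the server verbatim as `&amp;`. Worth confirming against the helper before merging. The interpolated user_id and tag_create_threshold values are numeric, so no further escaping is needed on this line.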
@@ -98,7 +98,7 @@
 <tr <?php echo helper_alternate_class() ?>>
 	<td class="category"><?php echo lang_get( 'tag_description' ) ?></td>
 	<td colspan="4">
-		<textarea name="description" <?php echo helper_get_tab_index() ?> cols="80" rows="6"><?php echo $t_tag_row['description'] ?></textarea>
+		<textarea name="description" <?php echo helper_get_tab_index() ?> cols="80" rows="6"><?php echo string_textarea( $t_tag_row['description'] ) ?></textarea>
 	</td>
 </tr>
 
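Review bot: string_textarea() on the description directly addresses step 2-4, where a `</textarea>` in the description terminated the element. Textarea content is RCDATA, so the helper must at minimum encode `<` and `&` for this to hold; confirm that is what string_textarea() does.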
Index: /home/sogabe/public_html/mantis/tag_view_page.php
===================================================================
--- /home/sogabe/public_html/mantis/tag_view_page.php	(revision 130)
+++ /home/sogabe/public_html/mantis/tag_view_page.php	(working copy)
@@ -50,7 +50,7 @@
 
 	</td>
 	<td class="right" colspan="3">
-		<?php print_bracket_link( 'search.php?hide_status_id=90&tag_string='.urlencode($t_tag_row['name']), sprintf( lang_get( 'tag_filter_default' ), tag_stats_attached( $f_tag_id ) ) ); ?>
+		<?php print_bracket_link( 'search.php?hide_status_id=90&amp;tag_string='.urlencode($t_tag_row['name']), sprintf( lang_get( 'tag_filter_default' ), tag_stats_attached( $f_tag_id ) ) ); ?>
 	</td>
 </tr>
 
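Review bot: urlencode() on the tag name already prevents it from breaking out of the query string or the attribute, so the `&` to `&amp;` change here is an HTML-validity fix rather than a security one; fine to keep, and it matches the commit message.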
@@ -98,7 +98,7 @@
 			echo ( $i > 0 ? '<tr '.helper_alternate_class().'>' : '' );
 			echo "<td><a href='tag_view_page.php?tag_id=$t_tag[id]' title='$t_description'>$t_name</a></td>\n";
 			echo '<td colspan="3">';
-			print_bracket_link( 'search.php?hide_status_id=90&tag_string='.urlencode("+$t_tag_row[name]".config_get('tag_separator')."+$t_name"), sprintf( lang_get( 'tag_related_issues' ), $t_tag['count'] ) );
+			print_bracket_link( 'search.php?hide_status_id=90&amp;tag_string='.urlencode("+$t_tag_row[name]".config_get('tag_separator')."+$t_name"), sprintf( lang_get( 'tag_related_issues' ), $t_tag['count'] ) );
 			echo '</a></td></tr>';
 			
 			$i++;
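Review bot: the hunk only touches the `&` in the bracket link, but the context line above it interpolates $t_description into a single-quoted title attribute and $t_name into element text with no visible escaping; unless both are escaped where they are assigned, this is the same class of issue the report describes and belongs in the same patch. The `</a>` echoed after print_bracket_link() also looks unmatched in the visible context; confirm the helper does not already close its own anchor.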

Activities

jreese

2007-10-18 11:47

reporter   ~0015892

This has been committed to CVS Head and BRANCH_1_1_0 for rc2.

These would be the mistakes from being too new to Mantis and not thinking about XSS and such because I'm too worried about breaking the app somewhere in a thousand lines of code. =\

vboctor

2007-10-19 01:48

manager   ~0015895

Moved the issue to private.

Related Changesets

MantisBT: master-1.1.x 99b30a30

2007-10-18 11:33

jreese


Fix 0008480: XSS Vulnerability in Tag details, Attach Tags
Fixed: & -> &amp; in urls.

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0@4644 f5dc347c-c33d-0410-90a0-b07cc1902cb9
Affected Issues
0008480
mod - tag_view_page.php
mod - tag_update_page.php
mod - core/print_api.php
mod - tag_attach.php

MantisBT: master fb2d14bc

2007-10-18 11:42

jreese


Fix 0008480: XSS Vulnerability in Tag details, Attach Tags
Fixed: & -> &amp; in urls.

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/trunk@4645 f5dc347c-c33d-0410-90a0-b07cc1902cb9
Affected Issues
0008480
mod - tag_attach.php
mod - tag_view_page.php
mod - core/print_api.php
mod - tag_update_page.php