oss-sec mailing list archives

RE: CVE Request: XSS vulnerability in MantisBT 1.2.13


From: "P Richards" <paul () mantisforge org>
Date: Sat, 15 Nov 2014 01:26:39 -0000

Hi Damien,

Please can you ensure that you attribute proper credit for security issues - we identified this issue in Master back in May and this was due to be backported to the 1.2.18 release:

The adm_config_report.php displays a dropdown list of configuration values, but does not check that the config value is valid - therefore someone could change the post/get request to modify the value to pass XSS onto the page.

We fixed this issue in Master with the following commit https://github.com/mantisbt/mantisbt/commit/cabacdc291c251bfde0dc2a2c945c02cef41bf40, and I believe I requested this to be back-ported at the time. You modified the code not to trigger an error with the commit https://github.com/mantisbt/mantisbt/commit/3d0625d84d5d08a998673713df1711e1d46b0b86 and to fall back to the default of no value selected.

I don't believe it is correct to state that an issue was discovered in November that we had already discovered, fixed and were planning on backporting to the 1.2.18 release in May, and not credit the people who discovered and fixed the original issue.

Paul

-----Original Message-----
From: Damien Regad [mailto:dregad () mantisbt org] 
Sent: 14 November 2014 22:30
To: oss-security () lists openwall com
Subject: [oss-security] CVE Request: XSS vulnerability in MantisBT 1.2.13

Please assign a CVE ID for the following issue.

Description:

The MantisBT Configuration Report page (adm_config_report.php) did not escape a parameter before displaying it on the page, allowing an attacker to execute arbitrary JavaScript code.

The severity of this issue is mitigated by the need to have a high-privileged account (by default, administrator) to access the configuration report page.

Affected versions:
>= 1.2.13, <= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Patch:
See Github [1]

Credit:
Issue was discovered by Alejo Popovici and fixed by Damien Regad (MantisBT Developer)

References:
Further details available in our issue tracker [2]


D. Regad
MantisBT Developer
http://www.mantisbt.org


[1] http://github.com/mantisbt/mantisbt/commit/ee8100d6
[2] http://www.mantisbt.org/bugs/view.php?id=17870
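The defect both messages describe is a dropdown whose selected value is taken from the request without checking it against the list of known configuration options and without escaping it on output. The following is an added illustration written for this archive page; it is not MantisBT's code, and the option names, the `filter_config_id` parameter and the function names are hypothetical. It shows the unchecked pattern beside a hardened version that validates against an allowlist, falls back to "no value selected" rather than raising an error, and escapes every value with `htmlspecialchars` regardless.

```php
<?php
// Added example (not MantisBT code). All names here are hypothetical.

// Constructed allowlist standing in for the application's real set of
// configuration option names.
const KNOWN_OPTIONS = ['allow_signup', 'default_language', 'show_realname'];

// Unchecked pattern: the request value is reflected into the markup as-is.
// Nothing verifies that it names a real option, and nothing escapes it,
// so whatever arrives in the GET/POST parameter is rendered verbatim.
function render_filter_unchecked(array $request): string {
    $selected = $request['filter_config_id'] ?? '';
    $html = '<select name="filter_config_id">';
    $html .= '<option value="' . $selected . '" selected>' . $selected . '</option>';
    foreach (KNOWN_OPTIONS as $opt) {
        $html .= '<option value="' . $opt . '">' . $opt . '</option>';
    }
    return $html . '</select>';
}

// Control 1: accept only a value that is actually a known option; anything
// else becomes the empty string, i.e. "no value selected".
function select_filter_value(array $request): string {
    $candidate = (string)($request['filter_config_id'] ?? '');
    return in_array($candidate, KNOWN_OPTIONS, true) ? $candidate : '';
}

// Control 2: escape on output anyway, so a later change to the allowlist
// (or a value that legitimately contains HTML metacharacters) stays safe.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_filter_hardened(array $request): string {
    $selected = select_filter_value($request);
    $html = '<select name="filter_config_id">';
    $html .= '<option value=""' . ($selected === '' ? ' selected' : '') . '>(any)</option>';
    foreach (KNOWN_OPTIONS as $opt) {
        $attr = ($opt === $selected) ? ' selected' : '';
        $html .= '<option value="' . esc($opt) . '"' . $attr . '>' . esc($opt) . '</option>';
    }
    return $html . '</select>';
}

// Constructed request carrying a value that is not a known option name and
// contains HTML metacharacters.
$request = ['filter_config_id' => 'not_an_option"><b>marker</b>'];

echo render_filter_unchecked($request), "\n"; // the raw string lands in the page
echo render_filter_hardened($request), "\n";  // falls back to "(any)"; nothing reflected

// A legitimate value still works in the hardened version.
echo render_filter_hardened(['filter_config_id' => 'default_language']), "\n";
```

The two controls are deliberately independent: the allowlist is what the thread's fix describes (reject values that are not real config options, defaulting to none selected), while output escaping is the general defence that would have contained the bug even before the allowlist existed. A review of a page like this should check for both.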
