oss-sec mailing list archives

Re: Re: CVE Request: XSS vulnerability in MantisBT 1.2.13


From: Paul Richards <paul () mantisforge org>
Date: Sat, 15 Nov 2014 15:30:49 +0000

On Sat, Nov 15, 2014 at 2:18 PM, Damien Regad <dregad () mantisbt org> wrote:

On 2014-11-15 02:26, P Richards wrote:

We fixed this issue in Master with the following commit

https://github.com/mantisbt/mantisbt/commit/cabacdc291c251bfde0dc2a2c945c02cef41bf40,
and I believe I requested this to be back-ported at the time. You
modified the code not to trigger an error with the commit
https://github.com/mantisbt/mantisbt/commit/3d0625d84d5d08a998673713df1711e1d46b0b86
and to fall back to the default of no value selected.

I don't think we're talking about the same issue here. The one you
describe was about the selection list in the filters, this one is in the
"set configuration" box.


Ok - having looked further - I agree that this is two separate issues, so
can we have a CVE for both issues separately?

However, I believe the fix for the first issue to be incorrect (hence
leading me to misunderstand the initial issue):

The initial fix adds a string_display_line call to an <input> box. Given
that this processes the string for display in html, and there is a
string_attribute api call for handling data for display in a text box, I
believe that the fix for the other issue is incorrect and
that string_attribute should be used instead of string_display_line (which
may do other formatting to the string which may be undesirable when editing
configuration values).

Paul
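To make the distinction Paul draws concrete, here is an added example; it is not MantisBT code and is not from either author. It models two hypothetical helpers standing in for the project's API: a display-line helper that escapes for an HTML text node and then applies display formatting (here, an assumed URL-to-link step), and an attribute helper that escapes for a double-quoted attribute value. Each is used to render a configuration value into an `<input>` box, and a small check parses the value back out to see whether the attribute survived intact. The helper names, the formatting step and the sample values are all constructed for the example.

```python
import html
import re

# Constructed sample configuration values to render into <input value="...">.
SAMPLES = [
    'plain',
    'say "hi" & go',
    'see http://example.com/docs',
]

_URL_RE = re.compile(r'(https?://\S+)')


def escape_for_text_node(s: str) -> str:
    """Escape for an HTML text node: only &, < and > matter there."""
    return html.escape(s, quote=False)


def escape_for_attribute(s: str) -> str:
    """Escape for a double-quoted attribute value: quotes must be escaped too."""
    return html.escape(s, quote=True)


def display_line(s: str) -> str:
    """Hypothetical display helper (assumption, not the MantisBT function):
    escape for a text node, then add display formatting by wrapping URLs
    in <a> tags. Acceptable inside element content, wrong inside an
    attribute, where it emits unescaped quotes and markup."""
    escaped = escape_for_text_node(s)
    return _URL_RE.sub(r'<a href="\1">\1</a>', escaped)


def render_input(value: str, escaper) -> str:
    """Render a configuration value into a text box using the given escaper."""
    return f'<input type="text" name="config_value" value="{escaper(value)}">'


def attribute_value_is_intact(rendered: str, original: str) -> bool:
    """Parse the value attribute back out; True only if the markup is still a
    single well-formed <input> whose value round-trips to the original."""
    m = re.match(r'<input type="text" name="config_value" value="([^"]*)">$', rendered)
    if m is None:
        return False
    return html.unescape(m.group(1)) == original


def compare(value: str) -> dict:
    """Report, per helper, whether the attribute survived for this value."""
    return {
        'display_line': attribute_value_is_intact(render_input(value, display_line), value),
        'attribute': attribute_value_is_intact(render_input(value, escape_for_attribute), value),
    }


if __name__ == '__main__':
    for sample in SAMPLES:
        print(repr(sample), compare(sample))
```

The attribute helper keeps every sample inside the quoted attribute; the display-line helper breaks out of it as soon as the value contains a double quote or triggers its formatting step, which is exactly why output encoding has to be chosen per HTML context rather than per string.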
