oss-sec mailing list archives

Re: CVE Request: XSS vulnerability in MantisBT 1.2.13


From: Damien Regad <dregad () mantisbt org>
Date: Sat, 15 Nov 2014 17:13:46 +0100

On 2014-11-15 16:30, Paul Richards wrote:
> However, I believe the fix for the first issue to be incorrect (hence helping
> me misunderstand the initial issue):
>
> The initial fix adds a string_display_line call to an <input> box. Given
> that this processes the string for display in HTML, and there is a
> string_attribute API call for handling data for display in a text box, I
> believe that the fix for the other issue is incorrect and
> that string_attribute should be used instead of string_display_line (which
> may do other formatting to the string which may be undesirable when editing
> configuration values).

Thanks for catching this mistake, Paul. I have:

- reverted the original fix commit with incorrect string_display_line()
  https://github.com/mantisbt/mantisbt/commit/1bdc16e5

- pushed a new fix with string_attribute()
  https://github.com/mantisbt/mantisbt/commit/49c3d089

@CVE assign authority - please let me know the ID for this issue, and update the data from my initial request accordingly.
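
The difference between a display formatter and an attribute encoder discussed in this message, as an added example that is not MantisBT code and not part of the original thread. The function names are hypothetical stand-ins, and the anchor-stripping rule is an assumed example of the "other formatting" a display function might apply; the sample value is constructed.

```php
<?php
// Added illustration: simplified stand-ins, not MantisBT's own functions.

// Assumed "display" formatter: applies a presentation rule (here, stripping
// anchor tags) and then escapes the result for HTML output.
function display_line_sketch(string $s): string {
    $s = preg_replace('#</?a\b[^>]*>#i', '', $s);
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Assumed attribute encoder: escapes only, so the value itself is unchanged.
function attribute_sketch(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Render an edit box for a configuration value with the given encoder.
function render_input(string $value, callable $encode): string {
    return '<input type="text" name="cfg" value="' . $encode($value) . '">';
}

// What the form would submit if the user saves without typing anything:
// the decoded content of the value attribute.
function submitted_value(string $html): string {
    if (!preg_match('/ value="([^"]*)"/', $html, $m)) {
        throw new RuntimeException('value attribute not found');
    }
    return htmlspecialchars_decode($m[1], ENT_QUOTES);
}

// Constructed sample configuration value containing markup and quotes.
$stored = 'Contact <a href="mailto:admin@example.com">admin</a> & "ops"';

foreach (['display_line_sketch', 'attribute_sketch'] as $encoder) {
    $html = render_input($stored, $encoder);
    $back = submitted_value($html);
    printf("%-20s round-trips: %s\n  %s\n", $encoder,
        $back === $stored ? 'yes' : 'NO (value altered)', $html);
}
```

Both encoders keep the quotes in the sample from closing the attribute; only the escape-only one returns the stored value intact when the form is saved.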


