oss-sec mailing list archives

CVE Request: Multiple XSS vulnerabilities in MantisBT


From: Damien Regad <dregad () mantisbt org>
Date: Mon, 01 Dec 2014 08:25:33 +0100

Greetings,

Please assign CVE IDs for the following 5 issues.

Thanks in advance

D. Regad
MantisBT Developer
http://www.mantisbt.org


1. XSS in extended project browser
==================================

MantisBT has two modes of operation for selecting the current project. The second of these, the so-called "extended project browser", is vulnerable to XSS attacks because the code did not check that a given subproject id is indeed an integer.

This allows an attacker to execute arbitrary JavaScript code by forging the MantisBT project cookie.

Affected versions:
>= 1.1.0a1, <= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Patch:
See Github [1]

Credit:
Issue was discovered by Paul Richards and fixed by Paul Richards and Damien Regad.

References:
Further details available in our issue tracker [2]

[1] http://github.com/mantisbt/mantisbt/commit/511564cc
[2] http://www.mantisbt.org/bugs/view.php?id=17890


2. XSS in projax_api.php
========================

The Projax library used in MantisBT 1.2.x does not properly escape HTML strings. An attacker could take advantage of this to perform an XSS attack using the profile/Platform field.

Affected versions:
>= 1.1.0a3, <= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Patch:
See Github [3]

Credit:
Issue was reported by Offensive Security via their bug bounty program (http://www.offensive-security.com/bug-bounty-program/).
It was fixed by Paul Richards.

References:
Further details available in our issue tracker [4]

[3] http://github.com/mantisbt/mantisbt/commit/0bff06ec
[4] http://www.mantisbt.org/bugs/view.php?id=17583


3. XSS in admin panel / copy_field.php
======================================

Use of unsanitized parameters in this admin page allows an attacker to execute arbitrary JavaScript code.

Affected versions:
<= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Patch:
See Github [5]

Credit:
Issue was reported by Mathias Karlsson (http://mathiaskarlsson.me) as part of Offensive Security's bug bounty program [7].
It was fixed by Paul Richards.

References:
Further details available in our issue tracker [6]

[5] http://github.com/mantisbt/mantisbt/commit/e5fc835a
[6] http://www.mantisbt.org/bugs/view.php?id=17876
[7] http://www.offensive-security.com/bug-bounty-program/


4. XSS in string_insert_hrefs()
===============================

The URL matching regex in the string_insert_hrefs() function did not validate the protocol, allowing an attacker to use 'javascript://' to execute arbitrary code.

Affected versions:
>= 1.2.0a1, <= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Patch:
See Github [8]

Credit:
Issue was discovered by Mathias Karlsson (http://mathiaskarlsson.me) and reported by Offensive Security (http://www.offensive-security.com/).
It was fixed by Damien Regad (MantisBT Developer).

References:
Further details available in our issue tracker [9]

[8] http://github.com/mantisbt/mantisbt/commit/05378e00
[9] http://www.mantisbt.org/bugs/view.php?id=17297
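To illustrate the class of fix described in issue 4, here is an added example (not MantisBT's own code, and written in Python rather than the project's PHP): a simplified autolinker in the spirit of string_insert_hrefs(), with a model of the pre-fix behaviour that links any `scheme://` beside a hardened version that escapes first and only links schemes on an allowlist. The allowlist, the trailing-punctuation handling and the sample inputs are assumptions.

```python
import html
import re

# Assumed allowlist of schemes that may become clickable links.
ALLOWED_SCHEMES = frozenset({"http", "https", "ftp", "ftps"})

# Anything that looks like "scheme://rest"; the scheme is captured so the
# callback can check it. Stops at whitespace and HTML-significant characters.
_URL_RE = re.compile(r"\b([a-z][a-z0-9+.\-]*)://([^\s<>\"']+)", re.IGNORECASE)
_TRAILING_PUNCT = ".,;:!?)"


def unsafe_insert_hrefs(text: str) -> str:
    """Model of the pre-fix behaviour: escape, then link ANY scheme."""
    escaped = html.escape(text, quote=True)
    return _URL_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', escaped)


def safe_insert_hrefs(text: str) -> str:
    """Escape first, then link only URLs whose scheme is on the allowlist."""
    escaped = html.escape(text, quote=True)  # '&' -> '&amp;', '<' -> '&lt;', ...

    def repl(m: re.Match) -> str:
        url = m.group(0)
        # Peel trailing punctuation off so "(see http://x.org)." links "http://x.org".
        trail = ""
        while url and url[-1] in _TRAILING_PUNCT:
            trail = url[-1] + trail
            url = url[:-1]
        if m.group(1).lower() not in ALLOWED_SCHEMES:
            # javascript:, data:, vbscript: and friends stay inert text.
            return url + trail
        # `url` is already HTML-escaped, so it is safe inside the attribute.
        return f'<a href="{url}">{url}</a>{trail}'

    return _URL_RE.sub(repl, escaped)


if __name__ == "__main__":
    # Constructed sample inputs (not taken from the advisory).
    for sample in (
        "See http://www.mantisbt.org/bugs/view.php?id=17297 for details.",
        "Click javascript://evil to win",
        "Query https://example.com/x?a=1&b=2 and <b>bold</b>",
    ):
        print("UNSAFE:", unsafe_insert_hrefs(sample))
        print("SAFE:  ", safe_insert_hrefs(sample))
```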


5. XSS in file uploads
======================

An attacker could upload a malicious Flash file renamed to bear a recognized image extension (e.g. xss.swf ==> screenshot.png). Since by default MantisBT is configured to allow images to be displayed inline, it is possible to get the Flash file to execute.

Affected versions:
<= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Patch:
See Github [10]

Credit:
Issue was reported by Mathias Karlsson (http://mathiaskarlsson.me) as part of Offensive Security's bug bounty program [7]. It was fixed by Damien Regad with contribution from Victor Boctor (MantisBT Developers).

References:
Further details available in our issue tracker [11]

[10] http://github.com/mantisbt/mantisbt/commit/9fb8cf36f
[11] http://www.mantisbt.org/bugs/view.php?id=17874

