oss-sec mailing list archives

Re: CVE Request: Multiple XSS vulnerabilities in MantisBT


From: Paul Richards <paul () mantisforge org>
Date: Fri, 5 Dec 2014 09:30:13 +0000

Hello Mitre,

I believe your current analysis is incorrect, and that Damien's attribution
is incorrect.

Issue 17816 regarding copy fields -
http://www.mantisbt.org/bugs/view.php?id=17876 is a duplicate of 17362

The report in issue 17362 referred to a security issue in "5. Reflected XSS
in admin panel: PoC:
[MantisBT]/admin/test_langs.php?dest_id=<script>alert(1)</script>"

At that point my response was "In terms of number 5 - are you sure you
meant test_langs.php. In 1.3-master, there's an issue within copy_field.php
of doing something similar of:

admin/copy_field.php?source_id=1&dest_id="></a><script>alert()</script><b style="" as I was already aware of an issue within copy_field.php

I should be able to supply a report confirming this later on.

The security researcher then came back and stated that he had indeed made
an error in his report and he did not mean test_langs.php

In this case, the line:

"Credit:
Issue was reported by Mathias Karlsson (http://mathiaskarlsson.me) as part
of Offensive Security's bug bounty program [7].
It was fixed by Paul Richards."

is incorrect as the issue was identified by myself initially, then
subsequently identified (incorrectly) in the initial bug report.

As I need to be able to do a security bulletin regarding my find for the
XSS within copy_field.php, can you please tell me what CVE identifier to
use for this and ensure proper attribution?

Thanks in Advance
Paul

On Thu, Dec 4, 2014 at 6:20 PM, <cve-assign () mitre org> wrote:




 1. XSS in extended project browser

[1] http://github.com/mantisbt/mantisbt/commit/511564cc
[2] http://www.mantisbt.org/bugs/view.php?id=17890


Use CVE-2014-9269.

 2. XSS in projax_api.php

[3] http://github.com/mantisbt/mantisbt/commit/0bff06ec
[4] http://www.mantisbt.org/bugs/view.php?id=17583


Use CVE-2014-9270.

 3. XSS in admin panel / copy_field.php

[5] http://github.com/mantisbt/mantisbt/commit/e5fc835a
[6] http://www.mantisbt.org/bugs/view.php?id=17876


Use CVE-2014-9271.

Issues 3 and 5 are MERGED into the same CVE ID because they are the
same type of issue, affecting the same versions, disclosed at the same
time, and found by the same person.

 4. XSS in string_insert_hrefs()

[8] http://github.com/mantisbt/mantisbt/commit/05378e00
[9] http://www.mantisbt.org/bugs/view.php?id=17297


Use CVE-2014-9272.


 5. XSS in file uploads

[10] http://github.com/mantisbt/mantisbt/commit/9fb8cf36f
[11] http://www.mantisbt.org/bugs/view.php?id=17874


Use CVE-2014-9271.

Issues 3 and 5 are MERGED into the same CVE ID because they are the
same type of issue, affecting the same versions, disclosed at the same
time, and found by the same person.
