oss-sec mailing list archives

MantisBT: XSS in custom fields management


From: Damien Regad <dregad () mantisbt org>
Date: Sat, 11 Jun 2016 02:05:05 +0200

Greetings,

Please assign a CVE ID for the following issue.

Description:

An XSS vulnerability was discovered affecting the MantisBT custom fields management pages. It is caused by unescaped output of the 'return URL' parameter (read from GET/POST/Cookie data, i.e. a GPC parameter), and can be exploited as follows:

1. injecting an 'accesskey' attribute into the hidden input field reflects
   XSS to the administrator in manage_custom_field_edit_page.php when the
   keyboard shortcut is triggered
2. using the 'javascript:' URI scheme executes the code when the user
   clicks the [Proceed] link on manage_custom_field_update.php after
   updating a custom field

Both attack vectors have been addressed:

- properly escape the return URL prior to printing it in the hidden form
  field
- let html_operation_successful() sanitize the URL before displaying
  it, just as html_meta_redirect() does: if the string contains a URI
  scheme, it is replaced by 'index.php'


Affected versions:
1.2.0 and later (possibly older releases as well; not tested)

Fixed in versions:
- 1.2.20
- 1.3.0-rc.2
As of this writing, neither has been released yet, but both should be available in the next few days.

Patch:
See Github [1]

Credits:
The issue was discovered by Kacper Szurek [2] and fixed by Damien Regad
(MantisBT Developer).

References:
Further details available in our issue tracker [3]


Best regards,
D. Regad
MantisBT Developer
http://www.mantisbt.org


[1] http://github.com/mantisbt/mantisbt/commit/5068df2d (1.2.x)
    http://github.com/mantisbt/mantisbt/commit/11ab3d6c (1.3.x)
[2] http://security.szurek.pl/
[3] https://mantisbt.org/bugs/view.php?id=20956
