oss-sec mailing list archives
MantisBT: XSS in custom fields management
From: Damien Regad <dregad () mantisbt org>
Date: Sat, 11 Jun 2016 02:05:05 +0200
Greetings,

Please assign a CVE ID for the following issue.

Description:
An XSS vulnerability was discovered, affecting MantisBT Custom fields management pages. It is caused by unescaped output of the 'return URL' GPC parameter, and can be exploited as follows:

1. using 'accesskey' inside a hidden input field reflects XSS to the administrator in manage_custom_field_edit_page.php when the keyboard shortcut is actioned
2. using the 'javascript:' URI scheme executes the code when the user clicks the [Proceed] link on manage_custom_field_update.php after updating a custom field

Both attack vectors have been addressed:
- properly escape the return URL prior to printing it on the hidden form field
- let html_operation_successful() sanitize the URL before displaying it, just like html_meta_redirect() does. In this case, if the string contains a URI scheme, it will be replaced by 'index.php'

Affected versions: 1.2.0 and later (possibly older releases as well - not tested)

Fixed in versions:
- 1.2.20
- 1.3.0-rc.2
As of this writing, these have not been released yet, but both should be available in the next few days.

Patch: See Github [1]

Credits: The issue was discovered by Kacper Szurek [2] and fixed by Damien Regad (MantisBT Developer).

References: Further details available in our issue tracker [3]

Best regards,
D. Regad
MantisBT Developer
http://www.mantisbt.org

[1] http://github.com/mantisbt/mantisbt/commit/5068df2d (1.2.x)
    http://github.com/mantisbt/mantisbt/commit/11ab3d6c (1.3.x)
[2] http://security.szurek.pl/
[3] https://mantisbt.org/bugs/view.php?id=20956
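The two fixes the advisory describes (escape the return URL before echoing it into the hidden field; replace the URL with 'index.php' if it carries a URI scheme before using it as the [Proceed] link) are illustrated below in Python. This is an added example for this archive page, not MantisBT's own PHP code or the referenced commits: the function names sanitize_return_url, hidden_field and proceed_link are assumptions, the sample values are constructed, and the extra rejection of protocol-relative and control-character-padded values is hardening beyond what the advisory states.

```python
import html
import re

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) then ":".
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")

# Fallback used by the advisory when the return URL carries a scheme.
SAFE_FALLBACK = "index.php"


def sanitize_return_url(url: str) -> str:
    """Return `url` if it is a relative, scheme-less path; else 'index.php'.

    Browsers ignore ASCII control characters and leading whitespace inside
    a URL, so the scheme check runs on a copy with those bytes removed
    (an assumption about hardening, not part of the advisory's description).
    """
    probe = re.sub(r"[\x00-\x20]", "", url)
    if _SCHEME_RE.match(probe):          # e.g. javascript:, data:, http:
        return SAFE_FALLBACK
    if probe.startswith(("//", "/\\", "\\\\")):  # protocol-relative forms
        return SAFE_FALLBACK
    return url


def hidden_field(name: str, value: str) -> str:
    """Render <input type="hidden"> with both attributes HTML-escaped.

    html.escape(quote=True) encodes & < > " and ', so a value cannot close
    the value="..." attribute and inject accesskey= or event handlers.
    """
    return '<input type="hidden" name="%s" value="%s">' % (
        html.escape(name, quote=True),
        html.escape(value, quote=True),
    )


def proceed_link(return_url: str) -> str:
    """Render the [Proceed] link: sanitize the target, then escape it."""
    target = html.escape(sanitize_return_url(return_url), quote=True)
    return '<a href="%s">Proceed</a>' % target


if __name__ == "__main__":
    # Constructed sample values standing in for the 'return URL' parameter.
    samples = [
        "view_all_bug_page.php",            # legitimate relative target
        '" accesskey="x',                    # attribute break-out attempt
        "javascript:void(0)",               # URI scheme in the link target
        "  //example.invalid/",             # protocol-relative, space-padded
    ]
    for s in samples:
        print(repr(s))
        print("  hidden :", hidden_field("return", s))
        print("  proceed:", proceed_link(s))
```

Escaping alone is enough for the hidden field (the browser never interprets the value as markup), but it does not help the link: an escaped "javascript:" href is still a javascript: href once the browser decodes the attribute, which is why the second fix rejects the scheme rather than encoding it.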
Current thread:
- MantisBT: XSS in custom fields management Damien Regad (Jun 10)
- Re: MantisBT: XSS in custom fields management cve-assign (Jun 11)
- Re: MantisBT: XSS in custom fields management Damien Regad (Jun 11)
- Re: MantisBT: XSS in custom fields management cve-assign (Jun 11)