Date: Sat, 15 Nov 2014 01:26:39 -0000
From: "P Richards" <paul@...tisforge.org>
To: <oss-security@...ts.openwall.com>,
	"'Damien Regad'" <dregad@...tisbt.org>
Cc: <cve-assign@...re.org>
Subject: RE: CVE Request: XSS vulnerability in MantisBT 1.2.13

Hi Damien,

Please can you ensure that you attribute proper credit for security issues - we identified this issue in Master back in May and this was due to be backported to the 1.2.18 release:

The adm_config_report.php displays a dropdown list of configuration values, but does not check that the config value is valid - therefore someone could change the post/get request to modify the value to pass XSS onto the page.

We fixed this issue in Master with the following commit https://github.com/mantisbt/mantisbt/commit/cabacdc291c251bfde0dc2a2c945c02cef41bf40, and I believe I requested this to be back-ported at the time. You modified the code not to trigger an error with the commit https://github.com/mantisbt/mantisbt/commit/3d0625d84d5d08a998673713df1711e1d46b0b86 and to fall back to the default of no value selected.

I don't believe it is correct to state that an issue was discovered in November that we had already discovered, fixed and were planning on backporting to the 1.2.18 release in May, and not credit the people who discovered and fixed the original issue.

Paul

-----Original Message-----
From: Damien Regad [mailto:dregad@...tisbt.org] 
Sent: 14 November 2014 22:30
To: oss-security@...ts.openwall.com
Subject: [oss-security] CVE Request: XSS vulnerability in MantisBT 1.2.13

Please assign a CVE ID for the following issue.

Description:

The MantisBT Configuration Report page (adm_config_report.php) did not escape a parameter before displaying it on the page, allowing an attacker to execute arbitrary JavaScript code.

The severity of this issue is mitigated by the need to have a high-privileged account (by default, administrator) to access the configuration report page.

Affected versions:
>= 1.2.13, <= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Patch:
See Github [1]

Credit:
Issue was discovered by Alejo Popovici and fixed by Damien Regad (MantisBT Developer)

References:
Further details available in our issue tracker [2]


D. Regad
MantisBT Developer
http://www.mantisbt.org


[1] http://github.com/mantisbt/mantisbt/commit/ee8100d6
[2] http://www.mantisbt.org/bugs/view.php?id=17870
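The defect both messages describe is a reflected value in a configuration dropdown that is neither validated against the set of known configuration options nor escaped on output. The following PHP is an added illustration of that pattern and its hardened form; it is not MantisBT's code, and the option names, function names and parameter name `filter_config_id` are made up for the example.

```php
<?php
// Added illustration (not MantisBT's code): a config-option dropdown that
// reflects a request parameter, shown in a vulnerable and a hardened form.

// Hypothetical set of known configuration option names. A real application
// would derive this from its configuration registry rather than a literal.
const KNOWN_CONFIG_OPTIONS = ['allow_signup', 'default_language', 'webmaster_email'];

// VULNERABLE pattern: the submitted value is echoed back into the <select>
// without checking it is a known option and without HTML escaping, so any
// markup placed in the GET/POST parameter lands in the page as-is.
function render_filter_vulnerable(string $submitted): string
{
    $html  = '<select name="filter_config_id">';
    $html .= '<option value="' . $submitted . '" selected>' . $submitted . '</option>';
    foreach (KNOWN_CONFIG_OPTIONS as $opt) {
        $html .= '<option value="' . $opt . '">' . $opt . '</option>';
    }
    return $html . '</select>';
}

// HARDENED pattern, two independent layers:
//  1. validate: accept the submitted value only if it is a known option,
//     otherwise fall back to "nothing selected" (no error page needed);
//  2. escape: run every value through htmlspecialchars() on output anyway,
//     so a future change to the option list cannot reintroduce the bug.
function render_filter_hardened(string $submitted): string
{
    $selected = in_array($submitted, KNOWN_CONFIG_OPTIONS, true) ? $submitted : '';

    $html  = '<select name="filter_config_id">';
    $html .= '<option value=""' . ($selected === '' ? ' selected' : '') . '>[any]</option>';
    foreach (KNOWN_CONFIG_OPTIONS as $opt) {
        $safe = htmlspecialchars($opt, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $sel  = ($opt === $selected) ? ' selected' : '';
        $html .= '<option value="' . $safe . '"' . $sel . '>' . $safe . '</option>';
    }
    return $html . '</select>';
}

// Constructed inputs for a command-line run: a legitimate option name and a
// value containing markup, standing in for a tampered request parameter.
$inputs = [
    $argv[1] ?? 'default_language',
    '"><b>injected</b>',
];
foreach ($inputs as $in) {
    echo "input:      {$in}\n";
    echo "vulnerable: " . render_filter_vulnerable($in) . "\n";
    echo "hardened:   " . render_filter_hardened($in) . "\n\n";
}
```

Run with `php example.php` (optionally passing an option name as the first argument). For the markup-bearing input the vulnerable renderer closes the `<option>` attribute and emits the tag verbatim, while the hardened renderer discards the unknown value, selects `[any]`, and only ever outputs escaped option names. Note that the validation step alone would already neutralise the report here, and that the escaping step alone would too; keeping both is what makes the page robust against the next refactor.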
