Date: Mon, 01 Dec 2014 08:25:33 +0100
From: Damien Regad <dregad@...tisbt.org>
To: oss-security@...ts.openwall.com
Subject: CVE Request: Multiple XSS vulnerabilities in MantisBT

Greetings,

Please assign CVE IDs for the following 5 issues.

Thanks in advance

D. Regad
MantisBT Developer
http://www.mantisbt.org


1. XSS in extended project browser
==================================

MantisBT has two modes of operation to select the current project. The 
second of these, the so-called "extended project browser", is vulnerable 
to XSS attacks as the code did not check that a given subproject id is 
indeed an integer.

This allows an attacker to execute arbitrary JavaScript code by forging 
the MantisBT project cookie.

Affected versions:
>= 1.1.0a1, <= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Patch:
See Github [1]

Credit:
Issue was discovered by Paul Richards and fixed by Paul Richards and 
Damien Regad.

References:
Further details available in our issue tracker [2]

[1] http://github.com/mantisbt/mantisbt/commit/511564cc
[2] http://www.mantisbt.org/bugs/view.php?id=17890


2. XSS in projax_api.php
========================

The Projax library used in MantisBT 1.2.x does not properly escape HTML 
strings. An attacker could take advantage of this to perform an XSS 
attack using the profile/Platform field.

Affected versions:
>= 1.1.0a3, <= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Patch:
See Github [3]

Credit:
Issue was reported by Offensive Security via their bug bounty program 
(http://www.offensive-security.com/bug-bounty-program/).
It was fixed by Paul Richards.

References:
Further details available in our issue tracker [4]

[3] http://github.com/mantisbt/mantisbt/commit/0bff06ec
[4] http://www.mantisbt.org/bugs/view.php?id=17583


3. XSS in admin panel / copy_field.php
======================================

Use of unsanitized parameters in this admin page allows an attacker to 
execute arbitrary JavaScript code.

Affected versions:
<= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Patch:
See Github [5]

Credit:
Issue was reported by Mathias Karlsson (http://mathiaskarlsson.me) as 
part of Offensive Security's bug bounty program [7].
It was fixed by Paul Richards.

References:
Further details available in our issue tracker [6]

[5] http://github.com/mantisbt/mantisbt/commit/e5fc835a
[6] http://www.mantisbt.org/bugs/view.php?id=17876
[7] http://www.offensive-security.com/bug-bounty-program/


4. XSS in string_insert_hrefs()
===============================

The URL matching regex in the string_insert_hrefs() function did not 
validate the protocol, allowing an attacker to use 'javascript://' to 
execute arbitrary code.

Affected versions:
>= 1.2.0a1, <= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Patch:
See Github [8]

Credit:
Issue was discovered by Mathias Karlsson (http://mathiaskarlsson.me) and 
reported by Offensive Security (http://www.offensive-security.com/).
It was fixed by Damien Regad (MantisBT Developer).

References:
Further details available in our issue tracker [9]

[8] http://github.com/mantisbt/mantisbt/commit/05378e00
[9] http://www.mantisbt.org/bugs/view.php?id=17297


5. XSS in file uploads
======================

An attacker could upload a malicious Flash file renamed to bear a 
recognized image extension (e.g. xss.swf ==> screenshot.png). Since by 
default MantisBT is configured to allow images to be displayed inline, 
it is possible to get the Flash to execute.

Affected versions:
<= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Patch:
See Github [10]

Credit:
Issue was reported by Mathias Karlsson (http://mathiaskarlsson.me) as 
part of Offensive Security's bug bounty program [7].
It was fixed by Damien Regad with contribution from Victor Boctor 
(MantisBT Developers).

References:
Further details available in our issue tracker [11]

[10] http://github.com/mantisbt/mantisbt/commit/9fb8cf36f
[11] http://www.mantisbt.org/bugs/view.php?id=17874
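As an added illustration of the class of check that defeats issue 5 (this is example code, not MantisBT's own code nor the fix in [10]): an upload is allowed to render inline only when its leading bytes match the image format its extension claims, and anything else, including a Flash movie renamed to .png, is served as a download. Function names and sample bytes are constructed for the example.

```python
import os

# Leading bytes (magic numbers) of the image formats allowed to render inline.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpeg": (b"\xff\xd8\xff",),
}
EXTENSION_TO_FORMAT = {"png": "png", "gif": "gif", "jpg": "jpeg", "jpeg": "jpeg"}
# Flash (SWF) headers: uncompressed, zlib-compressed and LZMA-compressed.
FLASH_SIGNATURES = (b"FWS", b"CWS", b"ZWS")


def sniff_format(data: bytes) -> str:
    """Classify an upload by content alone: 'flash', an image format name, or 'unknown'."""
    if data.startswith(FLASH_SIGNATURES):
        return "flash"
    for fmt, sigs in IMAGE_SIGNATURES.items():
        if data.startswith(sigs):
            return fmt
    return "unknown"


def inline_display_allowed(filename: str, data: bytes) -> bool:
    """True only when the extension and the content agree on a permitted image format."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    claimed = EXTENSION_TO_FORMAT.get(ext)
    return claimed is not None and sniff_format(data) == claimed


def download_headers(filename: str, data: bytes) -> dict:
    """Response headers for the attachment: inline for verified images, forced download otherwise."""
    headers = {"X-Content-Type-Options": "nosniff"}  # stop browsers second-guessing the type
    if inline_display_allowed(filename, data):
        headers["Content-Type"] = "image/" + sniff_format(data)
        headers["Content-Disposition"] = "inline"
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = "attachment"
    return headers


# Constructed sample inputs: a minimal PNG header, and a SWF header uploaded under a .png name.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR"
SAMPLE_SWF_AS_PNG = b"FWS\x0a" + b"\x00" * 8

if __name__ == "__main__":
    print(download_headers("screenshot.png", SAMPLE_PNG))
    print(download_headers("screenshot.png", SAMPLE_SWF_AS_PNG))
```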
