Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Sat, 11 Jun 2016 02:05:05 +0200
From: Damien Regad <dregad@...tisbt.org>
To: oss-security@...ts.openwall.com
Subject: MantisBT: XSS in custom fields management

Greetings,

Please assign a CVE ID for the following issue.

Description:

An XSS vulnerability was discovered affecting the MantisBT custom fields
management pages. It is caused by unescaped output of the 'return URL' GPC
parameter, and can be exploited as follows:

1. injecting an 'accesskey' attribute into the hidden input field reflects
    XSS to the administrator in manage_custom_field_edit_page.php when the
    keyboard shortcut is actioned
2. using the 'javascript:' URI scheme executes the code when the user clicks
    the [Proceed] link on manage_custom_field_update.php after updating
    a custom field

Both attack vectors have been addressed:

- properly escape the return URL prior to printing it in the hidden form
   field
- let html_operation_successful() sanitize the URL before displaying
   it, just like html_meta_redirect() does. In this case, if the
   string contains a URI scheme, it will be replaced by 'index.php'


Affected versions:
1.2.0 and later (possibly older releases as well - not tested)

Fixed in versions:
- 1.2.20
- 1.3.0-rc.2
As of this writing, these have not been released yet, but both should be 
available in the next few days.

Patch:
See Github [1]

Credits:
The issue was discovered by Kacper Szurek [2] and fixed by Damien Regad
(MantisBT Developer).

References:
Further details available in our issue tracker [3]


Best regards,
D. Regad
MantisBT Developer
http://www.mantisbt.org


[1] http://github.com/mantisbt/mantisbt/commit/5068df2d (1.2.x)
     http://github.com/mantisbt/mantisbt/commit/11ab3d6c (1.3.x)
[2] http://security.szurek.pl/
[3] https://mantisbt.org/bugs/view.php?id=20956

