Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 11 Jun 2016 02:05:05 +0200
From: Damien Regad <>
Subject: MantisBT: XSS in custom fields management


Please assign a CVE ID for the following issue.


An XSS vulnerability was discovered, affecting MantisBT Custom fields 
management pages. It is caused by unescaped output of 'return URL' GPC 
parameter, and can be exploited as follows:

1. using 'accesskey' inside hidden input field reflects XSS to the
    administrator in manage_custom_field_edit_page.php when the keyboard
    shortcut is actioned
2. using 'javascript:' URI scheme executes the code when the user clicks
    the [Proceed] link on manage_custom_field_update.php after updating
    a custom field

Both attack vectors have been addressed:

- properly escape the return URL prior to printing it on the hidden form
- let html_operation_successful() sanitize the URL before displaying
   it, just like html_meta_redirect() does. In this case, if the
   string contains an URI scheme, it will be replaced by 'index.php'

Affected versions:
1.2.0 and later (possibly older releases as well - not tested)

Fixed in versions:
- 1.2.20
- 1.3.0-rc.2
As of this writing, these have not been released yet, but both should be 
available in the next few days.

See Github [1]

The issue was discovered by Kacper Szurek [2] and fixed by Damien Regad
(MantisBT Developer).

Further details available in our issue tracker [3]

Best regards,
D. Regad
MantisBT Developer

[1] (1.2.x) (1.3.x)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.