View Issue Details

ID: 0024186
Project: mantisbt
Category: security
View Status: public
Last Update: 2018-04-13 08:34
Reporter: dregad
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 2.1.0
Target Version: 2.12.1
Fixed in Version: 2.12.1
Summary: 0024186: CVE-2018-1000162: XSS vulnerability in Parsedown library
Description

Parsedown 1.6.x is vulnerable to XSS attacks

This was fixed in 1.7.0 on 28-Feb-2018; 1.7.1 was released a few days later including a few additional bug fixes.

Additional Information

Some changes will be required on MantisBT side, e.g. $Parsedown->setSafeMode(true); to ensure we're protected against link-based XSS (see discussion in https://github.com/erusev/parsedown/pull/495)
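
A hardened renderer in the shape the issue describes, as an added example (not MantisBT's or Parsedown's own code): it assumes Parsedown 1.7.x is installed via Composer, defines a hypothetical SafeIssueMarkdown class that enables safe mode in its constructor, and runs constructed markdown through both the default and the safe-mode renderer with a regression check a test suite can keep.

```php
<?php
// Added example, not MantisBT's or Parsedown's own code. Assumes Parsedown >= 1.7.0
// is autoloaded via Composer; the class, the samples and the check are constructed here.
require_once __DIR__ . '/vendor/autoload.php';

// Hypothetical renderer mirroring the shape of MantisMarkdown: safe mode is switched on
// in the constructor so every instance escapes raw HTML in the input and rewrites link
// hrefs whose scheme is not on Parsedown's whitelist (http, https, ftp, mailto, ...).
class SafeIssueMarkdown extends Parsedown
{
    public function __construct()
    {
        $this->setSafeMode( true );
        $this->setBreaksEnabled( true ); // unrelated to XSS; keeps line breaks as typed
    }
}

// Constructed inputs: raw HTML, a non-whitelisted link scheme, and a normal link that
// must keep working after hardening.
$samples = array(
    'raw html'    => 'Hello <script>alert(1)</script> world',
    'unsafe link' => '[click](javascript:alert(1))',
    'normal link' => '[docs](https://mantisbt.org/docs/)',
);

// Regression check: rendered output must contain neither a live script element nor a
// javascript: href (safe mode escapes the former and rewrites the latter's colon to %3A),
// while an https link must survive untouched.
function html_is_safe( $html )
{
    return stripos( $html, '<script' ) === false
        && !preg_match( '/href="\s*javascript:/i', $html )
        && strpos( $html, 'href="https://mantisbt.org/docs/"' ) !== false
           || strpos( $html, 'mantisbt.org' ) === false;
}

$unsafe = new Parsedown();          // default settings: raw HTML and any href pass through
$safe   = new SafeIssueMarkdown();

foreach( $samples as $label => $md ) {
    $out = $safe->text( $md );
    printf( "%-12s default: %s\n", $label, $unsafe->text( $md ) );
    printf( "%-12s safe:    %s\n", $label, $out );
    printf( "%-12s check:   %s\n\n", $label, html_is_safe( $out ) ? 'ok' : 'UNSAFE' );
}
```

The default renderer is only instantiated to show the contrast; the check is what belongs in the project's tests, run against the safe-mode class alone.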

Tags: No tags attached.
Attached Files

Relationships

parent of 0024297 closeddregad Update Parsedown library to 1.7.1 
related to 0024201 closedatrol Broken rendering of @ mentions, # issue and ~ note links 
related to 0024233 closedatrol Markdown quoting rendered with broken HTML 

Activities

atrol

2018-03-29 08:13

developer   ~0059346

Last edited: 2018-03-29 08:23

@dregad, I recommend waiting a bit (at least 1.7.2) until 1.7.x is stabilized.
After hardly anything happened with parsedown for quite a long time, the new contributor/maintainer aidantwoods changed quite a lot in 1.7.0 and 1.7.1.

dregad

2018-03-29 09:04

developer   ~0059348

Last edited: 2018-03-29 09:05

> I recommend waiting a bit (at least 1.7.2) until 1.7.x is stabilized.

I don't see any reason to delay - this is a security issue that is affecting us today and for which a fix is available. It would be silly not to patch it ASAP.

dregad

2018-03-29 09:10

developer   ~0059349

Proposed patch as attachment for review, to avoid public disclosure in a pull request

24186.patch (2,842 bytes)   
diff --cc composer.json
index 179cae1,179cae1..f634264
--- a/composer.json
+++ b/composer.json
@@@ -8,7 -8,7 +8,7 @@@
          "vboctor/disposable_email_checker": "^3.0",
          "adodb/adodb-php": "^5.20",
          "phpmailer/phpmailer": "^5.2.22",
--        "erusev/parsedown": "^1.7.0",
++        "erusev/parsedown": "^1.6",
          "dapphp/securimage": "dev-mantis"
      },
      "require-dev": {
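Review bot: this hunk runs in the wrong direction: the `--` line removes `"erusev/parsedown": "^1.7.0"` and the `++` line restores `"erusev/parsedown": "^1.6"`, so applying the patch as attached would pin MantisBT back on the vulnerable 1.6 series rather than on the 1.7.0 fix the issue calls for. Regenerate it with `git format-patch` against the fix commit so the result is `"^1.7.0"`; the `diff --cc` / `@@@` combined-diff header also indicates the patch was taken from a merge rather than the single fix commit, and combined diffs cannot be applied with `git apply` or `git am`.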
diff --cc composer.lock
index 8f44439,8f44439..9879157
--- a/composer.lock
+++ b/composer.lock
@@@ -4,7 -4,7 +4,7 @@@
          "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
          "This file is @generated automatically"
      ],
--    "content-hash": "493a9911b0f5109b5f4b73997648e7be",
++    "content-hash": "acd102d3211c0308e763376e7be54d78",
      "packages": [
          {
              "name": "adodb/adodb-php",
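Review bot: `content-hash` is derived from composer.json, so once the composer.json hunk is applied in the intended direction this value must come from running `composer update erusev/parsedown` rather than from this reversed hunk; a stale hash makes `composer install` warn that the lock file is not up to date with composer.json.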
@@@ -142,25 -142,25 +142,21 @@@
          },
          {
              "name": "erusev/parsedown",
--            "version": "1.7.1",
++            "version": "1.6.3",
              "source": {
                  "type": "git",
                  "url": "https://github.com/erusev/parsedown.git",
--                "reference": "92e9c27ba0e74b8b028b111d1b6f956a15c01fc1"
++                "reference": "728952b90a333b5c6f77f06ea9422b94b585878d"
              },
              "dist": {
                  "type": "zip",
--                "url": "https://api.github.com/repos/erusev/parsedown/zipball/92e9c27ba0e74b8b028b111d1b6f956a15c01fc1",
--                "reference": "92e9c27ba0e74b8b028b111d1b6f956a15c01fc1",
++                "url": "https://api.github.com/repos/erusev/parsedown/zipball/728952b90a333b5c6f77f06ea9422b94b585878d",
++                "reference": "728952b90a333b5c6f77f06ea9422b94b585878d",
                  "shasum": ""
              },
              "require": {
--                "ext-mbstring": "*",
                  "php": ">=5.3.0"
              },
--            "require-dev": {
--                "phpunit/phpunit": "^4.8.35"
--            },
              "type": "library",
              "autoload": {
                  "psr-0": {
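Review bot: same reversal here: the `--` lines drop `"version": "1.7.1"` and the `++` lines bring back `"version": "1.6.3"`, the opposite of the upgrade. Note that in the intended direction the `"ext-mbstring": "*"` line becomes a new platform requirement recorded in the lock file, so `composer install` will refuse to proceed on a host without the mbstring extension; confirm this matches MantisBT's documented requirements (the discussion further down confirms it does) before merging.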
@@@ -184,7 -184,7 +180,7 @@@
                  "markdown",
                  "parser"
              ],
--            "time": "2018-03-08T01:11:30+00:00"
++            "time": "2017-05-14T14:47:48+00:00"
          },
          {
              "name": "guzzlehttp/guzzle",
diff --cc plugins/MantisCoreFormatting/core/MantisMarkdown.php
index 6d96174,e937edd..18958bb
--- a/plugins/MantisCoreFormatting/core/MantisMarkdown.php
+++ b/plugins/MantisCoreFormatting/core/MantisMarkdown.php
@@@ -66,9 -66,9 +66,6 @@@ class MantisMarkdown extends Parsedow
  
  		# set the table class
  		$this->table_class = 'table table-nonfluid';
--
--		# XSS protection
--		$this->setSafeMode( true );
  	}
  
  	/**
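Review bot: reversed again, and this is the hunk that matters: the `--` lines delete `$this->setSafeMode( true );`, which is the actual mitigation for the link-based XSS this issue tracks, while the intended patch adds it. When adding it, keep in mind that safe mode escapes raw markup found in the markdown text and rewrites hrefs whose scheme is outside Parsedown's whitelist, so any HTML MantisMarkdown generates must be built through element arrays and attributes (as `$this->table_class` is) rather than spliced into the input text before parsing, or it will be escaped; the related issues 0024201 (broken @ mention, # issue and ~ note links) and 0024233 (broken quote rendering) are the kind of regression to cover in tests.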
vboctor

2018-03-30 18:49

manager   ~0059376

@dregad I'm OK with the fix to make its way to 2.12.1. Seems like you have a reverse patch in 0024186:0059349

> "ext-mbstring": "*",

Why is this added?

dregad

2018-03-30 19:02

developer   ~0059377

Last edited: 2018-03-30 19:08

> Seems like you have a reverse patch in 0024186:0059349

Yes, I made a mistake in the git format-patch command.

> "ext-mbstring": "*",
>
> Why is this added?

That comes from parsedown's composer.json - details on why it was added are here: https://github.com/erusev/parsedown/pull/561
Not a problem for us, as we also require it: http://mantisbt.org/docs/master/en-US/Admin_Guide/html-desktop/#admin.install.requirements.software

dregad

2018-04-13 07:16

developer   ~0059562

CVE-2018-1000162 assigned https://github.com/erusev/parsedown/issues/590

dregad

2018-04-13 08:34

developer   ~0059563

Changing title and creating a child issue to track the Parsedown library update (0024297) separately, as it is effectively just a pre-requisite to the actual fix for the XSS (i.e. enabling safe mode)

Related Changesets

MantisBT: master-2.12 518d7529

2018-03-29 04:16

dregad


Details Diff
Update Parsedown to 1.7.1

- Set minimum required version to 1.7.0 in composer.json
- Run composer update
- Updating erusev/parsedown (1.6.3 => 1.7.1)

Fixes 0024186
Affected Issues
0024186, 0024297
mod - composer.json
mod - composer.lock

MantisBT: master-2.12 a5e043f0

2018-03-29 04:49

dregad


Details Diff
Enable Parsedown Safe Mode for XSS protection

Fixes 0024186
Affected Issues
0024186
mod - plugins/MantisCoreFormatting/core/MantisMarkdown.php