View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0024580 | mantisbt | security | public | 2018-07-02 07:17 | 2018-09-04 10:55 |
Reporter | om3rcitak | Assigned To | dregad | ||
Priority | high | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 2.1.0 | ||||
Target Version | 2.15.1 | Fixed in Version | 2.15.1 | ||
Summary | 0024580: CVE-2018-13055: Reflected XSS in view filters page | ||||
Description | Reported via e-mail by Ömer Çıtak, Security Researcher at Netsparker. URL: | ||||
Tags | No tags attached. | ||||
Attached Files | |||||
Confirmed - XSS reproduced in latest master MantisBT master 98ea423f (with CSP switched off)

The root cause is the use of A simple workaround would be to call string_sanitize_url(), but I'm wondering if and why we need to use PHP_SELF here. @cproensa, thoughts?

CVE Request 530974 sent

CVE-2018-13055 assigned

Proposed fix per 0024580:0060209. Please test and confirm that it does fix the issue.

Attached: 0001-Fix-XSS-in-filter_form_draw_inputs-CVE-2018-13055.patch (1,210 bytes)
From 1ffc2e3ed3e5958fc1d7f323b9346a35e22ce96d Mon Sep 17 00:00:00 2001 From: Damien Regad <dregad@mantisbt.org> Date: Wed, 4 Jul 2018 15:29:54 +0200 Subject: [PATCH] Fix XSS in filter_form_draw_inputs() (CVE-2018-13055) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Ömer Çıtak, Security Researcher at Netsparker, reported this vulnerability, allowing remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted PATH_INFO on view_filters_page.php. Prevent the attack by sanitizing the output of $_SERVER['PHP_SELF'] before display. Fixes #24580 --- core/filter_form_api.php | 1 + 1 file changed, 1 insertion(+) diff --git a/core/filter_form_api.php b/core/filter_form_api.php index 8baa008a5..05d5c39e1 100644 --- a/core/filter_form_api.php +++ b/core/filter_form_api.php @@ -2394,6 +2394,7 @@ function filter_form_draw_inputs( $p_filter, $p_for_screen = true, $p_static = f if( null === $p_static_fallback_page ) { $p_static_fallback_page = $_SERVER['PHP_SELF']; + $p_static_fallback_page = string_sanitize_url( $_SERVER['PHP_SELF'] ); } $t_filters_url = $p_static_fallback_page; $t_get_params = $_GET; -- 2.16.2 |
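Review bot: the sanitized assignment is appended after the existing `$p_static_fallback_page = $_SERVER['PHP_SELF'];` rather than replacing it; the hunk header `@@ -2394,6 +2394,7 @@` and the diffstat `1 insertion(+)` show that no line is removed, so the raw assignment survives as dead code that is immediately overwritten by `string_sanitize_url( $_SERVER['PHP_SELF'] )`. The outcome is correct, but the leftover line is misleading and a later edit that drops the second statement would silently reintroduce the unsanitized value. Replace the original line so the block reads `if( null === $p_static_fallback_page ) {` / `$p_static_fallback_page = string_sanitize_url( $_SERVER['PHP_SELF'] );` / `}`. The earlier question in this thread about whether PHP_SELF is needed here at all is still open; if a fixed page name works for the static fallback, that removes the reflected input entirely rather than sanitizing it.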

Looks good, I cannot test at the moment

The patch fixes the XSS issue, but is this the filter section you expect to see?

MantisBT: master-2.15 4efac90e 2018-07-04 05:29 Committer: atrol

Fix XSS in filter_form_draw_inputs() (CVE-2018-13055)

Ömer Çıtak, Security Researcher at Netsparker, reported this vulnerability, allowing remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted PATH_INFO on view_filters_page.php. Prevent the attack by sanitizing the output of $_SERVER['PHP_SELF'] before display.

Fixes 0024580

Affected Issues: 0024580

mod - core/filter_form_api.php