View Issue Details

ID: 0024580
Project: mantisbt
Category: security
View Status: public
Last Update: 2018-09-04 10:55
Reporter: om3rcitak
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.1.0
Target Version: 2.15.1
Fixed in Version: 2.15.1
Summary: 0024580: CVE-2018-13055: Reflected XSS in view filters page
Description

Reported via e-mail by Ömer Çıtak, Security Researcher at Netsparker.

URL: http://{domain}/{mantis_path}/view_filters_page.php/'"--></style></scRipt><scRipt>alert(0x00CB68)</scRipt>
Parameter Name: URI-BASED
Parameter Type: Full URL
Attack Pattern: '"--></style></scRipt><scRipt>alert(0x00CB68)</scRipt>

Tags: No tags attached.
Attached Files

Relationships

related to 0024731 (closed, dregad): CVE-2018-16514: Reflected XSS in view_filters_page.php via core/filter_form_api.php

Activities

dregad (developer) 2018-07-02 07:35 ~0060208

Confirmed - XSS reproduced in latest master MantisBT master 98ea423f (with CSP switched off)

dregad (developer) 2018-07-02 10:02 ~0060209

The root cause is the use of $_SERVER['PHP_SELF'] in https://github.com/mantisbt/mantisbt/blob/release-2.15.0/core/filter_form_api.php#L2396.
This code was introduced as part of the Filter API refactoring MantisBT master 46fddbcb in MantisBT 2.1.0.

A simple workaround would be to call string_sanitize_url(), but I'm wondering if and why we need to use PHP_SELF here.

@cproensa, thoughts ?

dregad (developer) 2018-07-02 10:12 ~0060210

CVE Request 530974 sent

dregad (developer) 2018-07-04 09:23 ~0060212

CVE-2018-13055 assigned

dregad (developer) 2018-07-04 09:47 ~0060213

Proposed fix per 0024580:0060209. Please test and confirm that it does fix the issue.

0001-Fix-XSS-in-filter_form_draw_inputs-CVE-2018-13055.patch (1,210 bytes)   
From 1ffc2e3ed3e5958fc1d7f323b9346a35e22ce96d Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Wed, 4 Jul 2018 15:29:54 +0200
Subject: [PATCH] Fix XSS in filter_form_draw_inputs() (CVE-2018-13055)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Ömer Çıtak, Security Researcher at Netsparker, reported this
vulnerability, allowing remote attackers to inject arbitrary code
(if CSP settings permit it) through a crafted PATH_INFO on
view_filters_page.php.

Prevent the attack by sanitizing the output of $_SERVER['PHP_SELF']
before display.

Fixes #24580
---
 core/filter_form_api.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/core/filter_form_api.php b/core/filter_form_api.php
index 8baa008a5..05d5c39e1 100644
--- a/core/filter_form_api.php
+++ b/core/filter_form_api.php
@@ -2394,6 +2394,7 @@ function filter_form_draw_inputs( $p_filter, $p_for_screen = true, $p_static = f
 
 	if( null === $p_static_fallback_page ) {
 		$p_static_fallback_page = $_SERVER['PHP_SELF'];
+		$p_static_fallback_page = string_sanitize_url( $_SERVER['PHP_SELF'] );
 	}
 	$t_filters_url = $p_static_fallback_page;
 	$t_get_params = $_GET;
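Review bot: the context line `$p_static_fallback_page = $_SERVER['PHP_SELF'];` is kept and then immediately overwritten by the added `$p_static_fallback_page = string_sanitize_url( $_SERVER['PHP_SELF'] );`, which leaves a dead assignment of the unsanitized value; the hunk should remove the original line (a `-` line) rather than add a second assignment below it. The commit message would also benefit from stating that only this one sink is sanitized: the related issue 0024731 on this page tracks a further reflected XSS (CVE-2018-16514) in the same file, so the other places in filter_form_api.php where request-derived values are written into markup deserve the same review.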
-- 
2.16.2

cproensa (developer) 2018-07-05 13:06 ~0060219

> @cproensa, thoughts ?
> Proposed fix per 0024580:0060209. Please test and confirm that it does fix the issue.

Looks good, I cannot test at the moment.
The self page is a "reload" link for populating the filter options when javascript is disabled.
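The root cause described in note ~0060209 (echoing $_SERVER['PHP_SELF'], which carries client-controlled PATH_INFO, into a link) and the purpose of that link described above (a no-JavaScript "reload" of the filter form) are illustrated by the following added example. It is not MantisBT code and does not reproduce string_sanitize_url(); the function names, the sample $server array and the hardening approach (deriving the path from SCRIPT_NAME and HTML-escaping on output) are this example's own assumptions.

```php
<?php
// Added example, not MantisBT code. Shows why a reload link built from
// $_SERVER['PHP_SELF'] is a reflected-XSS sink, beside one hardened form.
// vulnerable_reload_link(), safe_reload_link() and $server are constructed
// for this illustration; the hardening here is not string_sanitize_url().

// Vulnerable pattern: PHP_SELF is SCRIPT_NAME plus PATH_INFO, and PATH_INFO is
// whatever the client appended after the script name. Writing it into an HTML
// attribute unescaped lets that text break out of the attribute.
function vulnerable_reload_link(array $server, array $get): string
{
    $url = $server['PHP_SELF'];
    if (!empty($get)) {
        $url .= '?' . http_build_query($get);
    }
    return '<a href="' . $url . '">Reload</a>';
}

// Hardened pattern: build the self URL from SCRIPT_NAME, which does not include
// PATH_INFO, URL-encode the query string, and HTML-escape the whole value when
// placing it in the attribute. Escaping on output is the control that holds even
// if an unexpected $_SERVER value reaches this point.
function safe_reload_link(array $server, array $get): string
{
    $url = $server['SCRIPT_NAME'];
    if (!empty($get)) {
        $url .= '?' . http_build_query($get);
    }
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $escaped . '">Reload</a>';
}

// Constructed request: a PATH_INFO segment carrying markup after the script name.
$server = [
    'SCRIPT_NAME' => '/mantis/view_filters_page.php',
    'PATH_INFO'   => '/"><injected>',
    'PHP_SELF'    => '/mantis/view_filters_page.php/"><injected>',
];
$get = ['filter_id' => '5', 'target_field' => 'severity'];

// In the first output the quote inside PATH_INFO terminates the href attribute
// and <injected> becomes part of the document; in the second the path has no
// PATH_INFO and every special character is entity-encoded.
echo vulnerable_reload_link($server, $get), PHP_EOL;
echo safe_reload_link($server, $get), PHP_EOL;
```

Run with `php example.php` to compare the two links. The same comparison applies to the form action of the reload form: a Content-Security-Policy header, as note ~0060208 observed, masks the injection in browsers that enforce it, but the output encoding is what removes the defect.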

atrol (developer) 2018-07-05 17:10 ~0060220

The patch fixes the XSS issue, but is this the filter section you expect to see?

FilterXSS.png (290,802 bytes)   

Related Changesets

MantisBT: master-2.15 4efac90e
2018-07-04 05:29
Author: dregad
Committer: atrol

Fix XSS in filter_form_draw_inputs() (CVE-2018-13055)

Ömer Çıtak, Security Researcher at Netsparker, reported this
vulnerability, allowing remote attackers to inject arbitrary code
(if CSP settings permit it) through a crafted PATH_INFO on
view_filters_page.php.

Prevent the attack by sanitizing the output of $_SERVER['PHP_SELF']
before display.

Fixes 0024580

Affected Issues: 0024580
mod - core/filter_form_api.php