View Issue Details

ID: 0027304
Project: mantisbt
Category: security
View Status: public
Last Update: 2020-09-25 14:53
Reporter: d3vpoo1
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Windows
OS: Windows
OS Version: Windows
Product Version: 2.24.2
Target Version: 2.24.3
Fixed in Version: 2.24.3
Summary: 0027304: CVE-2020-25830: HTML Injection in bug_actiongroup_page.php
Description

A crafted custom field name may be used to inject HTML into bug_actiongroup_page.php

Steps To Reproduce
  • Login as admin
  • Go to manage_custom_field_page.php
  • Create a custom field with name <input type="text" value="Look I Injected this">
  • Link this new custom field to some project
  • Go to view_all_bug_page.php
  • Select one or more issues from the list
  • pick Update <input type="text" value="Look I Injected this"> from the selection list at page bottom
  • click OK to submit the form

bug_actiongroup_page.php opens, and you see a rendered input field with the value Look I Injected this (see attached screenshot poc.png)

Additional Information

None
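As an added example (not MantisBT's code and not taken from the fix in this issue), the title construction from bug_actiongroup_page.php modelled in plain PHP, vulnerable form beside the escaped form, with the report's custom field name as input. UPDATE_FIELD_FORMAT is a constructed stand-in for the actiongroup_menu_update_field language string; MantisBT's string_attribute() is built on htmlspecialchars(), but the flags chosen here are this example's own.

```php
<?php
// Added example, not MantisBT code: models the vulnerable and fixed lines
// of bug_actiongroup_page.php so the effect of the missing escaping can be
// seen without a MantisBT install.

// Constructed stand-in for lang_get('actiongroup_menu_update_field').
const UPDATE_FIELD_FORMAT = 'Update %s';

// Custom field name from the report's reproduction steps.
const POC_NAME = '<input type="text" value="Look I Injected this">';

// Vulnerable: the field name is interpolated into markup unescaped, so a
// name containing tags becomes live HTML in the confirmation page.
function question_title_vulnerable(string $name): string {
    return sprintf(UPDATE_FIELD_FORMAT, $name);
}

// Fixed: escape at the output site, as the patch does with string_attribute().
// ENT_QUOTES covers both quote characters, so the result is inert as element
// text and inside a quoted attribute such as the submit button's value.
function question_title_fixed(string $name): string {
    return sprintf(UPDATE_FIELD_FORMAT, htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));
}

// Crude check used only for this demonstration: is there still a tag opener?
function contains_markup(string $html): bool {
    return (bool) preg_match('/<\s*[a-z]/i', $html);
}

$vuln  = question_title_vulnerable(POC_NAME);
$fixed = question_title_fixed(POC_NAME);

echo "vulnerable title contains markup: " . var_export(contains_markup($vuln), true) . PHP_EOL;
echo "fixed title contains markup:      " . var_export(contains_markup($fixed), true) . PHP_EOL;

// The same title is reused for the button, i.e. it lands in an attribute too;
// with the escaped value the quotes in the name cannot close the attribute.
echo '<input type="submit" value="' . $fixed . '">' . PHP_EOL;
```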

Tags: No tags attached.

Activities

d3vpoo1

2020-09-21 00:44

reporter

poc.png (18,798 bytes)
dregad

2020-09-21 02:12

developer   ~0064464

Will look into it.

BTW I'm just about to release 2.24.3 so I'd like to know if I should defer that and wait for you to complete your pen test in expectation of further security reports, or if you're done and I can go ahead (after fixing this one of course)...

d3vpoo1

2020-09-21 02:37

reporter   ~0064465

Please check this issue first, then I will stop the pentest for the current version... If this is worth checking, please pause the release of the next version, but if not, please continue to release it.

dregad

2020-09-23 12:13

developer   ~0064473

Bug confirmed.

dregad

2020-09-23 12:20

developer   ~0064474

@d3vpoo1 In reply to 0027304:0064465, I'm not sure you understood what I meant.

Cutting a new release requires work, so I would rather avoid publishing 2.24.3 (now or in a few days) while you continue to search for vulnerabilities and would potentially submit more security issues that would require me to cut 2.24.4 just a few days after.

So the question is, again, did you complete your pentest, or are you still running it and should we expect more findings in the coming days? If not, I'll release 2.24.3 now, and if yes I'll wait until you tell me you're done, so I can do a single, bigger release with all the required fixes for your upcoming bug reports.

d3vpoo1

2020-09-23 13:37

reporter   ~0064475

Apologies, I decided to stop my testing (already finished).

dregad

2020-09-23 17:23

developer   ~0064476

CVE Request 963152 sent.

See proposed fix in attached patch.

0001-Fix-XSS-in-bug_actiongroup_page.php.patch (1,225 bytes)   
From cc69f7f43744d037b201b05a4610022189e99d87 Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Wed, 23 Sep 2020 18:36:32 +0200
Subject: [PATCH] Fix XSS in bug_actiongroup_page.php

Improper escaping of the custom field's name allowed an attacker to
inject HTML into the page.

Credits to d3vpoo1 (https://gitlab.com/jrckmcsb) for the finding.

Fixes #27304
---
 bug_actiongroup_page.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/bug_actiongroup_page.php b/bug_actiongroup_page.php
index cdebbf49e..2610ab9cb 100644
--- a/bug_actiongroup_page.php
+++ b/bug_actiongroup_page.php
@@ -225,7 +225,9 @@ switch( $f_action ) {
 		break;
 	case 'CUSTOM' :
 		$t_custom_field_def = custom_field_get_definition( $t_custom_field_id );
-		$t_question_title = sprintf( lang_get( 'actiongroup_menu_update_field' ), lang_get_defaulted( $t_custom_field_def['name'] ) );
+		$t_question_title = sprintf( lang_get( 'actiongroup_menu_update_field' ),
+			string_attribute( lang_get_defaulted( $t_custom_field_def['name'] ) )
+		);
 		$t_button_title = $t_question_title;
 		$t_form = 'custom_field_' . $t_custom_field_id;
 		$t_event_params['custom_field_id'] = $t_custom_field_id;
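Review bot: escaping is done at the output site with string_attribute(), which is the right place, but the following context line `$t_button_title = $t_question_title;` means the attribute-escaped string is now reused for the button as well; confirm that wherever `$t_question_title` and `$t_button_title` are rendered (as a text node or as an attribute value) the consumer does not escape again, otherwise `&quot;` and `&lt;` will be double-encoded and appear literally. The commit subject says "Fix XSS" while the issue is titled "HTML Injection"; consider aligning the wording, since what the report demonstrates is rendered markup.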
-- 
2.25.1

dregad

2020-09-23 17:43

developer   ~0064477

CVE-2020-25830 assigned

Related Changesets

MantisBT: master-2.24 8c6f4d88

2020-09-23 12:36:32

dregad

Fix XSS in bug_actiongroup_page.php

Improper escaping of the custom field's name allowed an attacker to
inject HTML into the page.

Credits to d3vpoo1 (https://gitlab.com/jrckmcsb) for the finding.

Fixes 0027304
Affected Issues
0027304
mod - bug_actiongroup_page.php

Issue History

Date Modified Username Field Change
2020-09-21 00:44 d3vpoo1 New Issue
2020-09-21 00:44 d3vpoo1 File Added: poc.png
2020-09-21 02:12 dregad Assigned To => dregad
2020-09-21 02:12 dregad Status new => acknowledged
2020-09-21 02:12 dregad Note Added: 0064464
2020-09-21 02:37 d3vpoo1 Note Added: 0064465
2020-09-23 12:13 dregad Severity minor => major
2020-09-23 12:13 dregad Status acknowledged => confirmed
2020-09-23 12:13 dregad Target Version => 2.24.3
2020-09-23 12:13 dregad Description Updated View Revisions
2020-09-23 12:13 dregad Steps to Reproduce Updated View Revisions
2020-09-23 12:13 dregad Note Added: 0064473
2020-09-23 12:14 dregad Summary HTML Injection => HTML Injection in bug_actiongroup_page.php
2020-09-23 12:20 dregad Note Added: 0064474
2020-09-23 13:37 d3vpoo1 Note Added: 0064475
2020-09-23 17:22 dregad Status confirmed => assigned
2020-09-23 17:23 dregad Note Added: 0064476
2020-09-23 17:23 dregad File Added: 0001-Fix-XSS-in-bug_actiongroup_page.php.patch
2020-09-23 17:43 dregad Summary HTML Injection in bug_actiongroup_page.php => CVE-2020-25830: HTML Injection in bug_actiongroup_page.php
2020-09-23 17:43 dregad Note Added: 0064477
2020-09-25 13:27 dregad Changeset attached => MantisBT master-2.24 8c6f4d88
2020-09-25 13:27 dregad Status assigned => resolved
2020-09-25 13:27 dregad Resolution open => fixed
2020-09-25 13:27 dregad Fixed in Version => 2.24.3
2020-09-25 13:36 dregad View Status private => public
2020-09-25 14:53 dregad Status resolved => closed