View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0006002 | mantisbt | security | public | 2005-07-23 21:47 | 2006-10-09 11:55 |
Reporter | joxeanpiti | Assigned To | thraxisp | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | duplicate | ||
Summary | 0006002: Cross Site Scripting Vulnerability when deleting a bug | ||||
Description | A Cross Site Scripting Vulnerability was found in the script /bug_actiongroup_page.php when deleting it from the /view_all_bug_page.php. | ||||
Additional Information | Steps to reproduce: 1.- Insert a bug with the following summary: 2.- Find it in the /view_all_bug_page.php 3.- Click the checkbox, select delete from the drop down list below and click Ok. 4.- In the next screen you will see a JavaScript 'alert' message. | ||||
Tags | No tags attached. | ||||
Attached Files | 0006002.patch (712 bytes)
--- bug_actiongroup_page.orig 2005-07-24 04:14:11.000000000 +0200 +++ bug_actiongroup_page.php 2005-07-24 04:13:31.000000000 +0200 @@ -114,7 +114,7 @@ foreach( $f_bug_arr as $t_bug_id ) { $t_class = sprintf( "row-%d", ($t_i++ % 2) + 1 ); $t_bug_rows .= sprintf( "<tr bgcolor=\"%s\"> <td>%s</td> <td>%s</td> </tr>\n" - , get_status_color( bug_get_field( $t_bug_id, 'status' ) ), string_get_bug_view_link( $t_bug_id ), bug_get_field( $t_bug_id, 'summary' ) + , get_status_color( bug_get_field( $t_bug_id, 'status' ) ), string_get_bug_view_link( $t_bug_id ), htmlentities(bug_get_field( $t_bug_id, 'summary' )) ); echo '<input type="hidden" name="bug_arr[]" value="' . $t_bug_id . '" />' . "\n"; } | ||||
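Review bot: On the changed `+` line, `htmlentities(bug_get_field( $t_bug_id, 'summary' ))` is called with no flags or charset argument, so which quotes are encoded and how non-ASCII bytes in a summary are handled depend on the PHP version's defaults. Pass both explicitly, for example ENT_QUOTES and the charset the page is served in, so the escaping is the same wherever the code runs. The call also drops the spaces inside the parentheses that the neighbouring calls use. Separately, the unchanged context line `echo '<input type="hidden" name="bug_arr[]" value="' . $t_bug_id . '" />'` writes `$t_bug_id` into an attribute unescaped. The hunk does not show how `$f_bug_arr` is populated, so confirm the ids are cast to integers before this loop, or escape them here as well.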
Agh! I accidentally clicked the Sponsor button! |
|
I have attached a patch for the issue, called 0006002.patch. This vulnerability may be considered non-exploitable, but an attacker can use the following method to force an administrator to delete a bug (or bugs) from the view_all_bug.php page: 1.- Insert 8 fake bugs that send the cookie to a fake system |
|
joxeanpiti, please type 0 in the sponsorship field and click sponsor. This will remove your sponsorship. |
|
Actually, this is a duplicate of 0005751. It was fixed about 6 weeks ago, and is included in 1.0.0rc1. If you can remove your sponsorship, we can close this. |
|