ID: 0022266
Project: mantisbt
Category: security
View Status: public
Last Update: 2017-03-22 04:17
Reporter: vboctor
Assigned To: vboctor
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.0.0-beta.1
Target Version: 2.1.1
Fixed in Version: 2.1.1
Summary: 0022266: CVE-2017-7222: Sanitize window title
Description

The config option 'window_title' can include <script>alert(1);</script> or <img> tags and it will be rendered successfully. This is mitigated via:

  • CSP - prevents the script from executing, but an image would still work.
  • window_title can only be set by trusted users.

Having said that, we should run this through sanitization anyway.

I was able to reproduce this on master, but haven't tried on 1.3.x.
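The pattern behind the report, as an added example that is not MantisBT's own code: a configuration string is concatenated into page markup verbatim, and the fix is to HTML-escape it on output. The function names, the sample values and the <span> wrapper are assumptions for illustration; in MantisBT the value comes from the window_title option and is emitted by core/layout_api.php.

```php
<?php
// Added example, not MantisBT's own code: how a configurable title string
// ends up in the page, and what output escaping changes. Function names and
// the <span> element are assumptions for illustration; in MantisBT the value
// comes from config_get('window_title') inside core/layout_api.php.

// Constructed sample values mirroring the report: a configuration value that
// carries markup. Only users allowed to edit configuration can set it, so it
// is trusted input in theory, but it is still page output and must be escaped.
$t_samples = array(
	'Bug Tracker',
	'<script>alert(1);</script>',
	'<img src="x">',
);

// Vulnerable pattern: the configured string is concatenated into markup
// verbatim, so any tags inside it are parsed by the browser. A CSP that
// forbids inline scripts stops the <script> case but not the <img> case,
// which is why escaping is needed regardless of CSP.
function render_title_unsanitized( $p_title ) {
	return '<span class="brand">' . $p_title . '</span>';
}

// Hardened pattern: escape &, <, >, " and ' before the value reaches the page.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of returning an empty string, which would otherwise hide
// the title silently; the explicit charset avoids relying on default_charset.
function render_title_sanitized( $p_title ) {
	$t_escaped = htmlspecialchars( $p_title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	return '<span class="brand">' . $t_escaped . '</span>';
}

// Check a reviewer can run over the rendered output: once the wrapper we
// added ourselves is stripped, no '<' from the input may survive, so the
// browser sees text rather than elements.
function contains_tag_delimiters( $p_html ) {
	$t_inner = preg_replace( '#^<span class="brand">(.*)</span>$#s', '$1', $p_html );
	return strpos( $t_inner, '<' ) !== false;
}

foreach( $t_samples as $t_title ) {
	$t_unsafe = render_title_unsanitized( $t_title );
	$t_safe   = render_title_sanitized( $t_title );
	printf( "input:      %s\n", $t_title );
	printf( "unescaped:  %s  (tags survive: %s)\n",
		$t_unsafe, contains_tag_delimiters( $t_unsafe ) ? 'yes' : 'no' );
	printf( "escaped:    %s  (tags survive: %s)\n\n",
		$t_safe, contains_tag_delimiters( $t_safe ) ? 'yes' : 'no' );
}
```

Run with `php example.php`. The escaping is done at the point of output rather than when the option is saved, so a value that was stored before the fix is still neutralised, and the stored configuration keeps its original text.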

Tags: No tags attached.

Relationships

related to 0022098 (assigned, syncguru): Setting bottom_include_page does not include specified file

Activities

vboctor (manager) ~0055652
2017-02-12 18:59

PR: https://github.com/mantisbt/mantisbt/pull/1030

dregad (developer) ~0056152
2017-03-21 20:32 (last edited: 2017-03-21 20:34)

Just noticed this... being a security issue, we need to get a CVE ID assigned. I'll take care of it.

> haven't tried on 1.3.x.

It can't affect 1.3.x, since the layout API was introduced in 2.x as part of the modern UI.

Issue was introduced in release 2.0.0-beta.1 (MantisBT master 6a32ba7f).

vboctor (manager) ~0056153
2017-03-21 21:54

@dregad Since this is not exploitable because of CSP, is it still considered a security issue? If we still should create CVE, we should make it clear in the description that this would have no effect if CSP is enabled.

dregad (developer) ~0056157
2017-03-22 04:17

> is it still considered a security issue

Yes. Not only can CSP be disabled, but also some older browsers do not support it.

> we should make it clear in the description that this would have no effect if CSP is enabled

Absolutely. I always do.
In this specific case: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7222

Related Changesets

MantisBT: master-2.1 a85b0b96

2017-02-12 13:58

vboctor

Sanitize window title

The window title is not sanitized. That is not an issue when CSP is enabled (default),
but if disabled, it can execute javascript that is set by a user who has access
to set configuration via Manage - Manage Configuration - Configuration Report page.

Fixes 0022266

Affected Issues: 0022266
mod - core/layout_api.php