View Issue Details
| Field | Value |
|---|---|
| ID | 0024731 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2018-09-03 15:25 |
| Last Update | 2018-09-25 04:19 |
| Reporter | geeknik |
| Assigned To | dregad |
| Priority | high |
| Severity | major |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Target Version | 2.17.1 |
| Fixed in Version | 2.17.1 |
| Summary | 0024731: CVE-2018-16514: Reflected XSS in view_filters_page.php via core/filter_form_api.php |

Description | On sites that do not have CORS security headers or poorly-configured CORS headers (or for users of Internet Explorer 10, 11 and maybe Edge?), there exists a reflected XSS flaw in view_filters_page.php, which I believe is enabled by bad code in core/filter_form_api.php starting at Line 0002779: https://github.com/mantisbt/mantisbt/blob/006cd0cd90c37097e1a065fd3e59ce2534490834/core/filter_form_api.php#L2779

On sites that do have properly configured CORS headers (and browsers that care about CORS headers), this will show up in the Firefox web console:

Even still, the code is still reflected back across the TD cells despite the browser refusing to execute it:

Steps To Reproduce | https://mantisbt.org/bugs/view_filters_page.php/"onmouseover%3d'prompt(1)'bad%3d"

Additional Information | I've attached a screenshot showing the flaw being reproduced on this very site with IE 11.0.9600.19100.

Tags | No tags attached.

Attached Files | Screenshot.
Thanks for the detailed bug report. We will look into it. Did you request a CVE for this? If not, should we take care of it? How would you like to be credited for the finding?
This is very similar to 0024580 - the attack vector is slightly different (onmouseover).
I can reproduce the problem. It is indeed the same root cause as 0024580, i.e. use of

It's worth mentioning that the same vulnerability is also present in manage_filter_edit_page.php:

I think we just need to get rid of using PHP_SELF.
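To illustrate the root cause named in the report and in the comment above, here is an added example (not MantisBT's own code) that builds a form action from constructed `$_SERVER` values populated the way PHP fills them for a request with a trailing path segment; the function names and the request shape are assumptions for illustration:

```php
<?php
// Added example, not MantisBT code: why $_SERVER['PHP_SELF'] reflects
// client-controlled input while $_SERVER['SCRIPT_NAME'] does not.
// All values below are constructed.

// Constructed $_SERVER entries for a request shaped like the one in the report,
//   GET /bugs/view_filters_page.php/<extra path segment>
// PHP populates PHP_SELF as SCRIPT_NAME followed by PATH_INFO, so whatever
// the client appends after the script name becomes part of PHP_SELF.
function constructed_server_vars(): array {
	$t_path_info = '/"onmouseover=\'prompt(1)\'bad="';
	return [
		'SCRIPT_NAME' => '/bugs/view_filters_page.php',
		'PATH_INFO'   => $t_path_info,
		'PHP_SELF'    => '/bugs/view_filters_page.php' . $t_path_info,
	];
}

// Vulnerable pattern (the shape described in the report): the fallback page
// is taken from PHP_SELF and interpolated unescaped, so the quote carried in
// PATH_INFO closes the action attribute and the remainder lands inside the tag.
function form_action_vulnerable( array $p_server ): string {
	$t_fallback = $p_server['PHP_SELF'];
	return '<form action="' . $t_fallback . '">';
}

// Hardened pattern: take the server-derived SCRIPT_NAME, which never carries
// PATH_INFO, and still escape on output so no quote can end the attribute.
function form_action_fixed( array $p_server ): string {
	$t_fallback = $p_server['SCRIPT_NAME'];
	return '<form action="' . htmlspecialchars( $t_fallback, ENT_QUOTES, 'UTF-8' ) . '">';
}

$t_server = constructed_server_vars();
echo form_action_vulnerable( $t_server ), "\n";
echo form_action_fixed( $t_server ), "\n";
```

Running it prints the two form tags side by side; only the first one contains the path segment appended by the client.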
CVE Request 563901 sent to MITRE
Proposed fix, please review 0001-Use-SCRIPT_NAME-instead-of-PHP_SELF.patch (1,104 bytes)
From 66091a42626631a3063774eb0fb8a4218ab22fd4 Mon Sep 17 00:00:00 2001 From: Damien Regad <dregad@mantisbt.org> Date: Wed, 5 Sep 2018 01:39:06 +0200 Subject: [PATCH] Use SCRIPT_NAME instead of PHP_SELF Fix XSS in view_filters_page.php and manage_filter_edit_page.php Fixes #24731 --- core/filter_form_api.php | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/core/filter_form_api.php b/core/filter_form_api.php index 05d5c39e1..7b38752fd 100644 --- a/core/filter_form_api.php +++ b/core/filter_form_api.php @@ -2393,10 +2393,9 @@ function filter_form_draw_inputs( $p_filter, $p_for_screen = true, $p_static = f } if( null === $p_static_fallback_page ) { - $p_static_fallback_page = $_SERVER['PHP_SELF']; - $p_static_fallback_page = string_sanitize_url( $_SERVER['PHP_SELF'] ); + $p_static_fallback_page = $_SERVER['SCRIPT_NAME']; } - $t_filters_url = $p_static_fallback_page; + $t_filters_url = helper_mantis_url( $p_static_fallback_page ); $t_get_params = $_GET; $t_get_params['for_screen'] = $p_for_screen; $t_get_params['static'] = ON; -- 2.16.1.windows.1 |
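Review bot: the hunk removes the `string_sanitize_url()` call together with the PHP_SELF fallback, so this function no longer sanitizes anything it assigns to `$p_static_fallback_page`, and a value passed in explicitly by a caller still reaches `helper_mantis_url( $p_static_fallback_page )` untouched (that was already the case before the change, since only the null branch was sanitized); either route the caller-supplied value through the same sanitization or add a comment stating that callers own that responsibility. At the new `$p_static_fallback_page = $_SERVER['SCRIPT_NAME'];` line, a short comment explaining why PHP_SELF must not return would help future maintainers: PHP_SELF includes the request's PATH_INFO, which the client controls, while SCRIPT_NAME is the script path alone. The two deleted consecutive assignments show the old code was already muddled here (the first assignment was immediately overwritten), so a regression test covering both view_filters_page.php and manage_filter_edit_page.php, as named in the commit message, would be worth adding alongside this change.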
Did a few tests.
dregad, can you credit Brian Carpenter - Geeknik Labs? Thank you.
CVE-2018-16514 assigned