View Issue Details

ID: 0027056
Project: mantisbt
Category: security
View Status: public
Last Update: 2020-09-11 09:02
Reporter: hanno
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.1.0
Target Version: 2.24.2
Fixed in Version: 2.24.2
Summary0027056: CVE-2020-16266: HTML injection (maybe XSS) via custom field on view_all_bug_page.php
Description

The content of the filter variable in the view of the view_all_bug_page.php is not filtered, allowing a third party to inject HTML.

This would usually be a Cross Site Scripting Vulnerability, but the Content Security Policy header blocks executing scripts. However, it might still be possible to achieve XSS by invoking functionality from the bundled JavaScript libraries.

The output should be properly HTML-escaped.

Steps To Reproduce
  1. Create a custom string type field.
  2. Create a form that sends HTML code in the custom field 1 value (see poc).

poc:
<form action="https://[hostname]/view_all_set.php?f=3" method="POST">
<input name="custom_field_1[]" value="<h1 style=color:red>INJECTION</h1>">
<input type=submit>
</form>
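A minimal model of the rendering path the report describes, added here as an example; it is not MantisBT code. The function names (render_filter_values_vulnerable, render_filter_values_escaped, escape_html, contains_unescaped) are hypothetical, the "none" filter sentinel is simplified to an empty string, and PHP's own htmlspecialchars() stands in for the project's escaping helper. It renders the same stored custom field value once the pre-fix way (concatenated into markup untouched) and once escaped at the output boundary, covering both the text context and the hidden-input attribute context the filter state is echoed back in, and then checks that no markup-bearing value survives verbatim in the escaped output.

```php
<?php
// Added example, not MantisBT code. Hypothetical names throughout.
// Models the rendering path from the report: a stored custom field value
// (as sent via custom_field_1[] in the PoC) reaches the filter display
// on view_all_bug_page.php, once unescaped (pre-fix) and once escaped.
declare(strict_types=1);

// Constructed sample values: the second is the PoC payload from this issue,
// the third breaks out of an attribute and adds markup without any script.
const SAMPLE_VALUES = [
    'ordinary value',
    '<h1 style=color:red>INJECTION</h1>',
    '"><b>quoted</b>',
    '',   // stands in for the "none" filter sentinel in this simplified model
];

/** Escape for text and attribute context; ENT_QUOTES covers both ' and ". */
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Pre-fix behaviour: the user-controlled value is concatenated into markup as-is. */
function render_filter_values_vulnerable(array $values): string
{
    $strings = [];
    foreach ($values as $value) {
        $strings[] = ($value === '') ? 'none' : $value;
    }
    return '<td>' . implode(', ', $strings) . '</td>';
}

/** Fixed behaviour: escape at the output boundary, in both contexts the value lands in. */
function render_filter_values_escaped(array $values): string
{
    $strings = [];
    $inputs  = [];
    foreach ($values as $value) {
        // 'none' is a trusted literal, so only the user value needs escaping.
        $strings[] = ($value === '') ? 'none' : escape_html($value);
        // The filter state is echoed back in hidden inputs; attribute context must be escaped too.
        $inputs[] = '<input type="hidden" name="custom_field_1[]" value="' . escape_html($value) . '">';
    }
    return '<td>' . implode(', ', $strings) . '</td>' . implode('', $inputs);
}

/** Check: does any sample value containing markup characters appear verbatim in the output? */
function contains_unescaped(array $values, string $html): bool
{
    foreach ($values as $value) {
        if (preg_match('/[<>"\']/', $value) === 1 && strpos($html, $value) !== false) {
            return true;
        }
    }
    return false;
}

$vulnerable = render_filter_values_vulnerable(SAMPLE_VALUES);
$escaped    = render_filter_values_escaped(SAMPLE_VALUES);

echo "pre-fix:  $vulnerable\n";
echo "escaped:  $escaped\n";

// The pre-fix output must still carry the raw payload, the escaped output must not.
$ok = contains_unescaped(SAMPLE_VALUES, $vulnerable)
   && !contains_unescaped(SAMPLE_VALUES, $escaped)
   && strpos($escaped, '&lt;h1 style=color:red&gt;INJECTION&lt;/h1&gt;') !== false;
echo $ok ? "check passed\n" : "check FAILED\n";
exit($ok ? 0 : 1);
```

Run it with `php example.php`; the exit code is 0 only when the pre-fix rendering contains the raw payload and the escaped rendering contains none of the markup-bearing values. The point of the check helper is the one a reviewer applies to this class of bug: escaping has to happen exactly where the stored value meets markup, for every context it is written into, rather than on input, where the stored value would be damaged for other consumers.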

Tags: No tags attached.

Relationships

related to 0021935 (closed, cproensa): Filter api refactoring, manage stored filters
related to 0027275 (closed, dregad): CVE-2020-25288: HTML Injection on bug_update_page.php

Activities

dregad

2020-06-22 03:37

developer   ~0064114

Thanks for the bug report, I'll have a look at it.

Did you request a CVE for the issue? If so, please let us know the ID; otherwise we'll take care of it. How would you like to be credited for the finding?

dregad

2020-06-22 06:21

developer   ~0064116

Confirmed HTML injection it is! (and potential XSS if CSP settings allow)

image.png (12,504 bytes)

dregad

2020-06-22 06:52

developer   ~0064118

print_filter_values_custom_field() function seems to be the most appropriate place to add the escaping - @cproensa, what do you think?

diff --git a/core/filter_form_api.php b/core/filter_form_api.php
index 6280cabbb..114deaa0d 100644
--- a/core/filter_form_api.php
+++ b/core/filter_form_api.php
@@ -1855,7 +1855,7 @@ function print_filter_values_custom_field( array $p_filter, $p_field_id ) {
            if( filter_field_is_none( $t_val ) ) {
                $t_strings[] = lang_get( 'none' );
            } else {
-               $t_strings[] = $t_val;
+               $t_strings[] = string_attribute( $t_val );
            }
            $t_inputs[] = '&lt;input type=&quot;hidden&quot; name=&quot;custom_field_' . $p_field_id . '[]&quot; value=&quot;' . string_attribute( >        }
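Review bot: the last context line of this hunk is cut off in this view, so it does not show how `$t_strings` is consumed after the loop; `string_attribute()` is the attribute-context escaper, and if `$t_strings` is later written as element text through a display helper that escapes again, the result would be double-escaped (`&amp;lt;`) in one place while the hidden input on the next line is escaped once. Worth confirming at the point where `$t_strings` is joined into markup, and, since `lang_get( 'none' )` stays unescaped in the other branch, a single escape at that join point would cover both branches uniformly. The fix is local to print_filter_values_custom_field(); the related issue 0027275 shows the same custom-field value reaching bug_update_page.php unescaped, so the other places that render custom field values deserve the same check.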
hanno

2020-06-22 06:54

reporter   ~0064119

One addition: I haven't discovered this myself, this was reported to me because I run a public mantis instance which is covered by a (non-payment) bug bounty.

I just ask the finder if he wants to be publicly credited for this.

dregad

2020-06-22 07:17

developer   ~0064120

Problem has existed since the refactoring of filter display in Mantis 2.1.0 (see 0021935)

hanno

2020-07-04 02:47

reporter   ~0064150

Finder of the vulnerability is Jaime Andrés Restrepo, please credit him accordingly when publishing an update + security advisory.

dregad

2020-08-03 05:32

developer   ~0064220

CVE request 938519 sent

dregad

2020-08-03 12:08

developer   ~0064222

CVE-2020-16266 assigned.

Related Changesets

MantisBT: master 9ef8f23a

2020-06-22 06:55:46

dregad

Fix XSS in view_all_bug_page.php (CVE-2020-16266)

Hanno Boeck reported a stored cross-site scripting (XSS) vulnerability,
originally discovered by Jaime Andres Restrepo.

Improper escaping on view_all_bug_page.php allowed a remote attacker to
inject arbitrary HTML into the page by saving it into a text Custom
Field, leading to possible code execution in the browser of any user
subsequently viewing the issue (if CSP settings allow it).

Prevent the attack by properly escaping the custom field's contents
before display.

Fixes 0027056
Affected Issues
0027056
mod - core/filter_form_api.php

Issue History

Date Modified Username Field Change
2020-06-21 02:29 hanno New Issue
2020-06-22 03:37 dregad Status new => acknowledged
2020-06-22 03:37 dregad Note Added: 0064114
2020-06-22 06:21 dregad Note Added: 0064116
2020-06-22 06:21 dregad File Added: image.png
2020-06-22 06:21 dregad Assigned To => dregad
2020-06-22 06:21 dregad Status acknowledged => confirmed
2020-06-22 06:52 dregad Status confirmed => assigned
2020-06-22 06:52 dregad Note Added: 0064118
2020-06-22 06:54 hanno Note Added: 0064119
2020-06-22 07:17 dregad Product Version 2.24.1 => 2.1.0
2020-06-22 07:17 dregad Target Version => 2.24.2
2020-06-22 07:17 dregad Steps to Reproduce Updated View Revisions
2020-06-22 07:17 dregad Note Added: 0064120
2020-06-22 07:17 dregad Relationship added related to 0021935
2020-07-04 02:47 hanno Note Added: 0064150
2020-08-03 05:32 dregad Note Added: 0064220
2020-08-03 12:08 dregad Summary HTML injection (maybe XSS) via custom field on view_all_bug_page.php => CVE-2020-16266: HTML injection (maybe XSS) via custom field on view_all_bug_page.php
2020-08-03 12:08 dregad Note Added: 0064222
2020-08-07 20:10 dregad Changeset attached => MantisBT master 9ef8f23a
2020-08-07 20:10 dregad Status assigned => resolved
2020-08-07 20:10 dregad Resolution open => fixed
2020-08-07 20:10 dregad Fixed in Version => 2.25.0
2020-08-07 20:24 dregad Fixed in Version 2.25.0 => 2.24.2
2020-08-07 20:25 dregad Status resolved => closed
2020-08-09 08:06 dregad View Status private => public
2020-09-11 09:02 dregad Relationship added related to 0027275