oss-sec mailing list archives
CVE Request: Multiple XSS vulnerabilities in MantisBT
From: Damien Regad <dregad () mantisbt org>
Date: Mon, 01 Dec 2014 08:25:33 +0100
Greetings,

Please assign CVE IDs for the following 5 issues.

Thanks in advance

D. Regad
MantisBT Developer
http://www.mantisbt.org


1. XSS in extended project browser
==================================

MantisBT has two modes of operation to select the current project. The second of these, the so-called "extended project browser", is vulnerable to XSS attacks as the code did not check that a given subproject id is indeed an integer.

This allows an attacker to execute arbitrary JavaScript code by forging the MantisBT project cookie.

Affected versions: >= 1.1.0a1, <= 1.2.17
Fixed in versions: 1.2.18 (not yet released)
Patch: See GitHub [1]
Credit: Issue was discovered by Paul Richards and fixed by Paul Richards and Damien Regad.
References: Further details available in our issue tracker [2]

[1] http://github.com/mantisbt/mantisbt/commit/511564cc
[2] http://www.mantisbt.org/bugs/view.php?id=17890


2. XSS in projax_api.php
========================

The Projax library used in MantisBT 1.2.x does not properly escape HTML strings. An attacker could take advantage of this to perform an XSS attack using the profile/Platform field.

Affected versions: >= 1.1.0a3, <= 1.2.17
Fixed in versions: 1.2.18 (not yet released)
Patch: See GitHub [3]
Credit: Issue was reported by Offensive Security via their bug bounty program (http://www.offensive-security.com/bug-bounty-program/). It was fixed by Paul Richards.
References: Further details available in our issue tracker [4]

[3] http://github.com/mantisbt/mantisbt/commit/0bff06ec
[4] http://www.mantisbt.org/bugs/view.php?id=17583


3. XSS in admin panel / copy_field.php
======================================

Use of unsanitized parameters in this admin page allows an attacker to execute arbitrary JavaScript code.

Affected versions: <= 1.2.17
Fixed in versions: 1.2.18 (not yet released)
Patch: See GitHub [5]
Credit: Issue was reported by Mathias Karlsson (http://mathiaskarlsson.me) as part of Offensive Security's bug bounty program [7]. It was fixed by Paul Richards.
References: Further details available in our issue tracker [6]

[5] http://github.com/mantisbt/mantisbt/commit/e5fc835a
[6] http://www.mantisbt.org/bugs/view.php?id=17876
[7] http://www.offensive-security.com/bug-bounty-program/


4. XSS in string_insert_hrefs()
===============================

The URL matching regex in the string_insert_hrefs() function did not validate the protocol, allowing an attacker to use 'javascript://' to execute arbitrary code.

Affected versions: >= 1.2.0a1, <= 1.2.17
Fixed in versions: 1.2.18 (not yet released)
Patch: See GitHub [8]
Credit: Issue was discovered by Mathias Karlsson (http://mathiaskarlsson.me) and reported by Offensive Security (http://www.offensive-security.com/). It was fixed by Damien Regad (MantisBT Developer).
References: Further details available in our issue tracker [9]

[8] http://github.com/mantisbt/mantisbt/commit/05378e00
[9] http://www.mantisbt.org/bugs/view.php?id=17297


5. XSS in file uploads
======================

An attacker could upload a malicious Flash file renamed to bear a recognized image extension (e.g. xss.swf ==> screenshot.png). Since by default MantisBT is configured to allow images to be displayed inline, it is possible to get the Flash to execute.

Affected versions: <= 1.2.17
Fixed in versions: 1.2.18 (not yet released)
Patch: See GitHub [10]
Credit: Issue was reported by Mathias Karlsson (http://mathiaskarlsson.me) as part of Offensive Security's bug bounty program [7]. It was fixed by Damien Regad with contribution from Victor Boctor (MantisBT Developers).
References: Further details available in our issue tracker [11]

[10] http://github.com/mantisbt/mantisbt/commit/9fb8cf36f
[11] http://www.mantisbt.org/bugs/view.php?id=17874