CVE Request: Multiple XSS vulnerabilities in MantisBT
Damien Regad
2014-12-01 07:25:33 UTC
Greetings,

Please assign CVE IDs for the following 5 issues.

Thanks in advance

D. Regad
MantisBT Developer
http://www.mantisbt.org


1. XSS in extended project browser
==================================

MantisBT has two modes of operation to select the current project. The
second of these, the so-called "extended project browser", is vulnerable
to XSS attacks as the code did not check that a given subproject id is
indeed an integer.

This allows an attacker to execute arbitrary JavaScript code by forging
the MantisBT project cookie.

Affected versions:
>= 1.1.0a1, <= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Patch:
See Github [1]

Credit:
Issue was discovered by Paul Richards and fixed by Paul Richards and
Damien Regad.

References:
Further details available in our issue tracker [2]

[1] http://github.com/mantisbt/mantisbt/commit/511564cc
[2] http://www.mantisbt.org/bugs/view.php?id=17890


2. XSS in projax_api.php
========================

The Projax library used in MantisBT 1.2.x does not properly escape HTML
strings. An attacker could take advantage of this to perform an XSS
attack using the profile/Platform field.

Affected versions:
>= 1.1.0a3, <= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Patch:
See Github [3]

Credit:
Issue was reported by Offensive Security via their bug bounty program
(http://www.offensive-security.com/bug-bounty-program/).
It was fixed by Paul Richards.

References:
Further details available in our issue tracker [4]

[3] http://github.com/mantisbt/mantisbt/commit/0bff06ec
[4] http://www.mantisbt.org/bugs/view.php?id=17583


3. XSS in admin panel / copy_field.php
======================================

Use of unsanitized parameters in this admin page allows an attacker to
execute arbitrary JavaScript code.

Affected versions:
<= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Patch:
See Github [5]

Credit:
Issue was reported by Mathias Karlsson (http://mathiaskarlsson.me) as
part of Offensive Security's bug bounty program [7].
It was fixed by Paul Richards.

References:
Further details available in our issue tracker [6]

[5] http://github.com/mantisbt/mantisbt/commit/e5fc835a
[6] http://www.mantisbt.org/bugs/view.php?id=17876
[7] http://www.offensive-security.com/bug-bounty-program/


4. XSS in string_insert_hrefs()
===============================

The URL matching regex in the string_insert_hrefs() function did not
validate the protocol, allowing an attacker to use 'javascript://' to
execute arbitrary code.

Affected versions:
>= 1.2.0a1, <= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Patch:
See Github [8]

Credit:
Issue was discovered by Mathias Karlsson (http://mathiaskarlsson.me) and
reported by Offensive Security (http://www.offensive-security.com/).
It was fixed by Damien Regad (MantisBT Developer).

References:
Further details available in our issue tracker [9]

[8] http://github.com/mantisbt/mantisbt/commit/05378e00
[9] http://www.mantisbt.org/bugs/view.php?id=17297


5. XSS in file uploads
======================

An attacker could upload a malicious Flash file renamed to bear a
recognized image extension (e.g. xss.swf ==> screenshot.png). Since by
default MantisBT is configured to allow images to be displayed inline,
it is possible to get the Flash to execute.

Affected versions:
<= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Patch:
See Github [10]

Credit:
Issue was reported by Mathias Karlsson (http://mathiaskarlsson.me) as
part of Offensive Security's bug bounty program [7].
It was fixed by Damien Regad with contribution from Victor Boctor
(MantisBT Developers).

References:
Further details available in our issue tracker [11]

[10] http://github.com/mantisbt/mantisbt/commit/9fb8cf36f
[11] http://www.mantisbt.org/bugs/view.php?id=17874
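Defensive checks for the two bug classes described in items 4 and 5, as an added Python illustration (not MantisBT's PHP code; the names SAFE_SCHEMES, insert_hrefs and is_inline_safe_image are chosen here): an auto-linker that only turns allowlisted schemes into anchors, and a content check that refuses inline display unless the upload's leading bytes match the image extension it claims.

```python
import html
import re

# Schemes the auto-linker may turn into <a href>; everything else
# (javascript:, data:, vbscript:, ...) stays plain, escaped text.
SAFE_SCHEMES = ("http", "https", "ftp")

# The scheme is captured so it can be checked against the allowlist.
_URL_RE = re.compile(r"\b([a-zA-Z][a-zA-Z0-9+.-]*)://[^\s<>\"']+")


def insert_hrefs(text: str) -> str:
    """HTML-escape `text`, then wrap only allowlisted URLs in anchor tags."""
    out, pos = [], 0
    for m in _URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = m.group(0)
        if m.group(1).lower() in SAFE_SCHEMES:
            safe = html.escape(url, quote=True)
            out.append(f'<a href="{safe}">{safe}</a>')
        else:
            out.append(html.escape(url))  # unknown scheme: left as inert text
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


# Leading bytes of the image formats a tracker would show inline,
# keyed by the extension the uploader claims (constructed table).
_IMAGE_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
}
# Flash containers (uncompressed, zlib, LZMA); rejected explicitly.
_SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def is_inline_safe_image(filename: str, data: bytes) -> bool:
    """Allow inline display only when the bytes match the declared extension.
    xss.swf renamed to screenshot.png fails because its header is not PNG."""
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext == "jpeg":
        ext = "jpg"
    if data.startswith(_SWF_MAGIC):
        return False
    return any(data.startswith(sig) for sig in _IMAGE_MAGIC.get(ext, ()))
```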
c***@mitre.org
2014-12-04 18:20:15 UTC
Post by Damien Regad
1. XSS in extended project browser
[1] http://github.com/mantisbt/mantisbt/commit/511564cc
[2] http://www.mantisbt.org/bugs/view.php?id=17890
Use CVE-2014-9269.
Post by Damien Regad
2. XSS in projax_api.php
[3] http://github.com/mantisbt/mantisbt/commit/0bff06ec
[4] http://www.mantisbt.org/bugs/view.php?id=17583
Use CVE-2014-9270.
Post by Damien Regad
3. XSS in admin panel / copy_field.php
[5] http://github.com/mantisbt/mantisbt/commit/e5fc835a
[6] http://www.mantisbt.org/bugs/view.php?id=17876
Use CVE-2014-9271.

Issues 3 and 5 are MERGED into the same CVE ID because they are the
same type of issue, affecting the same versions, disclosed at the same
time, and found by the same person.
Post by Damien Regad
4. XSS in string_insert_hrefs()
[8] http://github.com/mantisbt/mantisbt/commit/05378e00
[9] http://www.mantisbt.org/bugs/view.php?id=17297
Use CVE-2014-9272.
Post by Damien Regad
5. XSS in file uploads
[10] http://github.com/mantisbt/mantisbt/commit/9fb8cf36f
[11] http://www.mantisbt.org/bugs/view.php?id=17874
Use CVE-2014-9271.

Issues 3 and 5 are MERGED into the same CVE ID because they are the
same type of issue, affecting the same versions, disclosed at the same
time, and found by the same person.
Damien Regad
2014-12-05 08:10:00 UTC
Post by c***@mitre.org
Issues 3 and 5 are MERGED into the same CVE ID because they are the
same type of issue, affecting the same versions, disclosed at the same
time, and found by the same person.
OK, noted.

Many thanks for assigning these CVEs.

Any chance that you could also assign CVE IDs to the following two issues
(requests were sent a week ago)? I'm waiting for these to release 1.2.18.

- http://article.gmane.org/gmane.comp.security.oss.general/14952
- http://article.gmane.org/gmane.comp.security.oss.general/14953

Thanks in advance!
Paul Richards
2014-12-05 09:30:13 UTC
Hello Mitre,

I believe your current analysis is incorrect, and that Damien's attribution
is incorrect.

Issue 17816 regarding copy fields -
http://www.mantisbt.org/bugs/view.php?id=17876 is a duplicate of 17362

The report in issue 17362 referred to a security issue in "5. Reflected XSS
in admin panel: PoC:
[MantisBT]/admin/test_langs.php?dest_id=<script>alert(1)</script>"

At that point my response was "In terms of number 5 - are you sure you
meant test_langs.php. In 1.3-master, there's an issue within copy_field.php
of doing something similar of:

admin/copy_field.php?source_id=1&dest_id="></a><script>alert()</script><b
style="" as I was already aware of an issue within copy_field.php

I should be able to supply a report confirming this later on.

The security researcher then came back and stated that he had indeed made
an error in his report and he did not mean test_langs.php

In this case, the line:

"Credit:
Issue was reported by Mathias Karlsson (http://mathiaskarlsson.me) as part
of Offensive Security's bug bounty program [7].
It was fixed by Paul Richards."

is incorrect as the issue was identified by myself initially, then
subsequently identified (incorrectly) in the initial bug report.

As I need to be able to do a security bulletin regarding my find for the
XSS within copy_field.php, can you please tell me what CVE identifier to
use for this and ensure proper attribution?

Thanks in advance
Paul
Damien Regad
2014-12-05 10:56:20 UTC
Post by Paul Richards
Issue 17816 regarding copy fields -
http://www.mantisbt.org/bugs/view.php?id=17876 is a duplicate of 17362
Nit pick:
17876 is *not a duplicate* of 17362, it is just a child issue opened to
allow individual tracking and resolution of a vulnerability reported as part
of a group.

D
c***@mitre.org
2014-12-05 15:56:38 UTC
Post by Paul Richards
Issue 17816 regarding copy fields -
We assume that you meant to say "Issue 17876" here.
Post by Paul Richards
"Credit: Issue was reported by Mathias Karlsson
(http://mathiaskarlsson.me) as part of Offensive Security's bug bounty
program [7]. It was fixed by Paul Richards."
is incorrect as the issue was identified by myself initially, then
subsequently identified (incorrectly) in the initial bug report.
In this case, it is acceptable to assign a different ID to reflect the
different research organizations, since there is not a new release
yet.

Use CVE-2014-9281 [sic] for the copy_field.php issue, originally
incorrectly reported for test_langs.php (bug 17876).

Continue to use CVE-2014-9271 for the file uploads issue (bug 17874).

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Damien Regad
2014-12-05 20:33:33 UTC
Post by c***@mitre.org
Use CVE-2014-9281 [sic] for the copy_field.php issue, originally
incorrectly reported for test_langs.php (bug 17876).
Continue to use CVE-2014-9271 for the file uploads issue (bug 17874).
The two issues in our tracker have been updated accordingly.