View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0025995 | mantisbt | security | public | 2019-08-14 03:44 | 2019-08-25 07:07 |
| Reporter | KamranSaifullah | Assigned To | dregad | | |
| Priority | immediate | Severity | major | Reproducibility | always |
| Status | closed | Resolution | fixed | | |
| Product Version | 2.13.0 | | | | |
| Target Version | 2.21.2 | Fixed in Version | 2.21.2 | | |
| Summary | 0025995: CVE-2019-15074: Stored XSS Vulnerability in Timeline | | | | |
| Description | Hi, I am Kamran Saifullah, an independent security researcher. I have found a vulnerability which is affecting the current version of MantisHub. The issue is a Stored Cross-Site Scripting vulnerability. We can add attachments to an issue, but if an attacker tries to inject JavaScript in the name of the attachment, the error will be prompted every time the user logs into the account and/or tries to refresh the page. It is also possible to steal the user's cookies as well. Screenshot is attached! | | | | |
| Steps To Reproduce | | | | | |
| Additional Information | none | | | | |
| Tags | No tags attached. | | | | |
| Attached Files | | | | | |
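As an added illustration (not code from MantisBT or from the patch below), the snippet mirrors the pattern the report describes: a timeline line is built from a stored attachment filename, once interpolated as-is and once passed through `htmlspecialchars()`, which is what MantisBT's `string_html_specialchars()` wraps. The filename, user name and bug link are constructed sample values; the message format is assumed, not MantisBT's language string.

```php
<?php
// Added example, not MantisBT code. Builds the timeline line the way the
// vulnerable and the fixed versions do, so the difference is visible.

// Constructed sample: a stored attachment name containing markup characters.
const SAMPLE_FILENAME = 'report<b title="x">.pdf';

// Vulnerable shape: the stored filename is interpolated into HTML as-is,
// so any markup in it becomes part of the page shown to every viewer.
function render_event_unescaped(string $user, string $bug_link, string $filename): string {
    return '<div class="timeline-event">'
        . sprintf('%s uploaded file %s to %s', $user, $filename, $bug_link)
        . '</div>';
}

// Fixed shape: escape at the output site, leaving the stored value intact.
// ENT_QUOTES also covers single quotes, which matters inside attributes.
function render_event_escaped(string $user, string $bug_link, string $filename): string {
    $safe = htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="timeline-event">'
        . sprintf('%s uploaded file %s to %s', $user, $safe, $bug_link)
        . '</div>';
}

// Check: does the raw filename (with its markup) survive into the HTML?
function filename_markup_leaked(string $html, string $filename): bool {
    return strpos($html, $filename) !== false;
}

$user = 'alice';                                   // assumed already HTML-safe
$link = '<a href="view.php?id=1">0000001</a>';     // constructed bug link

echo render_event_unescaped($user, $link, SAMPLE_FILENAME), PHP_EOL;
echo render_event_escaped($user, $link, SAMPLE_FILENAME), PHP_EOL;
var_dump(filename_markup_leaked(render_event_unescaped($user, $link, SAMPLE_FILENAME), SAMPLE_FILENAME));
var_dump(filename_markup_leaked(render_event_escaped($user, $link, SAMPLE_FILENAME), SAMPLE_FILENAME));
```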
@dregad I don't have time to provide a proper fix, but changing line 76 of IssueAttachmentTimelineEvent.class.php to something like the following line should fix the issue

@KamranSaifullah thanks for reporting the issue. When using standard MantisBT the issue should just occur when using browsers that don't support CSP headers. @vboctor maybe MantisHub is another story, as you might have changed CSP headers.

Thanks for the heads up @atrol, not sure how I missed that one yesterday. I'll look into it. @KamranSaifullah thanks for your research and letting us know about this issue. Did you already reserve a CVE for this? If so, let me know the ID; otherwise I'll take care of it, and let me know how you would like to be credited for the finding.

As a side note, creating such a file is not possible under Windows, as

Introduced by MantisBT master 1f608f6b as part of 0023161

Maybe because the issue has been reported in project

@dregad No, I haven't received any CVE; you can proceed, and yes, you can credit me for that. Looking forward.

The attached patch fixes the issue. @KamranSaifullah waiting for your confirmation about the CVE (0025995:0062578). 0001-Fix-XSS-on-timeline.patch (1,295 bytes)
From a61c38bda5bc77e74477f7e9e42cc10c2082adaa Mon Sep 17 00:00:00 2001 From: Damien Regad <dregad@mantisbt.org> Date: Thu, 15 Aug 2019 10:53:18 +0200 Subject: [PATCH] Fix XSS on timeline (CVE-2019-xxxx) Kamran Saifullah reported a stored cross-site scripting (XSS) vulnerability in Timeline, allowing execution of arbitrary code (if CSP settings permit it) after uploading an attachment with a crafted filename. The code is executed for any user having visibility to the issue, whenever My View Page is displayed. Prevent the attack by sanitizing the filename before display. Fixes #25995 --- core/classes/IssueAttachmentTimelineEvent.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/classes/IssueAttachmentTimelineEvent.class.php b/core/classes/IssueAttachmentTimelineEvent.class.php index 8e0425df4..2a6123d87 100644 --- a/core/classes/IssueAttachmentTimelineEvent.class.php +++ b/core/classes/IssueAttachmentTimelineEvent.class.php @@ -73,7 +73,7 @@ class IssueAttachmentTimelineEvent extends TimelineEvent { . sprintf( lang_get( $t_string ), prepare_user_name( $this->user_id ), $t_bug_link, - $this->filename + string_html_specialchars( $this->filename ) ) . '</div>'; $t_html .= $this->html_end(); -- 2.19.1.windows.1 |
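Review bot: The subject line still carries the placeholder `CVE-2019-xxxx`; fill in the assigned identifier before the commit lands (the thread later assigns CVE-2019-15074). The change itself is the right shape: escaping at the output site with `string_html_specialchars( $this->filename )` leaves the stored filename intact and neutralises markup regardless of how the file was uploaded. Worth confirming that the other two sprintf arguments, `prepare_user_name( $this->user_id )` and `$t_bug_link`, already return HTML-safe strings, since the result is appended to `$t_html` without further escaping.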

@dregad No, I haven't received any CVE; you can proceed, and yes, you can credit me for that. Looking forward. Thank you @atrol and the team for the quick fix :D

cross-post... OK I'll take care of it.

Thank you @dregad, I will surely be waiting :))

CVE Request 741408 sent to MITRE

CVE-2019-15074 assigned.

Thank you very much @dregad! The CVE shows that it has been assigned/reserved and is not populated yet. Right?

That's correct. I will inform MITRE to make it public, once we've released 2.21.2 with the patch.

That's great! This is my first ever CVE. Thanks @dregad :D
|
MantisBT: master-2.21 9cee1971 2019-08-15 00:53
Fix XSS on timeline (CVE-2019-15074) Kamran Saifullah reported a stored cross-site scripting (XSS) vulnerability in Timeline, allowing execution of arbitrary code (if CSP settings permit it) after uploading an attachment with a crafted filename. The code is executed for any user having visibility to the issue, whenever My View Page is displayed. Prevent the attack by sanitizing the filename before display. Fixes 0025995
Affected Issues 0025995

mod - core/classes/IssueAttachmentTimelineEvent.class.php