View Issue Details

IDProjectCategoryView StatusLast Update
0025995mantisbtsecuritypublic2019-08-25 07:07
ReporterKamranSaifullah Assigned Todregad  
PriorityimmediateSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Product Version2.13.0 
Target Version2.21.2Fixed in Version2.21.2 
Summary0025995: CVE-2019-15074: Stored XSS Vulnerability in Timeline
Description

Hi,

I am Kamran Saifullah an independent security researcher. I have found a vulnerability which is affecting the current version of MantisHub.

The issue is Stored Cross Site Scripting Vulnerability. We can add the attachments with the issue but if an attacker tried to inject javascript in the name of the attachment. The error will be prompted every time user logs into the account and/or tries to refresh the page. It is also possible to steal the user's cookies as well.

Screenshot is attached!

Steps To Reproduce
  1. Create an Issue
  2. Go to that Issue
  3. Create a file with name ("><img src=x onerror=prompt(1);>) with .jpg
  4. Attach the file with the issue.
  5. Go to the home page.
  6. An error will prompt every time page is refreshed and/or user is logged into the account.
Additional Information

none

TagsNo tags attached.
Attached Files
unnamed.jpg (83,581 bytes)   
unnamed.jpg (83,581 bytes)   

Relationships

related to 0023161 closeddregad Show File Attachment events in Timeline 
related to 0026078 closedatrol CVE-2019-15539: Stored XSS on Project Documentation 

Activities

atrol

atrol

2019-08-14 14:49

developer   ~0062572

@dregad I don't have time to provide a proper fix, but changing line 76 of IssueAttachmentTimelineEvent.class.php to something like the following line should fix the issue

                string_html_specialchars ( $this->filename )
atrol

atrol

2019-08-14 15:00

developer   ~0062573

@KamranSaifullah thanks for reporting the issue.

When using standard MantisBT the issue should just occur when using browsers that don't support CSP headers.

@vboctor maybe MantisHub is another story as you might have changed CSP headers.

dregad

dregad

2019-08-15 04:07

developer   ~0062578

Thanks for the heads up @atrol, not sure how I missed that one yesterday. I'll look into it.

@KamranSaifullah thanks for your research and letting us know about this issue. Did you already reserve a CVE for this ? If so, let me know the ID; otherwise I'll take care of it, and let me know how you would like to be credited for the finding.

dregad

dregad

2019-08-15 04:31

developer   ~0062579

  1. Create a file with name ("><img src=x onerror=prompt(1);>) with .jpg

As a side note, creating such a file is not possible under Windows, as \ / : * ? &quot; &lt; > | are not valid characters for file names.

dregad

dregad

2019-08-15 04:43

developer   ~0062580

Introduced by MantisBT master 1f608f6b as part of 0023161

atrol

atrol

2019-08-15 04:51

developer   ~0062581

not sure how I missed that one yesterday

Maybe because the issue has been reported in project Plugin - Time Tracking.
I moved to mantisbt

KamranSaifullah

KamranSaifullah

2019-08-15 05:09

reporter   ~0062582

@dregad no i haven't received any CVE you can proceed and yes you can credit me for that. Looking forward.

dregad

dregad

2019-08-15 05:09

developer   ~0062583

The attached patch fixes the issue. @KamranSaifullah waiting for your confirmation about the CVE (0025995:0062578).

0001-Fix-XSS-on-timeline.patch (1,295 bytes)   
From a61c38bda5bc77e74477f7e9e42cc10c2082adaa Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Thu, 15 Aug 2019 10:53:18 +0200
Subject: [PATCH] Fix XSS on timeline (CVE-2019-xxxx)

Kamran Saifullah reported a stored cross-site scripting (XSS)
vulnerability in Timeline, allowing execution of arbitrary code (if CSP
settings permit it) after uploading an attachment with a crafted
filename. The code is executed for any user having visibility to the
issue, whenever My View Page is displayed.

Prevent the attack by sanitizing the filename before display.

Fixes #25995
---
 core/classes/IssueAttachmentTimelineEvent.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/classes/IssueAttachmentTimelineEvent.class.php b/core/classes/IssueAttachmentTimelineEvent.class.php
index 8e0425df4..2a6123d87 100644
--- a/core/classes/IssueAttachmentTimelineEvent.class.php
+++ b/core/classes/IssueAttachmentTimelineEvent.class.php
@@ -73,7 +73,7 @@ class IssueAttachmentTimelineEvent extends TimelineEvent {
 			. sprintf( lang_get( $t_string ),
 				prepare_user_name( $this->user_id ),
 				$t_bug_link,
-				$this->filename
+				string_html_specialchars( $this->filename )
 			)
 			. '</div>';
 		$t_html .= $this->html_end();
-- 
2.19.1.windows.1

0001-Fix-XSS-on-timeline.patch (1,295 bytes)   
KamranSaifullah

KamranSaifullah

2019-08-15 05:09

reporter   ~0062584

@dregad no i haven't received any CVE you can proceed and yes you can credit me for that. Looking forward.

Thank you @atrol and the team for the quick fix :D

dregad

dregad

2019-08-15 05:10

developer   ~0062585

cross-post... OK I'll take care of it.

KamranSaifullah

KamranSaifullah

2019-08-15 05:11

reporter   ~0062586

Last edited: 2019-08-15 05:15

Thank you @dregad, i will surely be waiting :))

dregad

dregad

2019-08-15 08:12

developer   ~0062587

CVE Request 741408 sent to MITRE

dregad

dregad

2019-08-15 10:26

developer   ~0062594

CVE-2019-15074 assigned.

KamranSaifullah

KamranSaifullah

2019-08-15 12:39

reporter   ~0062595

Thank you very much @dregad! The CVE shows that it has been assigned/reserved and is not populated yet. Right?

dregad

dregad

2019-08-15 12:59

developer   ~0062596

That's correct. I will inform MITRE to make it public, once we've released 2.21.2 with the patch.
Considering the severity of the bug, it gives our users a chance to update their systems before the CVE goes out.

KamranSaifullah

KamranSaifullah

2019-08-15 13:00

reporter   ~0062597

That's great! This is my first ever CVE. Thank @dregad :D

Related Changesets

MantisBT: master-2.21 9cee1971

2019-08-15 00:53

dregad


Details Diff
Fix XSS on timeline (CVE-2019-15074)

Kamran Saifullah reported a stored cross-site scripting (XSS)
vulnerability in Timeline, allowing execution of arbitrary code (if CSP
settings permit it) after uploading an attachment with a crafted
filename. The code is executed for any user having visibility to the
issue, whenever My View Page is displayed.

Prevent the attack by sanitizing the filename before display.

Fixes 0025995
Affected Issues
0025995
mod - core/classes/IssueAttachmentTimelineEvent.class.php Diff File