View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
0028552 | mantisbt | security | public | 2021-05-15 05:51 | 2021-06-17 12:41

Field | Value
---|---
Reporter | Feras
Assigned To | dregad
Priority | high
Severity | major
Reproducibility | always
Status | closed
Resolution | fixed
Target Version | 2.25.2
Fixed in Version | 2.25.2
Summary | 0028552: CVE-2021-33557: XSS in manage_custom_field_edit_page.php
Description | I noticed that there is a wrong sanitizer that can lead to XSS in file manage_custom_field_edit_page.php. Here, if the input was (`" onfocus="alert(1)" autofocus="`) then the alert will be executed. Originally reported by @Feras in ~65513
Tags | No tags attached.
I am not able to reproduce with the given indications. As far as I know, hidden inputs can't get focus [1], but there may be other ways to trigger code execution. This return parameter does not seem to be used anywhere in the code, looks like a leftover from a very old change (see MantisBT master 81ad05d4). So I'm thinking it is probably best to simply get rid of it, rather than add a string_attribute() call. |
Thank you for opening a new issue. I checked the current case and it is true that it is not possible to work with the hidden input. But there is a case where an attacker can play around when he passes `return` with this value `" accesskey="Y" onclick="alert(1)" autofocus="`. Link example: http://localhost/mantisbt-2.25.1/manage_custom_field_edit_page.php?field_id=1&return=" accesskey="Y" onclick="alert(1)" autofocus=" Then we will have this line in the html page
And if the attacker asks the user to press Alt + Shift + Y, then the script will be executed. Note 1: It works for me on Firefox but it is not working on Chrome. Note 2: We still have the CSP as a second protection.
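An added illustration of the attribute-context injection described in the report and in the follow-up comment above; this is not MantisBT code. It renders the hidden `return` input the way the pre-fix page did (value echoed verbatim) next to an escaped rendering, and counts the attributes that end up on the element to make the breakout visible. string_attribute() is MantisBT's own helper and is approximated here with htmlspecialchars(), which is an assumption; the attribute-counting regex is a constructed check, not a real HTML parser.

```php
<?php
// Added example (not MantisBT code): why echoing a request parameter into an
// HTML attribute without escaping is an XSS sink, and how attribute escaping
// closes it.

function render_hidden_input_unsafe(string $name, string $value): string {
    // Mirrors the pre-fix line in manage_custom_field_edit_page.php:
    // the value lands in the attribute exactly as the request supplied it.
    return '<input type="hidden" name="' . $name . '" value="' . $value . '" />';
}

function escape_attribute(string $value): string {
    // Assumption: stands in for MantisBT's string_attribute(). ENT_QUOTES
    // escapes both " and ', so the value can never terminate the attribute.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_hidden_input_safe(string $name, string $value): string {
    // Mirrors the fixed line: the value is escaped before it is echoed.
    return '<input type="hidden" name="' . $name . '" value="' . escape_attribute($value) . '" />';
}

// Constructed check: count name="..." attribute pairs on the rendered element.
// A hidden input with a fixed name and a single value should carry exactly 3
// (type, name, value); more means the value injected attributes of its own.
function attribute_count(string $html): int {
    return preg_match_all('/\s[a-zA-Z-]+="[^"]*"/', $html);
}

// Constructed sample: the value quoted in the follow-up comment above.
$payload = '" accesskey="Y" onclick="alert(1)" autofocus="';

$unsafe = render_hidden_input_unsafe('return', $payload);
$safe   = render_hidden_input_safe('return', $payload);

// Expected: the unsafe rendering carries 6 attributes (accesskey, onclick and
// autofocus were injected); the escaped rendering carries 3, with the whole
// payload inert inside the value attribute.
printf("unsafe: %s\n  attributes: %d\n", $unsafe, attribute_count($unsafe));
printf("safe:   %s\n  attributes: %d\n", $safe, attribute_count($safe));
```

The same counting check, applied to a page's rendered output in a test, is a cheap regression guard for this class of bug: any echo of request data into an attribute that is not routed through the escaping helper shows up as a changed attribute count.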
@Feras I'm going to request a CVE for this issue, how would you like to be credited for the finding?
I sent the CVE request form, will update the issue when I hear back from MITRE. Until then, please find attached a patch that should address the vulnerability.
This will be reintroduced as part of 0028557.
Attachment: 0001-Fix-XSS-on-manage_custom_field_edit_page.php.patch (1,322 bytes)
From e1667bf81c9cc49738df467bc55ef68049357917 Mon Sep 17 00:00:00 2001 From: Damien Regad <dregad@mantisbt.org> Date: Sat, 15 May 2021 15:43:09 +0200 Subject: [PATCH] Fix XSS on manage_custom_field_edit_page.php Thanks to Feras AL-KASSAR (SAP) <en.feras@hotmail.com> who reported this vulnerability, which was discovered in the context of the EU research project TESTABLE. Unescaped output of 'return' parameter allows an attacker to inject code into a hidden input field in the manage-custom-field-update-form. Fixes #28552, CVE-xxx --- manage_custom_field_edit_page.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manage_custom_field_edit_page.php b/manage_custom_field_edit_page.php index 02126294f..743d92fed 100644 --- a/manage_custom_field_edit_page.php +++ b/manage_custom_field_edit_page.php @@ -87,7 +87,7 @@ $t_definition = custom_field_get_definition( $f_field_id ); <fieldset> <?php echo form_security_field( 'manage_custom_field_update' ); ?> <input type="hidden" name="field_id" value="<?php echo $f_field_id ?>" /> - <input type="hidden" name="return" value="<?php echo $f_return ?>" /> + <input type="hidden" name="return" value="<?php echo string_attribute( $f_return ); ?>" /> <table class="table table-bordered table-condensed table-striped"> <tr> -- 2.25.1 |
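Review bot: the commit message still carries the placeholder `CVE-xxx`; it should be replaced with the assigned identifier before the commit lands (the master-2.25 commit recorded later on this page uses CVE-2021-33557). In the hunk itself, the unchanged context line directly above the fix, `<input type="hidden" name="field_id" value="<?php echo $f_field_id ?>" />`, echoes a second request-derived value into the same kind of attribute without string_attribute(); if `$f_field_id` is read as an integer the risk is nil, but either confirming that cast in the message or escaping it the same way would make the change consistent. Wrapping `$f_return` in string_attribute() is the right treatment for an attribute-context sink; since an earlier comment considered the `return` parameter an unused leftover, the message could also state why escaping was chosen over removing the field.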
CVE-2021-33557 assigned. |
For some reason MITRE assigned a 2nd CVE ID to this issue: CVE-2021-33812. I wrote to them so it gets flagged as duplicate and cancelled. |
MantisBT: master-2.25 03dd3722 2021-05-15 05:43
Fix XSS on manage_custom_field_edit_page.php Thanks to Feras AL-KASSAR (SAP) <en.feras@hotmail.com> who reported this vulnerability, which was discovered in the context of the EU research project TESTABLE. Unescaped output of 'return' parameter allows an attacker to inject code into a hidden input field in the manage-custom-field-update-form. Fixes 0028552, CVE-2021-33557 |
Affected Issues 0028552 |
mod - manage_custom_field_edit_page.php