Message-ID: <m5h55a$vcj$1@ger.gmane.org>
Date: Mon, 01 Dec 2014 08:25:33 +0100
From: Damien Regad <dregad@...tisbt.org>
To: oss-security@...ts.openwall.com
Subject: CVE Request: Multiple XSS vulnerabilities in MantisBT

Greetings,

Please assign CVE IDs for the following 5 issues.

Thanks in advance

D. Regad
MantisBT Developer
http://www.mantisbt.org


1. XSS in extended project browser
==================================

MantisBT has two modes of operation to select the current project. The
second of these, the so-called "extended project browser", is vulnerable
to XSS attacks because the code did not check that a given subproject id
is indeed an integer. This allows an attacker to execute arbitrary
JavaScript code by forging the MantisBT project cookie.

Affected versions: >= 1.1.0a1, <= 1.2.17
Fixed in versions: 1.2.18 (not yet released)
Patch: See Github [1]
Credit: Issue was discovered by Paul Richards and fixed by Paul Richards
and Damien Regad.
References: Further details available in our issue tracker [2]

[1] http://github.com/mantisbt/mantisbt/commit/511564cc
[2] http://www.mantisbt.org/bugs/view.php?id=17890


2. XSS in projax_api.php
========================

The Projax library used in MantisBT 1.2.x does not properly escape HTML
strings. An attacker could take advantage of this to perform an XSS
attack using the profile/Platform field.

Affected versions: >= 1.1.0a3, <= 1.2.17
Fixed in versions: 1.2.18 (not yet released)
Patch: See Github [3]
Credit: Issue was reported by Offensive Security via their bug bounty
program (http://www.offensive-security.com/bug-bounty-program/). It was
fixed by Paul Richards.
References: Further details available in our issue tracker [4]

[3] http://github.com/mantisbt/mantisbt/commit/0bff06ec
[4] http://www.mantisbt.org/bugs/view.php?id=17583


3. XSS in admin panel / copy_field.php
======================================

Use of unsanitized parameters in this admin page allows an attacker to
execute arbitrary JavaScript code.

Affected versions: <= 1.2.17
Fixed in versions: 1.2.18 (not yet released)
Patch: See Github [5]
Credit: Issue was reported by Mathias Karlsson (http://mathiaskarlsson.me)
as part of Offensive Security's bug bounty program [7]. It was fixed by
Paul Richards.
References: Further details available in our issue tracker [6]

[5] http://github.com/mantisbt/mantisbt/commit/e5fc835a
[6] http://www.mantisbt.org/bugs/view.php?id=17876
[7] http://www.offensive-security.com/bug-bounty-program/


4. XSS in string_insert_hrefs()
===============================

The URL matching regex in the string_insert_hrefs() function did not
validate the protocol, allowing an attacker to use 'javascript://' to
execute arbitrary code.

Affected versions: >= 1.2.0a1, <= 1.2.17
Fixed in versions: 1.2.18 (not yet released)
Patch: See Github [8]
Credit: Issue was discovered by Mathias Karlsson (http://mathiaskarlsson.me)
and reported by Offensive Security (http://www.offensive-security.com/).
It was fixed by Damien Regad (MantisBT Developer).
References: Further details available in our issue tracker [9]

[8] http://github.com/mantisbt/mantisbt/commit/05378e00
[9] http://www.mantisbt.org/bugs/view.php?id=17297


5. XSS in file uploads
======================

An attacker could upload a malicious Flash file renamed to bear a
recognized image extension (e.g. xss.swf ==> screenshot.png). Since by
default MantisBT is configured to display images inline, it is possible
to get the Flash file to execute.

Affected versions: <= 1.2.17
Fixed in versions: 1.2.18 (not yet released)
Patch: See Github [10]
Credit: Issue was reported by Mathias Karlsson (http://mathiaskarlsson.me)
as part of Offensive Security's bug bounty program [7]. It was fixed by
Damien Regad with contribution from Victor Boctor (MantisBT Developers).
References: Further details available in our issue tracker [11]

[10] http://github.com/mantisbt/mantisbt/commit/9fb8cf36f
[11] http://www.mantisbt.org/bugs/view.php?id=17874
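The root cause of issues 1 and 2 is the same pair of missing steps: an id read from an attacker-controlled cookie is used without checking that it is an integer, and a string is written into HTML without escaping. The PHP below is an added illustration of both steps and is not MantisBT's code or its patch; the cookie format (ids separated by ';') and the function names are assumptions made for the example.

```php
<?php
// Added example, not MantisBT code. Validate ids taken from an untrusted
// cookie before they are used, and escape values on output regardless.
// Assumed cookie format for this example: decimal ids separated by ';'.

/**
 * Parse a cookie value into a list of positive integer ids.
 * Returns null if any element is not a plain decimal integer, so the
 * caller can fall back to a default project instead of trusting the input.
 */
function parse_project_cookie(string $raw): ?array
{
    $ids = [];
    foreach (explode(';', $raw) as $part) {
        $part = trim($part);
        // ctype_digit rejects signs, whitespace, hex, exponents and markup.
        // The length cap keeps the value well inside PHP's integer range.
        if ($part === '' || !ctype_digit($part) || strlen($part) > 10) {
            return null;
        }
        $ids[] = (int) $part;
    }
    return $ids;
}

/**
 * Escape a value for use inside an HTML attribute or text node.
 * ENT_QUOTES covers both quote styles so the value cannot close an
 * attribute; this is the step the Projax helper (issue 2) left out.
 */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Build the <option> markup for a validated id and its display name. */
function project_option(int $id, string $name): string
{
    // Even an integer goes through the escaper: one code path for output.
    return '<option value="' . html_escape((string) $id) . '">'
        . html_escape($name) . '</option>';
}

// Constructed sample inputs for demonstration.
$good_cookie = '12;7';
$bad_cookie  = '12;7"><script>alert(1)</script>';

$ids = parse_project_cookie($good_cookie);           // [12, 7]
$rejected = parse_project_cookie($bad_cookie);       // null

foreach ($ids ?? [] as $id) {
    echo project_option($id, 'Project "' . $id . '"'), "\n";
}
if ($rejected === null) {
    echo "cookie rejected, using default project\n";
}
```

Validation and escaping are deliberately separate functions: the first bounds what the application will act on (the fix for issue 1), the second makes the output safe however the value was obtained (the fix for issue 2). Skipping either one leaves a hole, which is why the escaper is applied even to values that are already known to be integers.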
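Issue 4 describes an autolinking regex that accepted any scheme. The PHP below is an added example of how a defender can restrict autolinking to an allow-list of schemes; it is not MantisBT's string_insert_hrefs() or the patch in [8], and the pattern, the allow-list and the function name are choices made for this illustration.

```php
<?php
// Added example, not MantisBT code. Turn URLs in plain text into links,
// but only for an allow-listed set of schemes, so that a 'javascript://'
// string (issue 4) is left as inert, escaped text.

const ALLOWED_SCHEMES = ['http', 'https', 'ftp'];

function autolink(string $text): string
{
    // Escape first: the text itself can then never carry markup, and the
    // links below are built only from already-escaped substrings.
    $escaped = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Capture the scheme explicitly so it can be checked, rather than
    // accepting whatever token precedes '://'.
    $pattern = '~\b([a-z][a-z0-9+.-]*)://[^\s<>"\']+~i';

    return preg_replace_callback($pattern, function (array $m): string {
        $scheme = strtolower($m[1]);
        if (!in_array($scheme, ALLOWED_SCHEMES, true)) {
            return $m[0];               // unknown scheme: leave as plain text
        }
        // Second opinion from the URL parser: it must see the same scheme.
        $parsed = parse_url($m[0]);
        if ($parsed === false || strtolower($parsed['scheme'] ?? '') !== $scheme) {
            return $m[0];
        }
        return '<a href="' . $m[0] . '">' . $m[0] . '</a>';
    }, $escaped);
}

// Constructed sample inputs for demonstration.
$samples = [
    'see http://www.mantisbt.org/bugs/view.php?id=17297 for details',
    'click JaVaScRiPt://%0aalert(1) now',          // scheme not allowed
    'mixed: https://example.test/a and data://x',  // first linked, second not
    'no scheme here: www.example.test',            // nothing linked
];

foreach ($samples as $s) {
    echo autolink($s), "\n";
}
```

Two properties matter here. The scheme check is case-insensitive and uses a strict allow-list, so spelling variants of a disallowed scheme do not get through. And escaping happens before matching, so even a URL that is allowed cannot break out of the href attribute, because any quote in it has already become an entity.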
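Issue 5 is a content/extension mismatch: the extension said "image", the bytes said "Flash", and the inline-display setting let the browser decide. The PHP below is an added example of checking the leading bytes of an upload against the type its extension claims before allowing inline display; it is not MantisBT's upload code or the patch in [10], and the signature table and function names are constructed for this illustration.

```php
<?php
// Added example, not MantisBT code. Decide whether an upload may be served
// inline as an image by inspecting its first bytes, not the extension the
// client chose. The table includes the three Flash container magics so a
// renamed .swf (issue 5) is identified as Flash, not as an image.

/** Magic prefix => MIME type. Constructed table for this example. */
function known_signatures(): array
{
    return [
        "\x89PNG\r\n\x1a\n" => 'image/png',
        "\xFF\xD8\xFF"      => 'image/jpeg',
        'GIF87a'            => 'image/gif',
        'GIF89a'            => 'image/gif',
        'FWS'               => 'application/x-shockwave-flash', // uncompressed
        'CWS'               => 'application/x-shockwave-flash', // zlib-compressed
        'ZWS'               => 'application/x-shockwave-flash', // LZMA-compressed
    ];
}

/** Type implied by the file content, or null if no signature matches. */
function sniff_type(string $bytes): ?string
{
    foreach (known_signatures() as $magic => $type) {
        if (strncmp($bytes, $magic, strlen($magic)) === 0) {
            return $type;
        }
    }
    return null;
}

/** Type implied by the extension, restricted to the inline-able image set. */
function extension_type(string $filename): ?string
{
    $map = ['png' => 'image/png', 'jpg' => 'image/jpeg',
            'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $map[$ext] ?? null;
}

/**
 * True only when the extension claims an image type AND the content's
 * signature agrees. Anything else should be served as an attachment
 * (Content-Disposition: attachment, plus X-Content-Type-Options: nosniff)
 * or rejected at upload time.
 */
function safe_to_inline(string $filename, string $bytes): bool
{
    $claimed = extension_type($filename);
    return $claimed !== null && sniff_type($bytes) === $claimed;
}

// Constructed sample contents: only the leading bytes are needed here.
$real_png   = "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16);
$swf_as_png = "CWS\x0a" . str_repeat("\0", 16);

var_dump(safe_to_inline('screenshot.png', $real_png));
var_dump(safe_to_inline('screenshot.png', $swf_as_png));
var_dump(safe_to_inline('notes.txt', 'plain text'));
```

The check is intentionally two-sided: a file whose extension is not on the image list is never inlined, and a file whose extension is on the list is inlined only when the bytes agree. Signature matching alone is not a complete defence (it does not address files that are valid in two formats at once), so the attachment disposition and nosniff header remain the safety net for everything that fails the check.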