Bug 448404 (CVE-2008-3331)

Summary: CVE-2008-3331 mantis: XSS in return_dynamic_filters.php
Product: [Other] Security Response
Component: vulnerability
Reporter: Tomas Hoger <thoger>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: giallu, jreese, rh-bugzilla
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-07-28 08:55:20 UTC

Description Tomas Hoger 2008-05-26 15:06:02 UTC
Antonio "s4tan" Parata and Francesco "ascii" Ongaro discovered that mantis 1.1.1
is prone to an XSS attack in return_dynamic_filters.php via the filter_target
parameter:

  A) XSS Vulnerabilities

  We have found an XSS vulnerability in return_dynamic_filters.php. In
  order to exploit this vulnerability the attacker must be authenticated.
  Usually the anonymous user is allowed on a typical installation, so the
  impact is a bit higher. The following URL is a proof of concept:

  http://www.example.com/mantis/return_dynamic_filters.php?filter_target=
  <script>alert(document.cookie);</script>

References:
http://marc.info/?l=bugtraq&m=121130774617956&w=4
http://www.ush.it/team/ush/hack-mantis111/adv.txt

Upstream bug reports (currently restricted):
http://www.mantisbt.org/bugs/view.php?id=8974
http://www.mantisbt.org/bugs/view.php?id=8977

Upstream commit in 1.1 SVN branch:
http://mantisbt.svn.sourceforge.net/viewvc/mantisbt?view=rev&revision=5116
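
The reflection pattern behind this report, shown as an added PHP illustration that is not MantisBT's own code: it assumes the filter name is echoed into a form element, and KNOWN_FILTER_TARGETS and the function names are hypothetical.

```php
<?php
// Added illustration of the CVE-2008-3331 pattern; not MantisBT's code.
// A request parameter is reflected into HTML without escaping, shown next
// to a hardened handler that validates and encodes it.

// Constructed list of filter names the page is assumed to accept (hypothetical).
const KNOWN_FILTER_TARGETS = ['show_category', 'show_severity', 'show_status'];

// Vulnerable form: the parameter is echoed verbatim, so a value containing
// markup such as "<script>...</script>" is rendered as markup and executes.
function render_filter_unsafe(string $filter_target): string
{
    return '<select name="' . $filter_target . '"></select>';
}

// Hardened form: reject values outside the expected set, then encode on
// output so whatever survives can only be displayed as text.
function render_filter_safe(string $filter_target): string
{
    if (!in_array($filter_target, KNOWN_FILTER_TARGETS, true)) {
        // Unknown target: return an empty, harmless response.
        return '';
    }
    $encoded = htmlspecialchars($filter_target, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<select name="' . $encoded . '"></select>';
}

// Detection aid for a test suite: does the rendered output carry markup
// that the template itself never emits?
function contains_injected_markup(string $html): bool
{
    return (bool) preg_match('/<\s*script|\bon\w+\s*=|javascript:/i', $html);
}

// Constructed hostile value mirroring the public proof of concept.
$hostile = '<script>alert(document.cookie);</script>';

// The unsafe renderer leaks the payload; the safe one does not.
var_dump(contains_injected_markup(render_filter_unsafe($hostile)));
var_dump(contains_injected_markup(render_filter_safe($hostile)));
var_dump(render_filter_safe('show_status'));
```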

Comment 1 Tomas Hoger 2008-05-26 15:15:42 UTC
While looking for the patch for this issue, I've noticed another commit fixing
an XSS issue in account_sponsor_page.php:

http://mantisbt.svn.sourceforge.net/viewvc/mantisbt?view=rev&revision=5135

Comment 2 Fedora Update System 2008-07-19 22:10:54 UTC
mantis-1.1.2-1.fc9 has been submitted as an update for Fedora 9

Comment 3 Fedora Update System 2008-07-19 22:14:37 UTC
mantis-1.1.2-1.fc8 has been submitted as an update for Fedora 8

Comment 4 Fedora Update System 2008-07-23 07:20:10 UTC
mantis-1.1.2-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2008-07-23 07:21:40 UTC
mantis-1.1.2-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Tomas Hoger 2008-07-28 08:53:55 UTC
CVE-2008-3331:
Cross-site scripting (XSS) vulnerability in return_dynamic_filters.php
in Mantis before 1.1.2 allows remote attackers to inject arbitrary web
script or HTML via the filter_target parameter.

Comment 7 Red Hat Product Security 2008-07-28 08:55:20 UTC
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-6657
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-6647