Bug 633003 (CVE-2010-2574)

Summary: CVE-2010-2574 Mantis: XSS in Add Category action.
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: d, giallu, sven
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-17 23:46:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 634341    
Bug Blocks:    

Description Jan Lieskovsky 2010-09-12 12:30:17 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2574 to
the following vulnerability:

Cross-site scripting (XSS) vulnerability in manage_proj_cat_add.php in 
MantisBT 1.2.2 allows remote authenticated administrators to inject 
arbitrary web script or HTML via the name parameter in an Add Category 
action.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2574
[2] http://www.securityfocus.com/archive/1/archive/1/512886/100/0/threaded
[3] http://secunia.com/secunia_research/2010-103/
[4] http://secunia.com/advisories/40832

Upstream changeset:
[5] http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff;h=083c34f06ca927b16e781bae3ae324f450c35ea4

Comment 1 Jan Lieskovsky 2010-09-12 12:37:33 UTC
The relevant code part in Mantis package, as shipped with Fedora
release of 12 and 13 is slightly different:

BUILD/mantisbt-1.1.8/manage_proj_cat_delete.php:

     32         auth_reauthenticate();
     33 
     34         $f_project_id = gpc_get_int( 'project_id' );
     35         $f_category = gpc_get_string( 'category' );

i.e. instead of $f_category_id from [5], there is $f_category in
corresponding Fedora releases. 

The subsequent code in Fedora is as follows:

     39         # Confirm with the user
     40         helper_ensure_confirmed( lang_get( 'category_delete_sure_msg' ) .
     41                 '<br/>' . lang_get( 'category' ) . ': ' . $f_category,
     42                 lang_get( 'delete_category_button' ) );
     43 
     44         category_remove( $f_project_id, $f_category );

On line 41 $f_category isn't sanitized either =>
discussion:
===========
1, if you think it should, as it may be exploitable, please schedule Fedora
   mantis updates,
2, if you think it is not necessary (it is not exploitable), please provide
   arguments, why do you think so.

Thanks, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Comment 2 David Hicks 2010-09-15 00:43:39 UTC
MantisBT 1.2.3 has been released to fix this XSS vulnerabilitiy.

This vulnerability isn't too severe because it requires the malicious user to have project manager permissions (this is typically a position of high trust within a MantisBT environment) to create a maliciously named category. Then a successful attack would require another (target) project manager/administrator to attempt to delete the maliciously named category. However saying that, it is still important to fix even though exploitation would be difficult with MantisBT's use of HttpOnly cookie flags, CSRF tokens and other security features.


Version 1.2.3 release information:

http://sourceforge.net/mailarchive/message.php?msg_name=4C8FC573.3060900%40leetcode.net

http://sourceforge.net/projects/mantisbt/files/

Comment 3 Vincent Danen 2010-09-15 20:18:11 UTC
Created mantis tracking bugs for this issue

Affects: fedora-all [bug 634341]

Comment 4 Gianluca Sforna 2010-12-17 23:46:31 UTC
This is now fixed in all branches