Red Hat Bugzilla – Full Text Bug Listing
Summary: CVE-2013-0197 mantis: Persistent XSS due to improper sanitization of the match_type variable
Product: [Other] Security Response
Component: vulnerability
Version: unspecified
Status: NEW
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Red Hat Product Security <security-response-team>
CC: extras-orphan, giallu, sven
Doc Type: Bug Fix
Bug Depends On: 902331
Description Jan Lieskovsky 2013-01-21 06:18:31 EST
A persistent cross-site scripting (XSS) flaw was found in the way Mantis, a web-based issue tracking system, performed sanitization of the 'match_type' parameter. A remote attacker could provide a specially-crafted URL that, when processed by a Mantis instance, would lead to arbitrary web script or HTML execution.

References:
http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html

Upstream bug report:
http://www.mantisbt.org/bugs/view.php?id=15373

Relevant patches (against 1.2.2 branch):
https://github.com/mantisbt/mantisbt/commit/bbc6b4f3ea8d0a53ae8c44e4218df6675a4e5fdf
https://github.com/mantisbt/mantisbt/commit/610da6ecda08239187bc12bf9bf35ba4d27f1920

Other references:
http://www.openwall.com/lists/oss-security/2013/01/18/1
http://www.openwall.com/lists/oss-security/2013/01/18/8
Comment 1 Jan Lieskovsky 2013-01-21 06:24:11 EST
This issue affects the versions of the mantis package, as shipped with Fedora release of 16, 17, and 18. Please schedule an update.

--

This issue did NOT affect the version of the mantis package, as shipped with Fedora EPEL 5.
Comment 2 Jan Lieskovsky 2013-01-21 06:51:53 EST
Created mantis tracking bugs for this issue

Affects: fedora-all [bug 902331]
Comment 3 Jan Lieskovsky 2013-01-21 07:06:44 EST
Updated post from Damien Regad regarding this issue on OSS list (didn't reach the list yet. Please have a look at further details below):

Kurt Seifried <kseifried@...> writes:
> Please use CVE-2013-0197 for this issue.

Hi Kurt,

Thanks for creating the CVE; please take note of a small rectification on the original issue report:

David Hicks <d <at> hx.id.au> writes:
> Jakub Galczyk discovered a cross site scripting (XSS)
> vulnerability in *MantisBT 1.2.12 and earlier versions*

This affects *only MantisBT version 1.2.12* (and the 'master' development branch after 15-Sep-2012), as earlier versions did not contain the commit introducing the 'match type' filtering feature.

It's also worth mentioning that a better patch for the vulnerability is available under follow-up issue #15388

Damien Regad
MantisBT developer

1.2.x branch: https://github.com/mantisbt/mantisbt/commit/5b491868
master branch: https://github.com/mantisbt/mantisbt/commit/6c6c3d72
http://www.mantisbt.org/bugs/view.php?id=15388
Comment 4 Fedora Update System 2013-03-31 23:26:11 EDT
mantis-1.2.14-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2013-03-31 23:32:25 EDT
mantis-1.2.14-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.