Bug 902315 (CVE-2013-0197)

Summary: CVE-2013-0197 mantis: Persistent XSS due to improper sanitization of the match_type variable
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: extras-orphan, giallu, sven
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20130115,reported=20130118,source=oss-security,cvss2=5.0/AV:N/AC:L/Au:N/C:N/I:P/A:N,fedora-all/mantis=affected,epel-5/mantis=notaffected,cwe=CWE-79[auto]
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 902331
Bug Blocks:

Description Jan Lieskovsky 2013-01-21 06:18:31 EST
A persistent cross-site scripting (XSS) flaw was found in the way Mantis, a web-based issue tracking system, performed sanitization of the 'match_type' parameter. A remote attacker could provide a specially-crafted URL that, when processed by a Mantis instance, would lead to arbitrary web script or HTML execution.

References:
[1] http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html

Upstream bug report:
[2] http://www.mantisbt.org/bugs/view.php?id=15373

Relevant patches (against 1.2.2 branch):
[3] https://github.com/mantisbt/mantisbt/commit/bbc6b4f3ea8d0a53ae8c44e4218df6675a4e5fdf
[4] https://github.com/mantisbt/mantisbt/commit/610da6ecda08239187bc12bf9bf35ba4d27f1920

Other references:
[5] http://www.openwall.com/lists/oss-security/2013/01/18/1
[6] http://www.openwall.com/lists/oss-security/2013/01/18/8
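The report above describes the general shape of the flaw: a filter parameter (match_type) taken from the request and rendered into a page without adequate sanitization, so that markup supplied once can be stored with the filter and replayed to other users. The PHP fragment below is an added illustration of that pattern and of the defensive form; it is not MantisBT code and not taken from the referenced patches. The function names, the assumed allowed values (MATCH_TYPE_ALL, MATCH_TYPE_ANY) and the form markup are assumptions made for the example.

```php
<?php
// Added illustration (not MantisBT code). Two ways of handling a filter
// parameter named match_type: the first is the anti-pattern behind this
// class of flaw, the second is the defensive pattern.

// Anti-pattern: the raw request value is written straight into HTML.
// Whatever the client sent, including markup, lands in the page, and if
// the filter is saved and rendered again later the injection persists.
function render_match_type_unsafe(array $request): string
{
    $match_type = $request['match_type'] ?? '';
    return '<input type="hidden" name="match_type" value="' . $match_type . '">';
}

// Assumed constants: a filter match type is a small enumerated integer.
const MATCH_TYPE_ALL = 0;
const MATCH_TYPE_ANY = 1;

// Defensive pattern, step 1: validate against the allow-list of values the
// application actually defines and reject everything else.
function validate_match_type($value): int
{
    if (!is_string($value) && !is_int($value)) {
        throw new InvalidArgumentException('match_type must be an integer');
    }
    $filtered = filter_var($value, FILTER_VALIDATE_INT);
    if ($filtered === false
        || !in_array($filtered, [MATCH_TYPE_ALL, MATCH_TYPE_ANY], true)) {
        throw new InvalidArgumentException('match_type is not an allowed value');
    }
    return $filtered;
}

// Defensive pattern, step 2: HTML-encode on output regardless of validation,
// so that no value can ever break out of the attribute context.
function render_match_type_safe(array $request): string
{
    $match_type = validate_match_type($request['match_type'] ?? MATCH_TYPE_ALL);
    $encoded = htmlspecialchars((string) $match_type, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="match_type" value="' . $encoded . '">';
}

// Constructed inputs: a legitimate value and a value carrying stray markup.
$good = ['match_type' => '1'];
$bad  = ['match_type' => '1"><b>not a number</b>'];  // constructed sample

echo render_match_type_unsafe($bad), PHP_EOL;  // markup passes through unchanged
echo render_match_type_safe($good), PHP_EOL;   // value="1"
try {
    render_match_type_safe($bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The two steps are deliberately independent: the allow-list check is the real fix for an enumerated parameter, while output encoding is the backstop that keeps a future code path (or a value read back from storage) from reintroducing the problem.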
Comment 1 Jan Lieskovsky 2013-01-21 06:24:11 EST
This issue affects the versions of the mantis package as shipped with Fedora releases 16, 17, and 18. Please schedule an update.

--

This issue did NOT affect the version of the mantis package as shipped with Fedora EPEL 5.
Comment 2 Jan Lieskovsky 2013-01-21 06:51:53 EST
Created mantis tracking bugs for this issue

Affects: fedora-all [bug 902331]
Comment 3 Jan Lieskovsky 2013-01-21 07:06:44 EST
Updated post from Damien Regad regarding this issue on the OSS list (it hasn't reached the list yet; please have a look at the further details below):

Kurt Seifried <kseifried@...> writes:
> Please use CVE-2013-0197 for this issue.

Hi Kurt,

Thanks for creating the CVE; please take note of a small rectification on the
original issue report:

David Hicks <d <at> hx.id.au> writes:
> Jakub Galczyk discovered[1][2] a cross site scripting (XSS)
> vulnerability in *MantisBT 1.2.12 and earlier versions*

This affects *only MantisBT version 1.2.12* (and the 'master'
development branch after 15-Sep-2012), as earlier versions did not contain the
commit introducing the 'match type' filtering feature [1].

It's also worth mentioning that a better patch for the vulnerability is
available under follow-up issue #15388 [2].

Damien Regad
MantisBT developer

[1] 1.2.x branch:  https://github.com/mantisbt/mantisbt/commit/5b491868
    master branch: https://github.com/mantisbt/mantisbt/commit/6c6c3d72
[2] http://www.mantisbt.org/bugs/view.php?id=15388
Comment 4 Fedora Update System 2013-03-31 23:26:11 EDT
mantis-1.2.14-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2013-03-31 23:32:25 EDT
mantis-1.2.14-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.