Bug 448404 - (CVE-2008-3331) CVE-2008-3331 mantis: XSS in return_dynamic_filters.php
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
source=bugtraq,reported=20080520,publ...
: Security
Reported: 2008-05-26 11:06 EDT by Tomas Hoger
Modified: 2016-03-04 06:44 EST
Doc Type: Bug Fix
Last Closed: 2008-07-28 04:55:20 EDT

Description Tomas Hoger 2008-05-26 11:06:02 EDT
Antonio "s4tan" Parata and Francesco "ascii" Ongaro discovered that mantis 1.1.1
is prone to an XSS attack in return_dynamic_filters.php via the filter_target
parameter:

  A) XSS Vulnerabilities

  We have found an XSS vulnerability in return_dynamic_filters.php. In
  order to exploit this vulnerability the attacker must be authenticated.
  Usually the anonymous user is allowed on typical installation, so the
  impact is a bit higher. The following url is a proof of concept:

  http://www.example.com/mantis/return_dynamic_filters.php?filter_target=
  <script>alert(document.cookie);</script>

References:
http://marc.info/?l=bugtraq&m=121130774617956&w=4
http://www.ush.it/team/ush/hack-mantis111/adv.txt

Upstream bug reports (currently restricted):
http://www.mantisbt.org/bugs/view.php?id=8974
http://www.mantisbt.org/bugs/view.php?id=8977

Upstream commit in 1.1 SVN branch:
http://mantisbt.svn.sourceforge.net/viewvc/mantisbt?view=rev&revision=5116
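
Added example, not part of the original report and not Mantis code: a small access-log check that flags requests to return_dynamic_filters.php whose filter_target value contains markup after percent-decoding, including nested encoding. It assumes combined-format web server logs and that legitimate filter_target values are plain identifiers; the log lines, addresses and the value "example_filter" are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PAGE = "/return_dynamic_filters.php"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate filter name never needs these characters.
MARKUP = re.compile(r"[<>\"'`]")

def decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding, e.g. %253C -> %3C -> <."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_filter_target(log_line):
    """Return the decoded filter_target value if it carries markup, else None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not unquote(url.path).endswith(TARGET_PAGE):
        return None
    values = parse_qs(url.query, keep_blank_values=True).get("filter_target", [])
    for raw in values:  # parse_qs has already removed one encoding layer
        value = decode_fully(raw)
        if MARKUP.search(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every suspicious request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_filter_target(line)
        if value is not None:
            hits.append((number, value))
    return hits

# Constructed sample lines for illustration only.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/May/2008:10:00:00 +0000] "GET /mantis/return_dynamic_filters.php?filter_target=example_filter HTTP/1.1" 200 512',
    '192.0.2.11 - - [20/May/2008:10:01:00 +0000] "GET /mantis/return_dynamic_filters.php?filter_target=%3Cscript%3Ealert(document.cookie)%3B%3C/script%3E HTTP/1.1" 200 540',
    '192.0.2.12 - - [20/May/2008:10:02:00 +0000] "GET /mantis/return_dynamic_filters.php?filter_target=%253Cscript%253E HTTP/1.1" 200 530',
    '192.0.2.13 - - [20/May/2008:10:03:00 +0000] "GET /mantis/view.php?id=1 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: filter_target={value!r}")
```

A hit only shows that such a request was received; whether the installation echoed the value unescaped depends on whether it runs a Mantis version before 1.1.2.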
Comment 1 Tomas Hoger 2008-05-26 11:15:42 EDT
While looking for the patch for this issue, I've noticed another commit fixing
an XSS issue in account_sponsor_page.php:

http://mantisbt.svn.sourceforge.net/viewvc/mantisbt?view=rev&revision=5135
Comment 2 Fedora Update System 2008-07-19 18:10:54 EDT
mantis-1.1.2-1.fc9 has been submitted as an update for Fedora 9
Comment 3 Fedora Update System 2008-07-19 18:14:37 EDT
mantis-1.1.2-1.fc8 has been submitted as an update for Fedora 8
Comment 4 Fedora Update System 2008-07-23 03:20:10 EDT
mantis-1.1.2-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2008-07-23 03:21:40 EDT
mantis-1.1.2-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Tomas Hoger 2008-07-28 04:53:55 EDT
CVE-2008-3331:
Cross-site scripting (XSS) vulnerability in return_dynamic_filters.php
in Mantis before 1.1.2 allows remote attackers to inject arbitrary web
script or HTML via the filter_target parameter.
Comment 7 Red Hat Product Security 2008-07-28 04:55:20 EDT
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-6657
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-6647

