Antonio "s4tan" Parata and Francesco "ascii" Ongaro discovered that mantis 1.1.1 is prone to an XSS attack in return_dynamic_filters.php via the filter_target parameter:

A) XSS Vulnerabilities

We have found an XSS vulnerability in return_dynamic_filters.php. In order to exploit this vulnerability the attacker must be authenticated. Usually the anonymous user is allowed on a typical installation, so the impact is a bit higher. The following url is a proof of concept:

http://www.example.com/mantis/return_dynamic_filters.php?filter_target=<script>alert(document.cookie);</script>

References:
http://marc.info/?l=bugtraq&m=121130774617956&w=4
http://www.ush.it/team/ush/hack-mantis111/adv.txt

Upstream bug reports (currently restricted):
http://www.mantisbt.org/bugs/view.php?id=8974
http://www.mantisbt.org/bugs/view.php?id=8977

Upstream commit in 1.1 SVN branch:
http://mantisbt.svn.sourceforge.net/viewvc/mantisbt?view=rev&revision=5116
While looking for the patch for this issue, I've noticed another commit fixing an XSS issue in account_sponsor_page.php:
http://mantisbt.svn.sourceforge.net/viewvc/mantisbt?view=rev&revision=5135
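Added illustration, not code from Mantis or from this bug report: a constructed sketch of how a reflected XSS of the kind described for filter_target arises when a request parameter is echoed straight into HTML, next to the hardened form (allow-list plus output encoding with htmlspecialchars). The field names in the allow-list and the HTML fragment are hypothetical and only stand in for whatever return_dynamic_filters.php actually renders.

```php
<?php
// Constructed example (not Mantis code). Both functions take a $_GET-like
// array so they can be exercised from the command line without a web server.

// Vulnerable pattern: the parameter goes into the markup unchanged, so any
// HTML or script in it becomes part of the page the browser executes.
function render_filter_vulnerable(array $get): string
{
    $target = $get['filter_target'] ?? '';
    return '<select name="' . $target . '"></select>';
}

// Hardened pattern.
function render_filter_hardened(array $get): string
{
    $target = $get['filter_target'] ?? '';

    // 1. Allow-list: a filter target can only be one of a fixed set of field
    //    names known to the application (hypothetical names here).
    $allowed = ['show_category', 'show_severity', 'show_status'];
    if (!in_array($target, $allowed, true)) {
        return '<!-- rejected: unknown filter_target -->';
    }

    // 2. Output encoding: even an allow-listed value is encoded for the HTML
    //    attribute context it lands in, so '<', '>', '"' and "'" cannot break out.
    $safe = htmlspecialchars($target, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<select name="' . $safe . '"></select>';
}

// Constructed request resembling the advisory's proof of concept.
$poc = ['filter_target' => '<script>alert(document.cookie);</script>'];

echo render_filter_vulnerable($poc), PHP_EOL;
// <select name="<script>alert(document.cookie);</script>"></select>
// (the script element is live markup in the rendered page)

echo render_filter_hardened($poc), PHP_EOL;
// <!-- rejected: unknown filter_target -->

echo render_filter_hardened(['filter_target' => 'show_status']), PHP_EOL;
// <select name="show_status"></select>
```

The allow-list alone would already stop the proof of concept, but the encoding step is what makes the output safe regardless of how the allowed set changes later; the upstream fix referenced above should be read with both layers in mind.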
mantis-1.1.2-1.fc9 has been submitted as an update for Fedora 9
mantis-1.1.2-1.fc8 has been submitted as an update for Fedora 8
mantis-1.1.2-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
mantis-1.1.2-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
CVE-2008-3331: Cross-site scripting (XSS) vulnerability in return_dynamic_filters.php in Mantis before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the filter_target parameter.
This issue was addressed in:

Fedora:
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-6657
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-6647