Bug 448404 (CVE-2008-3331) - CVE-2008-3331 mantis: XSS in return_dynamic_filters.php
Summary: CVE-2008-3331 mantis: XSS in return_dynamic_filters.php
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-3331
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-05-26 15:06 UTC by Tomas Hoger
Modified: 2019-09-29 12:24 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-28 08:55:20 UTC
Embargoed:


Description Tomas Hoger 2008-05-26 15:06:02 UTC
Antonio "s4tan" Parata and Francesco "ascii" Ongaro discovered that mantis 1.1.1
is prone to an XSS attack in return_dynamic_filters.php via the filter_target
parameter:

  A) XSS Vulnerabilities

  We have found an XSS vulnerability in return_dynamic_filters.php. In
  order to exploit this vulnerability the attacker must be authenticated.
  Usually the anonymous user is allowed on a typical installation, so the
  impact is a bit higher. The following url is a proof of concept:

  http://www.example.com/mantis/return_dynamic_filters.php?filter_target=
  <script>alert(document.cookie);</script>

References:
http://marc.info/?l=bugtraq&m=121130774617956&w=4
http://www.ush.it/team/ush/hack-mantis111/adv.txt

Upstream bug reports (currently restricted):
http://www.mantisbt.org/bugs/view.php?id=8974
http://www.mantisbt.org/bugs/view.php?id=8977

Upstream commit in 1.1 SVN branch:
http://mantisbt.svn.sourceforge.net/viewvc/mantisbt?view=rev&revision=5116
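
As an added example (not part of this bug report or of the MantisBT code base), a small Python detector that flags access-log requests to return_dynamic_filters.php whose filter_target parameter carries markup, the pattern of the proof of concept above. The common-log-format lines, IP addresses and timestamps are constructed for the example; it decodes the parameter a second time so a double-percent-encoded payload is not missed.

```python
"""Flag requests matching the CVE-2008-3331 pattern in web server access logs."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Common log format request line (assumed log layout for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Markup that never belongs in a filter name: a tag opener, a javascript: URL
# or an inline event handler. Checked on the decoded value only.
SUSPICIOUS_RE = re.compile(r'<\s*/?\s*[a-z]|javascript:|on[a-z]+\s*=', re.IGNORECASE)


def inspect_request(path):
    """Return the decoded filter_target value when a request to
    return_dynamic_filters.php carries markup in it, otherwise None."""
    parts = urlsplit(path)
    if not parts.path.endswith('return_dynamic_filters.php'):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)  # one decoding pass
    for value in query.get('filter_target', []):
        decoded = unquote_plus(value)  # second pass catches double encoding
        if SUSPICIOUS_RE.search(decoded):
            return decoded
    return None


def scan_log(lines):
    """Return (ip, timestamp, payload) for every suspicious request in lines."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line we understand; skip it
        payload = inspect_request(match.group('path'))
        if payload is not None:
            hits.append((match.group('ip'), match.group('ts'), payload))
    return hits


# Constructed sample log: one PoC-style request, one benign filter name,
# one markup request to a different script, one double-encoded request.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/May/2008:15:06:02 +0000] "GET /mantis/return_dynamic_filters.php'
    '?filter_target=%3Cscript%3Ealert(document.cookie)%3B%3C/script%3E HTTP/1.1" 200 1234',
    '198.51.100.7 - - [26/May/2008:15:07:10 +0000] "GET /mantis/return_dynamic_filters.php'
    '?filter_target=severity HTTP/1.1" 200 512',
    '198.51.100.9 - - [26/May/2008:15:08:00 +0000] "GET /mantis/view_all_bug_page.php'
    '?filter_target=%3Cb%3E HTTP/1.1" 200 9000',
    '198.51.100.11 - - [26/May/2008:15:09:30 +0000] "GET /mantis/return_dynamic_filters.php'
    '?filter_target=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 1234',
]

if __name__ == '__main__':
    for ip, ts, payload in scan_log(SAMPLE_LOG):
        print(f'{ts} {ip} filter_target={payload!r}')
```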

Comment 1 Tomas Hoger 2008-05-26 15:15:42 UTC
While looking for the patch for this issue, I've noticed another commit fixing
XSS issue in account_sponsor_page.php:

http://mantisbt.svn.sourceforge.net/viewvc/mantisbt?view=rev&revision=5135

Comment 2 Fedora Update System 2008-07-19 22:10:54 UTC
mantis-1.1.2-1.fc9 has been submitted as an update for Fedora 9

Comment 3 Fedora Update System 2008-07-19 22:14:37 UTC
mantis-1.1.2-1.fc8 has been submitted as an update for Fedora 8

Comment 4 Fedora Update System 2008-07-23 07:20:10 UTC
mantis-1.1.2-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2008-07-23 07:21:40 UTC
mantis-1.1.2-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Tomas Hoger 2008-07-28 08:53:55 UTC
CVE-2008-3331:
Cross-site scripting (XSS) vulnerability in return_dynamic_filters.php
in Mantis before 1.1.2 allows remote attackers to inject arbitrary web
script or HTML via the filter_target parameter.

Comment 7 Red Hat Product Security 2008-07-28 08:55:20 UTC
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-6657
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-6647
