633003 – (CVE-2010-2574) CVE-2010-2574 Mantis: XSS in Add Category action.

Bug 633003 (CVE-2010-2574) - CVE-2010-2574 Mantis: XSS in Add Category action.

Summary: CVE-2010-2574 Mantis: XSS in Add Category action.

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2010-2574
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	634341
Blocks:
TreeView+	depends on / blocked

Reported:	2010-09-12 12:30 UTC by Jan Lieskovsky
Modified:	2019-09-29 12:39 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-12-17 23:46:31 UTC
Embargoed:

Attachments	(Terms of Use)

Description Jan Lieskovsky 2010-09-12 12:30:17 UTC

Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2574 to
the following vulnerability:

Cross-site scripting (XSS) vulnerability in manage_proj_cat_add.php in 
MantisBT 1.2.2 allows remote authenticated administrators to inject 
arbitrary web script or HTML via the name parameter in an Add Category 
action.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2574
[2] http://www.securityfocus.com/archive/1/archive/1/512886/100/0/threaded
[3] http://secunia.com/secunia_research/2010-103/
[4] http://secunia.com/advisories/40832

Upstream changeset:
[5] http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff;h=083c34f06ca927b16e781bae3ae324f450c35ea4

Comment 1 Jan Lieskovsky 2010-09-12 12:37:33 UTC

The relevant code part in Mantis package, as shipped with Fedora
release of 12 and 13 is slightly different:

BUILD/mantisbt-1.1.8/manage_proj_cat_delete.php:

     32         auth_reauthenticate();
     33 
     34         $f_project_id = gpc_get_int( 'project_id' );
     35         $f_category = gpc_get_string( 'category' );

i.e. instead of $f_category_id from [5], there is $f_category in
corresponding Fedora releases. 

The subsequent code in Fedora is as follows:

     39         # Confirm with the user
     40         helper_ensure_confirmed( lang_get( 'category_delete_sure_msg' ) .
     41                 '<br/>' . lang_get( 'category' ) . ': ' . $f_category,
     42                 lang_get( 'delete_category_button' ) );
     43 
     44         category_remove( $f_project_id, $f_category );

On line 41 $f_category isn't sanitized either =>
discussion:
===========
1, if you think it should, as it may be exploitable, please schedule Fedora
   mantis updates,
2, if you think it is not necessary (it is not exploitable), please provide
   arguments, why do you think so.

Thanks, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Comment 2 David Hicks 2010-09-15 00:43:39 UTC

MantisBT 1.2.3 has been released to fix this XSS vulnerabilitiy.

This vulnerability isn't too severe because it requires the malicious user to have project manager permissions (this is typically a position of high trust within a MantisBT environment) to create a maliciously named category. Then a successful attack would require another (target) project manager/administrator to attempt to delete the maliciously named category. However saying that, it is still important to fix even though exploitation would be difficult with MantisBT's use of HttpOnly cookie flags, CSRF tokens and other security features.


Version 1.2.3 release information:

http://sourceforge.net/mailarchive/message.php?msg_name=4C8FC573.3060900%40leetcode.net

http://sourceforge.net/projects/mantisbt/files/

Comment 3 Vincent Danen 2010-09-15 20:18:11 UTC

Created mantis tracking bugs for this issue

Affects: fedora-all [bug 634341]

Comment 4 Gianluca Sforna 2010-12-17 23:46:31 UTC

This is now fixed in all branches

Note You need to log in before you can comment on or make changes to this bug.