Bug 633003 - (CVE-2010-2574) CVE-2010-2574 Mantis: XSS in Add Category action.
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
public=20100805,reported=20100903,sou...
Keywords: Security
Depends On: 634341
Reported: 2010-09-12 08:30 EDT by Jan Lieskovsky
Modified: 2016-03-04 07:44 EST (History)
Doc Type: Bug Fix
Last Closed: 2010-12-17 18:46:31 EST

Description Jan Lieskovsky 2010-09-12 08:30:17 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2574 to
the following vulnerability:

Cross-site scripting (XSS) vulnerability in manage_proj_cat_add.php in 
MantisBT 1.2.2 allows remote authenticated administrators to inject 
arbitrary web script or HTML via the name parameter in an Add Category 
action.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2574
[2] http://www.securityfocus.com/archive/1/archive/1/512886/100/0/threaded
[3] http://secunia.com/secunia_research/2010-103/
[4] http://secunia.com/advisories/40832

Upstream changeset:
[5] http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff;h=083c34f06ca927b16e781bae3ae324f450c35ea4
Comment 1 Jan Lieskovsky 2010-09-12 08:37:33 EDT
The relevant code part in the Mantis package, as shipped with Fedora
releases 12 and 13, is slightly different:

BUILD/mantisbt-1.1.8/manage_proj_cat_delete.php:

     32         auth_reauthenticate();
     33 
     34         $f_project_id = gpc_get_int( 'project_id' );
     35         $f_category = gpc_get_string( 'category' );

i.e. instead of $f_category_id from [5], there is $f_category in
corresponding Fedora releases. 

The subsequent code in Fedora is as follows:

     39         # Confirm with the user
     40         helper_ensure_confirmed( lang_get( 'category_delete_sure_msg' ) .
     41                 '<br/>' . lang_get( 'category' ) . ': ' . $f_category,
     42                 lang_get( 'delete_category_button' ) );
     43 
     44         category_remove( $f_project_id, $f_category );

On line 41 $f_category isn't sanitized either =>
discussion:
===========
1. If you think it should be, as it may be exploitable, please schedule Fedora
   mantis updates;
2. If you think it is not necessary (it is not exploitable), please provide
   arguments for why you think so.

Thanks, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
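As an added illustration that is not code from this bug or from MantisBT, the following PHP places the unescaped concatenation pattern from the Fedora snippet in Comment 1 (the category name inserted into the confirmation message on line 41) beside a version that escapes the value for an HTML context. The function names and the sample category name are constructed for this demonstration, and PHP's built-in htmlspecialchars() stands in for whichever MantisBT display helper the upstream fix in [5] uses; it is an assumption that a text/HTML context is the only place the value lands.

```php
<?php
// Added example (not MantisBT code): the unsafe concatenation pattern from
// the Fedora manage_proj_cat_delete.php snippet beside an escaped version.
// Function names are assumptions chosen for this demonstration.

// Vulnerable pattern: a user-controlled category name is concatenated into
// an HTML confirmation message without escaping, as on line 41 above.
function build_confirm_message_unsafe(string $category): string {
    return 'Are you sure you want to delete this category?' .
        '<br/>Category: ' . $category;
}

// Hardened pattern: escape the value for an HTML text context before it is
// concatenated. ENT_QUOTES encodes both quote styles so the same value would
// also be safe inside an attribute; the charset is stated explicitly so the
// encoder does not guess.
function build_confirm_message_safe(string $category): string {
    $escaped = htmlspecialchars($category, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return 'Are you sure you want to delete this category?' .
        '<br/>Category: ' . $escaped;
}

// Constructed sample input: a category name that contains markup characters,
// the kind of value an untrusted project manager could store as a name.
$sample = 'Web <b>UI</b> & "Core"';

// In the unsafe form the raw tags reach the browser and are rendered as HTML.
echo build_confirm_message_unsafe($sample), PHP_EOL;

// In the safe form the markup characters are turned into entities and the
// name is shown as literal text. The assertion checks that no raw tag from
// the input survives in the escaped message.
$safe = build_confirm_message_safe($sample);
echo $safe, PHP_EOL;
assert(strpos($safe, '<b>') === false);
assert(strpos($safe, '"Core"') === false);
```

Run with `php example.php`. The same escaping step belongs wherever $f_category is rendered, not only in the delete confirmation: escaping at the point of output is what makes the Add Category and Delete Category paths consistent, regardless of whether the value came in as $f_category (Fedora 1.1.8) or as a looked-up name from $f_category_id (1.2.x).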
Comment 2 David Hicks 2010-09-14 20:43:39 EDT
MantisBT 1.2.3 has been released to fix this XSS vulnerability.

This vulnerability isn't too severe because it requires the malicious user to have project manager permissions (this is typically a position of high trust within a MantisBT environment) to create a maliciously named category. Then a successful attack would require another (target) project manager/administrator to attempt to delete the maliciously named category. However, saying that, it is still important to fix even though exploitation would be difficult with MantisBT's use of HttpOnly cookie flags, CSRF tokens and other security features.


Version 1.2.3 release information:

http://sourceforge.net/mailarchive/message.php?msg_name=4C8FC573.3060900%40leetcode.net

http://sourceforge.net/projects/mantisbt/files/
Comment 3 Vincent Danen 2010-09-15 16:18:11 EDT
Created mantis tracking bugs for this issue

Affects: fedora-all [bug 634341]
Comment 4 Gianluca Sforna 2010-12-17 18:46:31 EST
This is now fixed in all branches
