Red Hat Bugzilla – Bug 633003
CVE-2010-2574 Mantis: XSS in Add Category action.
Last modified: 2016-03-04 07:44:03 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2574 to
the following vulnerability:
Cross-site scripting (XSS) vulnerability in manage_proj_cat_add.php in
MantisBT 1.2.2 allows remote authenticated administrators to inject
arbitrary web script or HTML via the name parameter in an Add Category
The relevant code part in Mantis package, as shipped with Fedora
release of 12 and 13 is slightly different:
34 $f_project_id = gpc_get_int( 'project_id' );
35 $f_category = gpc_get_string( 'category' );
i.e. instead of $f_category_id from , there is $f_category in
corresponding Fedora releases.
The subsequent code in Fedora is as follows:
39 # Confirm with the user
40 helper_ensure_confirmed( lang_get( 'category_delete_sure_msg' ) .
41 '<br/>' . lang_get( 'category' ) . ': ' . $f_category,
42 lang_get( 'delete_category_button' ) );
44 category_remove( $f_project_id, $f_category );
On line 41 $f_category isn't sanitized either =>
1, if you think it should, as it may be exploitable, please schedule Fedora
2, if you think it is not necessary (it is not exploitable), please provide
arguments, why do you think so.
Jan iankko Lieskovsky / Red Hat Security Response Team
MantisBT 1.2.3 has been released to fix this XSS vulnerabilitiy.
This vulnerability isn't too severe because it requires the malicious user to have project manager permissions (this is typically a position of high trust within a MantisBT environment) to create a maliciously named category. Then a successful attack would require another (target) project manager/administrator to attempt to delete the maliciously named category. However saying that, it is still important to fix even though exploitation would be difficult with MantisBT's use of HttpOnly cookie flags, CSRF tokens and other security features.
Version 1.2.3 release information:
Created mantis tracking bugs for this issue
Affects: fedora-all [bug 634341]
This is now fixed in all branches