SecurityTracker.com
Category: Application (Generic) > MantisBT
Vendors: mantisbt.sourceforge.net
MantisBT Input Validation Flaws in '/admin/install.php' and 'manage_user_page.php' Let Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1039030
SecurityTracker URL:  http://securitytracker.com/id/1039030
CVE Reference:  CVE-2017-12061, CVE-2017-12062
Date:  Aug 1 2017
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information

Version(s): prior to versions 1.3.12, 2.5.2, 2.6.0
Description:   Two vulnerabilities were reported in MantisBT. A remote user can conduct cross-site scripting attacks.

The software does not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the MantisBT software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The '/admin/install.php' installation script is affected, but only on systems where the 'admin/' folder was not deleted after installation as the MantisBT Admin Guide recommends [CVE-2017-12061]. Versions 1.3.11 and older and 2.5.1 and older are affected.

The 'manage_user_page.php' script is affected via a crafted 'filter' parameter [CVE-2017-12062]. Versions 2.1.0 through 2.5.1 are affected; the injected script executes only where the site's Content Security Policy settings permit it.
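
As an added illustration (not MantisBT code and not part of the original alert), the following Python shows the flaw pattern described above next to its hardened form, a check for whether a response reflects a submitted probe string unescaped, and a check for whether a Content-Security-Policy header would still let an injected inline script run, which is the condition the vendor advisory below attaches to CVE-2017-12062. The `<input name="filter">` markup, the probe string and the sample CSP values are constructed for the demonstration and are not taken from MantisBT.

```python
"""Reflected XSS: vulnerable vs. hardened rendering, a reflection check,
and a CSP inline-script check.  Added illustration for this advisory; it is
not MantisBT code.  The markup around the 'filter' value is an assumption."""
import html

# Constructed probe a tester might submit as the 'filter' parameter to see
# whether the page echoes it back without encoding.  Not a real exploit.
PROBE = '"><svg onload=alert(1)>'


def render_filter_vulnerable(filter_value: str) -> str:
    """The flawed pattern: user input is interpolated straight into markup."""
    return f'<input type="text" name="filter" value="{filter_value}">'


def render_filter_safe(filter_value: str) -> str:
    """Hardened form: encode for the HTML attribute context before echoing.
    quote=True turns both ' and " into entities, so the value cannot close
    the attribute it sits in."""
    encoded = html.escape(filter_value, quote=True)
    return f'<input type="text" name="filter" value="{encoded}">'


def reflects_unescaped(body: str, marker: str) -> bool:
    """True when the exact submitted marker appears verbatim in the response,
    i.e. the application did not encode it on output."""
    return marker in body


def inline_script_allowed(csp: str = "") -> bool:
    """Decide whether a Content-Security-Policy header lets inline script run.

    Rules applied (CSP Level 2/3 semantics, without 'strict-dynamic'):
      * no header at all            -> inline script runs
      * script-src governs; if absent, default-src does; if neither, allowed
      * inline runs only with 'unsafe-inline' AND no nonce-/hash-source,
        because a nonce or hash makes browsers ignore 'unsafe-inline'
    """
    if not csp:
        return True
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
        for s in sources
    )
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def exploitable(body: str, marker: str, csp: str = "") -> bool:
    """Reflected XSS is only useful if the input is echoed unescaped AND the
    policy lets the injected inline script execute."""
    return reflects_unescaped(body, marker) and inline_script_allowed(csp)


if __name__ == "__main__":
    vuln = render_filter_vulnerable(PROBE)
    safe = render_filter_safe(PROBE)
    print("vulnerable page reflects probe:", reflects_unescaped(vuln, PROBE))
    print("hardened page reflects probe:  ", reflects_unescaped(safe, PROBE))
    for policy in ("", "script-src 'self'", "script-src 'self' 'unsafe-inline'"):
        print(f"CSP={policy!r:40} exploitable={exploitable(vuln, PROBE, policy)}")
```

The CSP check matters for triage: a page that reflects input unescaped is still a bug to fix, but whether it is immediately exploitable in a victim's browser depends on the effective `script-src`, and a nonce or hash source silently disables `'unsafe-inline'` in CSP2+ browsers.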

aLLy from ONSEC and Trí Chim Trích reported these vulnerabilities.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the MantisBT software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued source code fixes, available at:

https://github.com/mantisbt/mantisbt/commit/17f9b94f031ba93ae2a727bca0e68458ecd08fb0
https://github.com/mantisbt/mantisbt/commit/c73ae3d3d4dd4681489a9e697e8ade785e27cba5
https://github.com/mantisbt/mantisbt/commit/9b5b71dadbeeeec27efea59f562ac5bd6d2673b7

The fixes will be included in pending versions 1.3.12, 2.5.2, and 2.6.0.

Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Tue, 1 Aug 2017 15:22:33 +0200
Subject:  [oss-security] Advisory: XSS issues in MantisBT (CVE-2017-12061, CVE-2017-12062)

Please take note of the following 2 cross-site scripting issues in MantisBT.

Best regards
Damien Regad
MantisBT developer


1. CVE-2017-12061: XSS in /admin/install.php script

A cross-site scripting (XSS) vulnerability in the MantisBT
Installation script allows remote attackers to inject arbitrary code
through crafted parameters.

This is only possible if the admin/ folder was not deleted after
installation, as recommended in the MantisBT Admin Guide [1].

Affected versions: 1.3.11 and older, 2.5.1 and older
Fixed in versions: 1.3.12, 2.5.2, 2.6.0 (not yet released*)

Patch:
- 1.3:
https://github.com/mantisbt/mantisbt/commit/17f9b94f031ba93ae2a727bca0e68458ecd08fb0
- 2.x:
https://github.com/mantisbt/mantisbt/commit/c73ae3d3d4dd4681489a9e697e8ade785e27cba5

Credits:
- Reported by aLLy from ONSEC (https://twitter.com/IamSecurity)
- Fixed by Damien Regad (MantisBT Developer)

References:
- MantisBT issue tracker https://mantisbt.org/bugs/view.php?id=23146

[1]
http://mantisbt.org/docs/master/en-US/Admin_Guide/html-desktop/#admin.install.postcommon


2. CVE-2017-12062: XSS in manage_user_page.php

A cross-site scripting (XSS) vulnerability in the MantisBT
Manage User page allows remote attackers to inject arbitrary code (if
CSP settings permit it) through a crafted 'filter' parameter.

Affected versions: 2.1.0 through 2.5.1
Fixed in versions: 2.5.2, 2.6.0 (not yet released*)

Patch:
https://github.com/mantisbt/mantisbt/commit/9b5b71dadbeeeec27efea59f562ac5bd6d2673b7

Credits:
- Reported by Trí Chim Trích (https://twitter.com/trichimtrich)
- Fixed by Roland Becker (MantisBT Developer)

References:
- MantisBT issue tracker http://www.mantisbt.org/bugs/view.php?id=23166


* Releases 1.3.9, 2.1.3, 2.2.3 and 2.3.0 are scheduled for release on the
coming week-end




Copyright 2017, SecurityGlobal.net LLC