View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0027275 | mantisbt | security | public | 2020-09-10 20:12 | 2020-09-25 14:53 |
Reporter | d3vpoo1 | Assigned To | dregad | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Platform | Windows | OS | Windows | OS Version | Windows 10 |
Product Version | 2.23.0 | ||||
Target Version | 2.24.3 | Fixed in Version | 2.24.3 | ||
Summary | 0027275: CVE-2020-25288: HTML Injection on bug_update_page.php | ||||
Description | Basically, the reason I came to this product is because of this HackerOne report, and it seems that you are passing CVEs, so I tried to find any issues on this platform. I found out that this old report is also about HTML Injection, but the endpoint is different, so maybe I should report this issue. | ||||
Steps To Reproduce | EDIT (dregad): | ||||
Additional Information | None | ||||
Tags | No tags attached. | ||||
Attached Files | |||||
In case you need another PoC

@amphetamine, is this a duplicate issue? This seems to be on a different endpoint.
EDIT (dregad): removed payload triggering execution of remote script

Thanks for the report. I'll have a look. NOTE: please make sure to submit security issues as Private, to avoid unwanted disclosure and potential exploits before a patch is available.

~0064416 effectively proves that the XSS does work, so the vulnerability is officially confirmed. This one warrants a CVE; please let me know how you would like to be credited.

The XSS is triggered by the input's pattern attribute. The error was introduced in 2.23.0 (see 0025972) in cfdef_input_textbox().

Updated steps to reproduce

CVE Request 957891 sent.

Hello, thanks for the update! Is it possible to redact some information before setting this to public?

Depends... What do you have in mind?

CVE-2020-25288 assigned.

@d3vpoo1, please see the attached proposed patch; your feedback is welcome.
0001-Fix-XSS-in-Custom-Field-regex-pattern-validation.patch (1,063 bytes)
From 007a02d02b34b3f2c789b2ce6fdfb614536c53f2 Mon Sep 17 00:00:00 2001 From: Damien Regad <dregad@mantisbt.org> Date: Sat, 12 Sep 2020 12:20:49 +0200 Subject: [PATCH] Fix XSS in Custom Field regex pattern validation Improper escaping of the custom field definition's Regular Expression allowed an attacker to inject HTML into the page. Credits to d3vpoo1 (https://gitlab.com/jrckmcsb) for the finding. Fixes #27275 --- core/cfdefs/cfdef_standard.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/cfdefs/cfdef_standard.php b/core/cfdefs/cfdef_standard.php index 5653cdf78..039c1c86c 100644 --- a/core/cfdefs/cfdef_standard.php +++ b/core/cfdefs/cfdef_standard.php @@ -467,7 +467,7 @@ function cfdef_input_textbox( array $p_field_def, $p_custom_field_value, $p_requ if( substr( $t_cf_regex, -1 ) != '$' ) { $t_cf_regex .= '.*'; } - echo ' pattern="' . $t_cf_regex . '"'; + echo ' pattern="' . string_attribute( $t_cf_regex ) . '"'; } echo ' value="' . string_attribute( $p_custom_field_value ) .'" />'; } -- 2.25.1 |
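Review bot: the patch changes only core/cfdefs/cfdef_standard.php and ships no regression test for the hunk in cfdef_input_textbox(); a test that renders a custom field whose regex contains `"` and `<` and asserts that the emitted `pattern="..."` attribute is encoded would keep this from reappearing. The fix itself is placed correctly: wrapping `$t_cf_regex` in `string_attribute()` only at the `echo` means the preceding `substr( $t_cf_regex, -1 ) != '$'` check and the `.= '.*'` append still operate on the raw regex, and it matches how the following context line already escapes `value="` with the same helper. Since this hunk covers only the textbox renderer, it is worth checking whether the same custom field regex is written into any other cfdef output path without escaping.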

If possible, redact my payload and instead replace this with a Blind XSS payload.
I am new to this stuff; is this going to become searchable soon?
It seems a new validation was added, if this

Greetings! I reported an issue about CSRF, but until now I have received no response. Can you check ticket number

I believe I did that already - either removed the payload, and/or marked the posts as private so only MantisBT developers and you can see it.
It will be publicly available when the fix gets merged in our repo and the patched version 2.24.3 is released, some time soon.
I saw that when you reported it. There is no point in pinging me and cross-posting here, it is just annoying.

Understood! Thanks, and apologies for the cross-posting.

@dregad, the change in 0027275:0064437 looks good.

MantisBT: master-2.24 221cf323 2020-09-12 02:20
Fix XSS in Custom Field regex pattern validation
Improper escaping of the custom field definition's Regular Expression allowed an attacker to inject HTML into the page (CVE-2020-25288). Credits to d3vpoo1 (https://gitlab.com/jrckmcsb) for the finding. Fixes 0027275
Affected Issues 0027275

mod - core/cfdefs/cfdef_standard.php