Hi Sils,

Thank you for debugging this issue further and discovering the additional problem with form_action_self().

On Mon, 2011-09-05 at 15:14 +0200, sils wrote:
> The XSS injection continues to be produced because of the function
> "form_action_self". This function is used to generate a form action
> value when forms are designed to be submitted to the same url.

Agreed, good catch. I just grepped the source code and am troubled to find PHP_SELF used in most of the libraries MantisBT 1.2.x depends upon: JpGraph, NuSOAP and ADOdb. From my experience with these codebases I can almost guarantee they will have issues with PHP_SELF usage. I'll have to take a look at these in the following days to confirm.

> This function returns: basename($_SERVER['PHP_SELF']);

In this case, use of PHP_SELF is not really necessary because we're only after the basename component (view_all_bugs.php, bug_report_page.php, etc). While it's possible that users have set up rewrite rules within their HTTP daemon to remap file names, this is an unlikely scenario and is probably already broken with the use of PHP_SELF.

> a) remove the form_action_self() from all pages

I think this would be hard to achieve because we'd have to change some APIs within MantisBT 1.2.x (potentially breaking plugins) to pass through form names.

> b) change the form_action_self() in core/form_api.php

This strikes me as being the easiest and safest approach (not breaking anything else) for the 1.2.x branch. I've created and committed a patch [1] that swaps PHP_SELF for SCRIPT_NAME in this function. I've also gone through and applied proper escaping to URLs in the action attribute where we use the return value of form_action_self().

> I hope this could help, and we wait for your reply, because we don't
> want to spare much time with an open CVE issue in the package.

Agreed. Thank you very much for your help with these vulnerabilities. Please let me know if I can be of any further assistance. Hopefully we have all the patches needed in the master-1.2.x tree to resolve all known outstanding vulnerabilities.

Regards,
David

[1] https://github.com/mantisbt/mantisbt/commit/e679a1c02978ba1b811959dedc358598fc595458
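The following is an added illustration, not MantisBT's own code or the code from the commit referenced above. It contrasts a PHP_SELF-based form action helper with the SCRIPT_NAME-based variant plus output escaping that the message describes. The function names and the sample $_SERVER values are constructed for the example; the point is that PHP_SELF carries request path info that the browser controls, while SCRIPT_NAME holds only the path of the script actually executed, and that the value still has to be escaped at the point where it lands in an HTML attribute.

```php
<?php
// Added example (not MantisBT code). Demonstrates why basename(PHP_SELF)
// is an unsafe source for a form action and what the described fix changes.

// Constructed request values: the client requested the script with trailing
// path info containing a double quote. PHP_SELF reflects that path info;
// SCRIPT_NAME does not.
$server = [
    'PHP_SELF'    => '/mantis/view_all_bugs.php/"extra',
    'SCRIPT_NAME' => '/mantis/view_all_bugs.php',
];

// Pattern identified in the message as vulnerable: basename() of PHP_SELF.
// basename() only keeps the text after the last "/", so any path-info
// segment the client appends is returned verbatim.
function form_action_self_unsafe(array $server): string
{
    return basename($server['PHP_SELF']);
}

// Hardened variant: SCRIPT_NAME is set by the server from the script that
// ran, so path info supplied by the client does not reach the result.
function form_action_self_safe(array $server): string
{
    return basename($server['SCRIPT_NAME']);
}

// Second half of the fix: escape the value when it is placed in an HTML
// attribute, regardless of where it came from.
function form_open_tag(string $action): string
{
    return '<form method="post" action="'
        . htmlspecialchars($action, ENT_QUOTES, 'UTF-8')
        . '">';
}

// Unsafe helper, unescaped output: the attribute is terminated early and
// the rest of the path info lands inside the tag.
echo '<form method="post" action="' . form_action_self_unsafe($server) . '">', "\n";
// <form method="post" action=""extra">

// Unsafe helper, escaped output: no longer breaks the attribute, but the
// form still posts to the wrong target.
echo form_open_tag(form_action_self_unsafe($server)), "\n";
// <form method="post" action="&quot;extra">

// Safe helper, escaped output: correct target and attribute-safe.
echo form_open_tag(form_action_self_safe($server)), "\n";
// <form method="post" action="view_all_bugs.php">
```

Run it with the PHP CLI (`php example.php`); the three printed lines show the attribute break-out, the effect of escaping alone, and the combined fix. A quick check for the same pattern elsewhere in a code base is `grep -rn "PHP_SELF"` across the tree and its bundled libraries, which is the sweep the message describes.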