Bug 984334 (CVE-2016-5364) - VUL-0: CVE-2016-5364: mantis: unescaped output of 'return URL' GPC parameter
Summary: VUL-0: CVE-2016-5364: mantis: unescaped output of 'return URL' GPC parameter
Status: RESOLVED FIXED
Alias: CVE-2016-5364
Product: openSUSE.org
Classification: openSUSE
Component: 3rd party software (show other bugs)
Version: unspecified
Hardware: Other openSUSE 42.1
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Andreas Stieger
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-12 15:53 UTC by Andreas Stieger
Modified: 2016-07-12 17:57 UTC (History)
CC List: 0 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2016-06-12 15:53:21 UTC
http://seclists.org/oss-sec/2016/q2/527

unescaped output of 'return URL' GPC parameter

https://mantisbt.org/bugs/view.php?id=20956
https://github.com/mantisbt/mantisbt/commit/5068df2dcf79c34741c746c9b27e0083f2a374da
https://github.com/mantisbt/mantisbt/commit/11ab3d6c82a1d3a89b1024f77349fb60a83743c5


As far as we can tell, this is best interpreted as a single XSS
vulnerability, even though:

  - "Also `print_bracket_link()` function doesn't check if link is
     `data:` or `javascript:`" is a separate observation

  - the number of .php files changed in 1.2.x is different from the
    number of .php files changed in 1.3.x

Use CVE-2016-5364.
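The two observations in the description (a 'return URL' parameter echoed without escaping, and a link helper that does not reject `javascript:`/`data:` targets) are the same bug class seen from two angles. The following PHP snippet is an added illustration of that class and of the defensive fix, not MantisBT code: the function names, the fallback page `index.php` and the sample inputs are all hypothetical.

```php
<?php
// Added illustration (not MantisBT code). Function names, the fallback page
// and the sample inputs are hypothetical.

// Vulnerable pattern: a GPC parameter is written straight into an href
// attribute. A value containing a quote breaks out of the attribute, and a
// javascript: or data: URL executes even without breaking out.
function render_return_link_unsafe(string $return_url): string {
    return '[ <a href="' . $return_url . '">Back</a> ]';
}

// Check 1: refuse link targets whose scheme executes script. Browsers ignore
// control characters and whitespace before the scheme, so strip those first.
function is_safe_link_target(string $url): bool {
    $normalized = strtolower((string) preg_replace('/[\x00-\x20]+/', '', $url));
    foreach (['javascript:', 'data:', 'vbscript:'] as $scheme) {
        if (strncmp($normalized, $scheme, strlen($scheme)) === 0) {
            return false;
        }
    }
    // Accept absolute http(s) URLs, site-absolute paths (but not //host, which
    // is protocol-relative), or plain relative paths such as view.php?id=1.
    return (bool) preg_match('#^(https?://\S+|/(?!/)\S*|[A-Za-z0-9_][A-Za-z0-9_./?=&%+-]*)$#', $url);
}

// Check 2: escape for the HTML attribute context regardless of the value.
// Both checks are needed: escaping alone does not stop javascript:, and the
// scheme check alone does not stop attribute break-out.
function render_return_link_safe(string $return_url, string $fallback = 'index.php'): string {
    $target  = is_safe_link_target($return_url) ? $return_url : $fallback;
    $escaped = htmlspecialchars($target, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '[ <a href="' . $escaped . '">Back</a> ]';
}

// Constructed sample inputs: one legitimate return URL and three that a
// reflected-XSS scanner would flag.
$samples = [
    'view.php?id=20956&from=list',
    '"><script>alert(1)</script>',
    'javascript:alert(1)',
    'data:text/html,example',
    '//attacker.invalid/',
];
foreach ($samples as $s) {
    echo "input:  " . $s . PHP_EOL;
    echo "unsafe: " . render_return_link_unsafe($s) . PHP_EOL;
    echo "safe:   " . render_return_link_safe($s) . PHP_EOL . PHP_EOL;
}
```

Running the script shows the legitimate URL passing through with only `&` encoded as `&amp;`, while the other four collapse to the fallback link; the "unsafe" lines show the markup the original bug would have emitted for comparison.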
Comment 1 Swamp Workflow Management 2016-06-12 22:00:14 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2016-07-12 17:29:16 UTC
That and more in https://www.mantisbt.org/blog/?p=440

Security

    CVE-2016-5364: Reflected XSS inside manage_custom_field_edit_page.php – #20956
    Cannot change password in second enter to verification page – #6009
    bugnote actions in view bug page should send data as POST – #20141
    CVE-2014-9759: SOAP API can be used to disclose confidential settings – #20277
    CVE-2014-9572: Improper Access Control in install.php – #19273
    CVE-2014-9571: XSS in install.php – #19274
    CVE-2015-1042: URL redirection issue – #19275
    CVE-2014-9573: SQL Injection in manage_user_page.php – #19277
    PHP remote code execution in install.php – #12908
    CVE-2014-9701: XSS vulnerability in permalink_page.php – #19504
    Registrations by bots via captcha exploit – #10028
    Support Content-Security-Policy (CSP) per W3C specification – #14679
    install.php: do not send the value of crypto_master_salt over http – #17382
    Redirect user to change password if logged in with default admin password – #16477
    plugins directory must be secured/fixed – #14538
    Provide additional random number generators – #17381
    IIS: add web.config to deny access to config folder – #17380
    allow_reporter_reopen lets reporter make any update, not just reopen – #11804
    Add support for Strict-Transport-Security header – #12881
    Improve random number generation with openssl_random_pseudo_bytes – #10730
    Do not allow to send a reminder on a private issue to users under threshold – #11981
    Remove input side XSS validation of user real names – #12368
    When user reports an issue, the unpermitted project can be selected – #16024
    Remove all inline JavaScript from MantisBT (use external scripts instead) – #11826
Comment 3 Andreas Stieger 2016-07-12 17:57:48 UTC
https://build.opensuse.org/request/show/407934