Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Fix #15373: match_type XSS vulnerability

Jakub Galczyk discovered[1] a cross site scripting (XSS)
vulnerability in MantisBT 1.2.12 and earlier versions that allows a
malicious person to trick the browser of a target user into executing
arbitrary JavaScript via the URL: search.php?match_type="><script...

This vulnerability is particularly wide reaching due to search.php being
usable by anonymous users on public facing installations of MantisBT (no
user account required).

The value of the "match_type" filter parameter is now correctly
sanitised prior to use in the HTML output displaying the current filter
settings.

[1] http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html
  • Loading branch information...
commit bbc6b4f3ea8d0a53ae8c44e4218df6675a4e5fdf 1 parent 75dd763
David Hicks davidhicks authored
Showing with 1 addition and 1 deletion.
  1. +1 −1  core/filter_api.php
2  core/filter_api.php
View
@@ -3400,7 +3400,7 @@ function <?php echo $t_js_toggle_func;?>() {
echo lang_get ('filter_match_all');
}
?>
- <input type="hidden" name="match_type" value="<?php echo $t_filter[FILTER_PROPERTY_MATCH_TYPE]?>"/>
+ <input type="hidden" name="match_type" value="<?php echo string_attribute( $t_filter[FILTER_PROPERTY_MATCH_TYPE] )?>"/>
</td>
<td colspan="6">&#160;</td>
</tr>
Please sign in to comment.
Something went wrong with that request. Please try again.