Browse files

Fix #15373: match_type XSS vulnerability

Jakub Galczyk discovered[1] a cross site scripting (XSS)
vulnerability in MantisBT 1.2.12 and earlier versions that allows a
malicious person to trick the browser of a target user into executing
arbitrary JavaScript via the URL: search.php?match_type="><script...

This vulnerability is particularly wide reaching due to search.php being
usable by anonymous users on public facing installations of MantisBT (no
user account required).

The value of the "match_type" filter parameter is now correctly
sanitised prior to use in the HTML output displaying the current filter
settings.

[1] http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html
  • Loading branch information...
1 parent 75dd763 commit bbc6b4f3ea8d0a53ae8c44e4218df6675a4e5fdf @davidhicks davidhicks committed Jan 18, 2013
Showing with 1 addition and 1 deletion.
  1. +1 −1 core/filter_api.php
View
2 core/filter_api.php
@@ -3400,7 +3400,7 @@ function <?php echo $t_js_toggle_func;?>() {
echo lang_get ('filter_match_all');
}
?>
- <input type="hidden" name="match_type" value="<?php echo $t_filter[FILTER_PROPERTY_MATCH_TYPE]?>"/>
+ <input type="hidden" name="match_type" value="<?php echo string_attribute( $t_filter[FILTER_PROPERTY_MATCH_TYPE] )?>"/>
</td>
<td colspan="6">&#160;</td>
</tr>

0 comments on commit bbc6b4f

Please sign in to comment.