Skip to content
Browse files

Fix #15373: match_type XSS vulnerability

Jakub Galczyk discovered[1] a cross site scripting (XSS)
vulnerability in MantisBT 1.2.12 and earlier versions that allows a
malicious person to trick the browser of a target user into executing
arbitrary JavaScript via the URL: search.php?match_type="><script...

This vulnerability is particularly wide reaching due to search.php being
usable by anonymous users on public facing installations of MantisBT (no
user account required).

The value of the "match_type" filter parameter is now correctly
sanitised prior to use in the HTML output displaying the current filter
settings.

[1] http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html
  • Loading branch information...
1 parent 8414dc7 commit f5ac454eb63fde102347a021a2af0c535033d572 @davidhicks davidhicks committed Jan 18, 2013
Showing with 1 addition and 1 deletion.
  1. +1 −1 core/filter_api.php
View
2 core/filter_api.php
@@ -3395,7 +3395,7 @@ function filter_draw_selection_area2( $p_page_number, $p_for_screen = true, $p_e
echo lang_get ('filter_match_all');
}
?>
- <input type="hidden" name="match_type" value="<?php echo $t_filter[FILTER_PROPERTY_MATCH_TYPE]?>"/>
+ <input type="hidden" name="match_type" value="<?php echo string_attribute( $t_filter[FILTER_PROPERTY_MATCH_TYPE] )?>"/>
</td>
<td colspan="6">&#160;</td>
</tr>

0 comments on commit f5ac454

Please sign in to comment.
Something went wrong with that request. Please try again.