Mantis team fixes dangerous reflected XSS flaw

Oct 31, 2015 09:29 GMT  ·  By

A cross-site scripting (XSS) flaw in the Mantis BT bug tracker (or Mantis) is putting unsolved security holes at risk of unwanted disclosure.

The issue, reported by Fortinet's FortiGuard Labs, is similar to the situation that occurred in early September, when a hacker managed to break into Mozilla's bug tracker (Bugzilla) and steal secret information about unresolved Firefox zero-day bugs.

Many believe this information was used to create exploits that leveraged unresolved Firefox issues and infected thousands of users with malware.

While Mantis may not have the media visibility of the Bugzilla tracker that's sponsored by Mozilla, the project has been extremely popular for many years, both in the open source and enterprise market.

Mantis admin users are targeted by this XSS vulnerability

The problem lies in the adm_config_report.php file, which processes the filter_config_id parameter. Attackers can attach malicious code to this parameter, which the file does not properly sanitize. The result is a simple reflected XSS.

If an admin user is tricked into opening a malformed link, the attacker, by chaining a few other exploit techniques, could even leak browser cookies and session data, using the XSS attack as the entry point. That data can then lead to a more serious compromise of the application's data.
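The pattern the article describes, as an added illustration that is not Mantis code: a hypothetical stand-in for the way adm_config_report.php could echo filter_config_id into the page unescaped, shown next to the two defences that close the hole (output encoding and input validation). The function names, markup and payload are constructed for the example.

```php
<?php
// Added illustration (not Mantis code): how a reflected XSS arises when a
// request parameter is echoed into HTML unescaped, and how to close it.
// The functions and markup are hypothetical stand-ins for the handling of
// filter_config_id in adm_config_report.php.

declare(strict_types=1);

// Vulnerable pattern: the raw parameter is interpolated straight into HTML.
// A value such as "><script>... closes the attribute and injects a tag.
function render_filter_vulnerable(string $filterConfigId): string
{
    return '<input type="hidden" name="filter_config_id" value="' . $filterConfigId . '">';
}

// Defence 1: context-aware output encoding. htmlspecialchars with ENT_QUOTES
// turns <, >, &, " and ' into entities, so the value can neither close the
// attribute nor open a tag, whatever the user supplied.
function render_filter_escaped(string $filterConfigId): string
{
    $safe = htmlspecialchars($filterConfigId, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="filter_config_id" value="' . $safe . '">';
}

// Defence 2: validate the input type. A config id is numeric, so anything
// else is rejected before it reaches the template at all.
function parse_config_id(string $raw): ?int
{
    if (!preg_match('/^[0-9]{1,10}$/', $raw)) {
        return null; // reject, or fall back to the default (unfiltered) report
    }
    return (int) $raw;
}

// Constructed payload of the kind a malformed link would carry; not taken
// from any real report.
$payload = '"><script>alert(1)</script>';
echo "vulnerable: " . render_filter_vulnerable($payload) . "\n";
echo "escaped:    " . render_filter_escaped($payload) . "\n";
var_dump(parse_config_id($payload)); // NULL: rejected
var_dump(parse_config_id('42'));     // int(42): accepted
```

Run with `php example.php`: the first line shows the attribute broken open by the payload, the second shows it rendered inert as entities.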

The scenario is not as far-fetched as it sounds, since a user reporting bugs can insert links in the description, and such links can be masked to some degree with HTML code. An example would be:

<a href="malicious code">screenshot of bug i'm reporting</a>

Such situations lower awareness and open the door for exploits.

As Fortinet researchers are explaining, "the exploit against the vulnerability [in Mantis] does not require anti-CSRF techniques, so the exploit difficulty is significantly lowered."

This XSS bug affects all users of Mantis 1.2.19 and earlier. The Mantis team issued a fix for this problem with the release of Mantis 1.3.0.beta.3.