Hi David,

Thanks a lot for the extended report about these issues [1] on the Debian BTS.

I took a look at the code on GitHub for the needed changes and tested them on 1.2.7 (which we are working on, instead of 1.2.6-1, which would be replaced with 1.2.7). I created the patches from the minimum code required to resolve these issues, and they applied cleanly. But the bugs were not fixed at all.

1) XSS injection via PHP_SELF ([2], [3])

The problem, sure, is related to PHP_SELF, but this patch [3] just fixes the setup/control of the global variable $g_path and does not solve the problem in 1.2.6 or 1.2.7. The XSS injection continues to occur because of the function "form_action_self". This function is used to generate a form action value when forms are designed to be submitted to the same URL:

core/form_api.php: function form_action_self()

This function affects other functions such as:

helper_ensure_confirmed()
auth_reauthenticate()

This function returns:

basename($_SERVER['PHP_SELF']);

In the 1.2.7 release (1.2.6 too), this function is used in these sources:

core/authentication_api.php
core/helper_api.php
billing_inc.php
bugnote_stats_inc.php
manage_config_email_page.php
manage_config_workflow_page.php
manage_config_work_threshold_page.php

So all the pages which include this function in the 1.2.6/1.2.7 versions will be vulnerable. I noticed, taking a look on GitHub, that in the master branch this function has been deprecated (removed) from the source code. I could create a patch to solve this issue, but which one would be the best solution?

a) remove form_action_self() from all pages
b) change form_action_self() in core/form_api.php

I don't know whether removing form_action_self() from all pages would have other implications or would break something elsewhere in the code. I just compared the 1.2.8 branch on GitHub and realized that it was removed there.

I hope this helps, and we await your reply, because we don't want to spend much time with an open CVE issue in the package.

I offer to create this patch myself, don't worry about that, but I need to know the implications or which is the best option.

Thanks a lot for your help.

Regards,
Sils

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640297
[2] http://www.mantisbt.org/bugs/view.php?id=13191
[3] https://github.com/mantisbt/mantisbt/commit/d00745f5e267eba4ca34286d125de685bc3a8034
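As an added illustration (not MantisBT's own code and not the patch discussed in the message above), the shape of the helper described there beside an attribute-escaped version; the PHP_SELF value is constructed, and the hardened function is an assumption about what a fix could look like, not an upstream change:

```php
<?php
// Vulnerable shape described above: PHP_SELF is returned as-is and the
// caller writes it into the action="" attribute of a <form> without escaping.
function form_action_self_unsafe(): string
{
    return basename($_SERVER['PHP_SELF']);
}

// Hardened shape (assumption, not an upstream commit): escape for an HTML
// attribute context; ENT_QUOTES neutralises both " and ' so the value cannot
// terminate the attribute it is placed in.
function form_action_self_safe(): string
{
    return htmlspecialchars(basename($_SERVER['PHP_SELF']), ENT_QUOTES, 'UTF-8');
}

// Stand-in for the markup the affected pages emit.
function render_form(string $action): string
{
    return '<form method="post" action="' . $action . '">';
}

// Constructed request: with path info appended after the script name,
// PHP_SELF keeps the trailing segment, and basename() returns that segment
// rather than the script name, so request-controlled characters survive.
$_SERVER['PHP_SELF'] = '/mantisbt/manage_config_email_page.php/x" data-injected="1';

// The unescaped value terminates the action attribute and a second
// attribute appears in the tag; the escaped value stays inside action="".
echo render_form(form_action_self_unsafe()), "\n";
echo render_form(form_action_self_safe()), "\n";

// Detection aid for a code review: flag any call site that concatenates the
// raw helper result into markup. Both candidate fixes from the message apply:
// escape at the helper, or drop the helper and emit no action attribute at
// all (an empty action submits to the current URL, so no reflection occurs).
function action_is_single_attribute(string $html): bool
{
    // A well-formed result contains exactly one raw double quote pair for
    // the action value and no further '="' sequence after it.
    return substr_count($html, '="') === 2;
}
```

Run with the PHP CLI; action_is_single_attribute() returns true only for the escaped rendering, which is the property a reviewer wants from any replacement of form_action_self().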