Fix #15373: match_type XSS vulnerability

davidhicks · davidhicks · commit f5ac454eb63f · 2013-01-18T21:43:21.000+11:00
Jakub Galczyk discovered[1] a cross site scripting (XSS) vulnerability in MantisBT 1.2.12 and earlier versions that allows a malicious person to trick the browser of a target user into executing arbitrary JavaScript via the URL: search.php?match_type="><script... This vulnerability is particularly wide reaching due to search.php being usable by anonymous users on public facing installations of MantisBT (no user account required). The value of the "match_type" filter parameter is now correctly sanitised prior to use in the HTML output displaying the current filter settings. [1] http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html
diff --git a/core/filter_api.php b/core/filter_api.php
@@ -3395,7 +3395,7 @@ function filter_draw_selection_area2( $p_page_number, $p_for_screen = true, $p_e
 					echo lang_get ('filter_match_all');
 				}
 			?>
-			<input type="hidden" name="match_type" value="<?php echo $t_filter[FILTER_PROPERTY_MATCH_TYPE]?>"/>
+			<input type="hidden" name="match_type" value="<?php echo string_attribute( $t_filter[FILTER_PROPERTY_MATCH_TYPE] )?>"/>
 			</td>
 			<td colspan="6">&#160;</td>
 		</tr>		

Original file line number	Diff line number	Diff line change
`@@ -3395,7 +3395,7 @@ function filter_draw_selection_area2( $p_page_number, $p_for_screen = true, $p_e`
`3395`	`3395`	`echo lang_get ('filter_match_all');`
`3396`	`3396`	`}`
`3397`	`3397`	`?>`
`3398`		`- <input type="hidden" name="match_type" value="<?php echo $t_filter[FILTER_PROPERTY_MATCH_TYPE]?>"/>`
	`3398`	`+ <input type="hidden" name="match_type" value="<?php echo string_attribute( $t_filter[FILTER_PROPERTY_MATCH_TYPE] )?>"/>`
`3399`	`3399`	`</td>`
`3400`	`3400`	`<td colspan="6"> </td>`
`3401`	`3401`	`</tr>`