Fix #15373: match_type XSS vulnerability

davidhicks · davidhicks · commit bbc6b4f3ea8d · 2013-01-18T22:20:02.000+11:00
Jakub Galczyk discovered[1] a cross site scripting (XSS) vulnerability in MantisBT 1.2.12 and earlier versions that allows a malicious person to trick the browser of a target user into executing arbitrary JavaScript via the URL: search.php?match_type="><script... This vulnerability is particularly wide reaching due to search.php being usable by anonymous users on public facing installations of MantisBT (no user account required). The value of the "match_type" filter parameter is now correctly sanitised prior to use in the HTML output displaying the current filter settings. [1] http://hauntit.blogspot.de/2013/01/en-mantis-bug-tracker-1212-persistent.html
diff --git a/core/filter_api.php b/core/filter_api.php
@@ -3400,7 +3400,7 @@ function <?php echo $t_js_toggle_func;?>() {
 					echo lang_get ('filter_match_all');
 				}
 			?>
-			<input type="hidden" name="match_type" value="<?php echo $t_filter[FILTER_PROPERTY_MATCH_TYPE]?>"/>
+			<input type="hidden" name="match_type" value="<?php echo string_attribute( $t_filter[FILTER_PROPERTY_MATCH_TYPE] )?>"/>
 			</td>
 			<td colspan="6">&#160;</td>
 		</tr>

Original file line number	Diff line number	Diff line change
`@@ -3400,7 +3400,7 @@ function <?php echo $t_js_toggle_func;?>() {`
`3400`	`3400`	`echo lang_get ('filter_match_all');`
`3401`	`3401`	`}`
`3402`	`3402`	`?>`
`3403`		`- <input type="hidden" name="match_type" value="<?php echo $t_filter[FILTER_PROPERTY_MATCH_TYPE]?>"/>`
	`3403`	`+ <input type="hidden" name="match_type" value="<?php echo string_attribute( $t_filter[FILTER_PROPERTY_MATCH_TYPE] )?>"/>`
`3404`	`3404`	`</td>`
`3405`	`3405`	`<td colspan="6"> </td>`
`3406`	`3406`	`</tr>`