Industry Trends

FortiGuard Labs Discloses XSS Vulnerability in MantisBT

By Chris Dawson | October 30, 2015
Overview
MantisBT is an open source issue tracker with nearly 110,000 downloads so far this year from its SourceForge repository. It is known for its ease of use and rapid collaboration capabilities.
 
Researchers with FortiGuard Labs have discovered a cross-site scripting (XSS) vulnerability in MantisBT caused by incorrect handling of a specially-crafted request which contains injected script code. This vulnerability could allow remote attackers to launch XSS attack.
 
Analysis
The attack target can be MantisBT administrator. When the administrator accesses a specialty formed URL with injected script code, the XSS attack can be triggered. When the URL is accessed in a browser, the injected script is executed.
 
In our proof of concept (excluded here as part of our responsible disclosure practices), the value of the parameter 'filter_config_id' contains script code. When this HTTP request is sent to MantisBT by a web browser, MantisBT uses the submitted data to generate a web page and send it back to the web browser. Since MantisBT doesn’t sufficiently sanitize the submitted data, the injected script code is contained in the generated web page and executed in the user’s web browser.
 
This is a typical reflected XSS vulnerability. Theoretically attackers can inject any malicious script code to have it execute on victims’ computers. Note that the exploit against the vulnerability does not require anti-CSRF techniques, so the exploit difficulty is significantly lowered.
 
Mitigation
Users of MantisBT versions 1.2.19 and before should upgrade to the latest version as described in the MantisBT changelog.
 
Networks and users who have deployed Fortinet IPS are automatically protected from this vulnerability by IPS Signature Mantis.adm_config_report.XSS.
 
Thanks to the FortiGuard Labs team for discovering this vulnerability.

Join the Discussion