From: GitHub <no...@gi...> - 2016-06-11 00:02:24

Branch: refs/heads/master-1.2.x
Home: https://github.com/mantisbt/mantisbt
Commit: 5068df2dcf79c34741c746c9b27e0083f2a374da
        https://github.com/mantisbt/mantisbt/commit/5068df2dcf79c34741c746c9b27e0083f2a374da
Author: Damien Regad <dr...@ma...>
Date: 2016-06-07 (Tue, 07 Jun 2016)

Changed paths:
  M account_prefs_update.php
  M manage_config_revert.php
  M manage_custom_field_delete.php
  M manage_custom_field_update.php
  M print_all_bug_options_update.php
  M set_project.php

Log Message:
-----------
Fix XSS in custom fields management

Kacper Szurek (http://security.szurek.pl/) discovered an XSS vulnerability in Custom fields management pages, caused by unescaped output of 'return URL' GPC parameter.

His report describes two ways to exploit this issue:

1. using 'accesskey' inside hidden input field (see [1]) reflects XSS to the administrator in manage_custom_field_edit_page.php when the keyboard shortcut is actioned
2. using 'javascript:' URI scheme executes the code when the user clicks the [Proceed] link on manage_custom_field_update.php after updating a custom field

This commit fixes both attack vectors:

- properly escape the return URL prior to printing it on the hidden form field
- let html_operation_successful() sanitize the URL before displaying it, just like html_meta_redirect() does. In this case, if the string contains a URI scheme, it will be replaced by 'index.php'

[1] http://blog.portswigger.net/2015/11/xss-in-hidden-input-fields.html

Fixes #20956

This is a backport from master 3f2779b4c6dc8d465fb73c08cfa1d806184d2e79.
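The two measures the commit message lists (attribute-escaping the return URL when it is echoed into a hidden input, and refusing any value that carries a URI scheme before it is used as a link target) can be illustrated with a small stand-alone script. The following is an added example, not MantisBT's code; the function names `sanitize_return_url`, `html_attr`, `hidden_return_url_field` and `proceed_link` are hypothetical and the sample inputs are constructed for the demonstration.

```php
<?php
// Added example (not MantisBT's own implementation) showing the two
// defensive measures described in the commit message.

/**
 * Refuse any return URL that carries a URI scheme and fall back to a safe
 * local page. This mirrors the described behaviour ("if the string contains
 * a URI scheme, it will be replaced by 'index.php'"). Escaping alone does
 * not help here: "javascript:..." is perfectly valid attribute content and
 * only becomes dangerous when the browser follows the href.
 */
function sanitize_return_url( string $p_url, string $p_fallback = 'index.php' ): string {
	// Browsers tolerate control characters and whitespace inside a scheme
	// (e.g. "java\tscript:"), so strip them before looking for one.
	$t_stripped = preg_replace( '/[\x00-\x20]+/', '', $p_url );

	// A scheme is an alphabetic character followed by letters, digits,
	// '+', '.' or '-', terminated by ':' (RFC 3986, section 3.1).
	if( preg_match( '/^[a-z][a-z0-9+.\-]*:/i', $t_stripped ) ) {
		return $p_fallback;
	}

	// Protocol-relative URLs ("//other.example/...") have no scheme but
	// still leave the site, so treat them the same way (assumption: the
	// application only ever needs relative return paths).
	if( substr( $t_stripped, 0, 2 ) === '//' ) {
		return $p_fallback;
	}

	return $p_url;
}

/**
 * Escape a value for use inside a double-quoted HTML attribute. Without
 * this, a value containing a double quote closes the attribute and lets
 * the attacker add new ones (e.g. accesskey= and an event handler).
 */
function html_attr( string $p_value ): string {
	return htmlspecialchars( $p_value, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

// Measure 1: the hidden field carrying the return URL is escaped on output.
function hidden_return_url_field( string $p_url ): string {
	return '<input type="hidden" name="return" value="' . html_attr( $p_url ) . '" />';
}

// Measure 2: the [Proceed] link is sanitized *and* escaped before display.
function proceed_link( string $p_url ): string {
	return '<a href="' . html_attr( sanitize_return_url( $p_url ) ) . '">Proceed</a>';
}

// Constructed sample inputs modelled on the two vectors in the report:
// a benign relative path, an attribute break-out, and a javascript: URI.
$t_samples = array(
	'manage_custom_field_page.php',
	'x" accesskey="X" onclick="console.log(1)',
	'javascript:console.log(1)',
);

foreach( $t_samples as $t_input ) {
	echo hidden_return_url_field( $t_input ), "\n";
	echo proceed_link( $t_input ), "\n\n";
}
```

Running the script shows the first input passing through unchanged in both places, the second rendered as inert text inside the `value` attribute (the quotes become `&quot;`, so no `accesskey` attribute is created), and the third replaced by `index.php` in the link while still appearing, escaped, in the hidden field. The two controls are complementary: escaping prevents markup injection, sanitizing prevents a syntactically valid but dangerous URL from being followed.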