Tuesday, 2009-12-01

../irclogs/#mantishelp.2009-12-01.log
00:00 --- scribe started ---
01:02 <CIA-21> Mantisbt: hickseydr * r70b5022f556c / (4 files in 2 dirs): Fix #11229: Fix tagging XSS scripting vulnerabilities
01:03 <CIA-21> Mantisbt: hickseydr master-1.2.x * rd36359cf13c4 / (4 files in 2 dirs): Fix #11229: Fix tagging XSS scripting vulnerabilities
01:31 <CIA-21> Mantisbt: hickseydr master-1.1.x * rc6f356da55f3 / (4 files in 2 dirs): Fix #11229: Fix tagging XSS scripting vulnerabilities
05:56 <CIA-21> Mantisbt: hickseydr * rb1bc26eb0786 /manage_tags_page.php: Fix #11235: XSS on manage_tags_page.php with user Real Name field
05:56 <CIA-21> Mantisbt: hickseydr * r810ae0795530 /core/summary_api.php: Fix #11232: XSS on summary_page.php with user Real Name field
05:56 <CIA-21> Mantisbt: hickseydr * ra49cc3cefbab /adm_config_report.php: Fix #11233: XSS on adm_config_report.php with user Real Name field
05:56 <CIA-21> Mantisbt: hickseydr * rbb920bf5b45b /core/filter_api.php: Fix #11236: XSS on view_all_bug_page.php with user Real Name field
05:56 <CIA-21> Mantisbt: hickseydr * r01270e48f13e /tag_view_page.php: Fix #11237: XSS on tag_view_page.php with user Real Name field
05:56 <CIA-21> Mantisbt: hickseydr * r93f36d260294 /tag_update_page.php: Fix #11238: XSS on tag_update_page.php with user Real Name field
06:02 <CIA-21> Mantisbt: hickseydr master-1.2.x * r42e3640a6b79 /manage_tags_page.php: Fix #11235: XSS on manage_tags_page.php with user Real Name field
06:02 <CIA-21> Mantisbt: hickseydr master-1.2.x * r92561bce73a6 /adm_config_report.php: Fix #11233: XSS on adm_config_report.php with user Real Name field
06:02 <CIA-21> Mantisbt: hickseydr master-1.2.x * r8491dbdf5dff /tag_view_page.php: Fix #11237: XSS on tag_view_page.php with user Real Name field
06:02 <CIA-21> Mantisbt: hickseydr master-1.2.x * rc23edbfb97b1 /core/summary_api.php: Fix #11232: XSS on summary_page.php with user Real Name field
06:02 <CIA-21> Mantisbt: hickseydr master-1.2.x * r4cb58c70b8b3 /core/filter_api.php: Fix #11236: XSS on view_all_bug_page.php with user Real Name field
06:02 <CIA-21> Mantisbt: hickseydr master-1.2.x * rb1f59933bdd8 /tag_update_page.php: Fix #11238: XSS on tag_update_page.php with user Real Name field
06:11 <CIA-21> Mantisbt: hickseydr * r15b0752ae834 /view_user_page.php: Fix #11239: XSS on view_user_page.php with user Real Name field
06:11 <CIA-21> Mantisbt: hickseydr master-1.2.x * r67ed4313c071 /view_user_page.php: Fix #11239: XSS on view_user_page.php with user Real Name field
06:18 <CIA-21> Mantisbt: hickseydr * r71ade607240f /bug_revision_view_page.php: Fix #11240: XSS on bug_revision_view_page.php with user Real Name field
06:18 <CIA-21> Mantisbt: hickseydr master-1.2.x * r194099694d91 /bug_revision_view_page.php: Fix #11240: XSS on bug_revision_view_page.php with user Real Name field
06:28 <CIA-21> Mantisbt: hickseydr * r0aeb2ea2895d /manage_proj_page.php: Fix #11241: XSS on manage_proj_page.php with user Real Name field
06:28 <CIA-21> Mantisbt: hickseydr master-1.2.x * ree7ee6d4f699 /manage_proj_page.php: Fix #11241: XSS on manage_proj_page.php with user Real Name field
06:35 <CIA-21> Mantisbt: hickseydr * ra77662d5823e /manage_proj_edit_page.php: Fix #11242: XSS on manage_proj_edit_page.php with user Real Name field
06:35 <CIA-21> Mantisbt: hickseydr master-1.2.x * r868c1d6cbddc /manage_proj_edit_page.php: Fix #11242: XSS on manage_proj_edit_page.php with user Real Name field
06:44 <CIA-21> Mantisbt: hickseydr * r0789144e6059 /account_update.php: Fix #11234: Validate user name and email on account_page.php
06:44 <CIA-21> Mantisbt: hickseydr master-1.2.x * r9c0f46d6e40f /account_update.php: Fix #11234: Validate user name and email on account_page.php
07:31 <CIA-21> Mantisbt: hickseydr * rbe4dbbf81019 /core/ (columns_api.php custom_function_api.php): Fix #11243: XSS on view_all_bug_page.php due to bad sanitising defaults
07:31 <CIA-21> Mantisbt: hickseydr master-1.2.x * rb66d1b040106 /core/ (columns_api.php custom_function_api.php): Fix #11243: XSS on view_all_bug_page.php due to bad sanitising defaults
07:47 <CIA-21> Mantisbt: hickseydr * r96ab63b6323f / (3 files in 2 dirs): Fix #11244: XSS on change log and roadmap pages (project names)
07:47 <CIA-21> Mantisbt: hickseydr master-1.2.x * rdf0a5af45f4a / (3 files in 2 dirs): Fix #11244: XSS on change log and roadmap pages (project names)
08:25 <CIA-21> Mantisbt: hickseydr master-1.2.x * rb4b275a5ea3b /core/columns_api.php: Fix #11245: Sanitise project name in print_column_category_id()
08:25 <CIA-21> Mantisbt: hickseydr * r141cbe6e8667 /core/columns_api.php: Fix #11245: Sanitise project name in print_column_category_id()
09:34 <CIA-21> Mantisbt: hickseydr * r98f63cf5d7f1 /core/print_api.php: Fix #11246: XSS bug in category dropdown selector
09:34 <CIA-21> Mantisbt: hickseydr master-1.2.x * rccae795a7cc2 /core/print_api.php: Fix #11246: XSS bug in category dropdown selector
09:50 <CIA-21> Mantisbt: hickseydr * r403cd6c13195 / (adm_config_report.php core/print_api.php): Fix #11247: XSS in various management pages (project names)
09:50 <CIA-21> Mantisbt: hickseydr master-1.2.x * rd55a7f24e72e / (adm_config_report.php core/print_api.php): Fix #11247: XSS in various management pages (project names)
09:52 <dhx_m> should be rock solid now :D
10:13 <kirillka> dhx_m: hi
10:13 <dhx_m> kirillka: hi
10:13 <kirillka> I see you don't sleep :) Only works
10:13 <dhx_m> lol
11:46 <CIA-21> Mantisbt: hickseydr master-1.2.x * r2515b3655fb0 /images/rss.png: Fix #11223: RSS image has execute permission bits set
11:46 <CIA-21> Mantisbt: hickseydr * re95b87a3df62 /images/rss.png: Fix #11223: RSS image has execute permission bits set
11:48 <paulr_> lo dhx_m
11:48 <dhx_m> paulr_: hey
11:48 <paulr_> erm
11:49 <paulr_> -<?php echo project_get_name( $v_project_id ) ?>
11:49 <paulr_> +<?php echo string_display_line( project_get_name( $v_project_id ) )
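Review bot: the `+` line drops the closing `?>` that the `-` line had; unless that was cut off when pasting, the replacement needs to end `... project_get_name( $v_project_id ) ) ?>` or the template is no longer valid PHP. The escaping change itself is the right fix given the later discussion that project names may contain `<` and `>`.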
11:49 <paulr_> project names shouldn't be an issue?
11:49 <paulr_> i.e. we don't allow < > etc in them, do we?
11:49 <dhx_m> we do
11:49 <paulr_> w.t.f.?
11:49 <dhx_m> don't ask me :p
11:49 <paulr_> are you sure?
11:49 <paulr_> or well
11:49 <paulr_> nice
11:49 <paulr_> v. nice
11:50 <paulr_> so basically
11:50 <paulr_> :(
11:50 <dhx_m> basically every thing internally within Mantis is hostile
11:50 <dhx_m> s/thing/string
11:50 <dhx_m> and it has to be parsed correctly before being used in an SQL query, REGEX pattern or being output to the user (via HTML, SOAP, CSV, etc)
11:52 <dhx_m> I guess that has the advantage of if an SQL injection attack does happen on a table... someone inserting HTML won't have any impact :)
11:57 <paulr_> well sql injection we should block
11:57 <paulr_> xss is another matter
11:58 <paulr_> but i wasn't aware of xss via project-name
11:58 <paulr_> so kinda confused
11:58 <paulr_> (and i've done scans with various apps e.g. ibm's appscan)
12:20 <dhx_m> those generally only work by passing in arguments to forms
12:20 <dhx_m> and seeing if the resulting page shows those "canaries"
12:20 <dhx_m> whereas I went through and found every text box Mantis has
12:21 <dhx_m> and inserted <script>alert(x);</script> where x is a tracking number I used
12:21 <dhx_m> to differentiate between fields causing problems
12:25 <dhx_m> and then I went through all the Mantis pages I could find
12:25 <dhx_m> clicking every link/button
12:25 <dhx_m> to see if I could find any XSS problems
15:03 <paulr_> dhx_m: I'm still not convinced :P
15:03 <paulr_> unless ofc people broke stuff
15:03 <paulr_> as i've had a pc program that basically does that
15:03 * nuclear_eclipse blames daryn
15:03 <paulr_> tends to do ~100,000 requests to complete a run
15:03 <paulr_> and in the past, we've been mainly clean
15:04 <paulr_> nuclear_eclipse: were you aware that project name can have xss?
15:04 <paulr_> or more can you recall any changes to this
15:04 <nuclear_eclipse> I dunno
15:05 <paulr_> well
15:05 * paulr_ not impressed :)
15:06 <nuclear_eclipse> you rarely are ;)
15:10 <nuclear_eclipse> dhx_m: why are we sanitizing the date format?!
15:11 <paulr_> :)
15:11 <paulr_> i've added that to something to patch :P
15:11 <paulr_> number 21 on the list
15:11 <paulr_> (of things i've not got around to whinging/fixing since july :((()
15:12 <paulr_> the reason i'm a bit surprised is
15:12 <paulr_> i've run my scanners against 1.1
15:12 <paulr_> and probably 1.2 from say 9-12 months ago (i'd need to check date)
15:12 <paulr_> so really, things that need patching should have been introduced in last 12 months
15:13 <paulr_> I can't really believe we've introduced so many bugs in 12 months ;p
15:15 <daryn> wait...what are you blaming me for?
15:15 <nuclear_eclipse> most of these changes I can understand; I for one didn't think that user_get_name wasn't sanitized because I just copied how it was used everywhere else -- but sanitizing a date string seems more than unnecessary
15:16 <nuclear_eclipse> daryn: I needed a scapegoat; congratulations :)
15:16 <daryn> ah...well, i haven't committed much of anything in the last twelve months so I think i'm relatively safe
15:51 <heraclide> hello :)
15:52 <heraclide> i can't find out how to have custom fields depending on category or on other custom fields when reporting a bug?
15:53 <heraclide> like for example, people get in sys admin project, wanna report a problem, they have to choose between account problem, rights problem, dns problem
15:53 <heraclide> and depending on what they choose, they have to fill some custom fields?
15:53 <nuclear_eclipse> heraclide: there's no way to dynamically hide/show custom fields
15:53 <heraclide> doh doh doh :(
15:54 <heraclide> I have to use sub-projects?
15:54 <nuclear_eclipse> perhaps
15:54 <heraclide> oki doki :)
15:54 <heraclide> thanks :)
15:55 <nuclear_eclipse> heraclide: you could potentially implement what you're wanting with a plugin
15:56 <nuclear_eclipse> but it would require much more effort to implement than creating sub-projects =\
15:59 <heraclide> yes :(
16:00 <heraclide> and I have not that much time :(
18:01 <heraclide> good evening everyone :)
18:29 <daryn> nuclear_eclipse around?
18:52 * paulr_ moos
18:52 <paulr_> daryn_: what you broken?
18:52 <daryn_> ?
18:53 <paulr_> :)
18:53 <daryn_> my network config sucks
19:11 <nuclear_eclipse> daryn_: here now
19:11 <daryn_> hi
19:12 <daryn_> i was wondering about adding jquery plugins to the jquery plugin...that sounds weird
19:12 <nuclear_eclipse> you mean you want some of the plugins for jquery included in the mantis plugin? :P
19:13 <daryn_> bingo
19:13 <daryn_> i tried to add but it's not working
19:13 <daryn_> i added the files and the script tag to the resources output
19:14 <daryn_> but when the browser tries to load it it is not recognizing the file.
19:17 <nuclear_eclipse> hmm, you have a patch you can lend me?
19:17 <daryn_> it's sending an xhtml doctype
19:17 <daryn_> m...sure
19:23 <daryn_> emailed
19:26 <nuclear_eclipse> I'm not seeing anything in my inbox from you..
19:27 <daryn_> hm...i can pastebin it but its over 700 lines
19:27 <daryn_> just due to the new jquery file
19:28 <nuclear_eclipse> yeah... =\
19:28 <nuclear_eclipse> can you just paste a diff to the jQuery.php?
19:28 <daryn_> yeah
19:29 <nuclear_eclipse> nvm
19:29 <daryn_> ok
19:29 <nuclear_eclipse> just got the email
19:31 <nuclear_eclipse> I think it's the "jquery-ui.min.js"
19:32 <nuclear_eclipse> plugin_file.php only accepts filenames with a single period for security reasons
19:33 <daryn_> if i hardcode the path it works
19:33 <daryn_> ah...
19:33 <nuclear_eclipse> ie, I didn't want to somehow let a "../.." type of thing slip past
19:33 <daryn_> let me try that
19:33 <nuclear_eclipse> that sort of vulnerability would be huge
19:33 <daryn_> yep. wasn't thinking about that
19:34 <nuclear_eclipse> ie, it could allow someone to form a uri that could expose any file that Apache/PHP has access to
19:34 <daryn_> that did it. thanks
19:34 <nuclear_eclipse> np
23:33 <dhx_m> nuclear_eclipse: I just escaped dates in case they contain some special character such as &
23:33 <dhx_m> nuclear_eclipse: more for consistency than anything else
23:34 <dhx_m> paulr_: those bugs I found have been around for a long time and as I said previously, most scanners wouldn't be able to pick them up
23:34 <dhx_m> paulr_: the reason being that they don't understand how to create new projects, new bugs, etc
