Mantis Bug Tracker Content Security Policy Bypass Vulnerability Allowing Cross-Site Scripting

Vulnerability

A Content Security Policy (CSP) bypass vulnerability has been identified in Mantis Bug Tracker (MantisBT) versions 2.28.1 and prior. It allows an attacker who can already trigger an existing Cross-Site Scripting (XSS) or HTML injection flaw to obtain script execution despite the CSP. The attacker uploads a malicious attachment to an issue; when that attachment is fetched through the file_download.php link, the browser will execute it as a script if PHP's fileinfo extension identifies it as a valid JavaScript MIME type. Because the X-Content-Type-Options header is set to nosniff, the browser only executes a file as JavaScript when it is served with a valid JavaScript MIME type, and the fileinfo detection of the uploaded attachment satisfies exactly that requirement.

Impact

Exploitation of this vulnerability can lead to Cross-Site Scripting (XSS) attacks, allowing malicious scripts to execute in the browser context of the affected user.

Reproduction

To reproduce this vulnerability, first upload a file containing a JavaScript payload to an issue. The file must be uploaded as an attachment and must be detected as a valid JavaScript MIME type, such as 'application/javascript'. Once the file is uploaded, obtain its download link through the file_download.php endpoint. Then exploit an existing HTML injection vulnerability by injecting a script tag that references the downloaded file. When the injected script executes, the Cross-Site Scripting vulnerability has been successfully exploited.

Remediation

Users can update to MantisBT version 2.28.2 or later, where this vulnerability has been fixed.
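As an added illustration (Python, not MantisBT's own PHP code), the following models the browser-side decision the advisory describes: under nosniff, a script reference to a file_download.php response only runs if that response carries a JavaScript MIME type, which is exactly what echoing the fileinfo-detected type back to the client provides. The hardened headers shown are a generic defensive pattern for download endpoints, assumed here and not the fix shipped in 2.28.2; the example also assumes the CSP permits same-origin scripts, which is why a same-origin attachment bypasses it.

```python
"""Model of the nosniff script-execution decision behind the MantisBT bypass,
with a hardened way to serve attachments. Added example, not MantisBT code."""

# JavaScript MIME type essences as listed in the WHATWG MIME Sniffing standard.
JAVASCRIPT_MIME_TYPES = {
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
}
# Constructed list of types a browser renders or executes as active content.
ACTIVE_CONTENT_TYPES = JAVASCRIPT_MIME_TYPES | {
    "text/html", "application/xhtml+xml", "image/svg+xml",
}


def mime_essence(content_type):
    """'Text/JavaScript; charset=utf-8' -> 'text/javascript'."""
    return content_type.split(";", 1)[0].strip().lower()


def browser_would_execute_script(headers):
    """Would <script src> pointing at a response with these headers run?

    Follows the Fetch standard: script destinations are always blocked for
    image/*, audio/*, video/* and text/csv; with nosniff they are additionally
    blocked unless the Content-Type is a JavaScript MIME type.
    """
    ctype = mime_essence(headers.get("Content-Type", ""))
    if ctype.startswith(("image/", "audio/", "video/")) or ctype == "text/csv":
        return False
    if headers.get("X-Content-Type-Options", "").strip().lower() == "nosniff":
        return ctype in JAVASCRIPT_MIME_TYPES
    return True  # no nosniff: the browser executes whatever it is given


def naive_download_headers(detected_mime):
    """Vulnerable pattern: echo the fileinfo-detected type back to the client."""
    return {"Content-Type": detected_mime, "X-Content-Type-Options": "nosniff"}


def hardened_download_headers(detected_mime, filename):
    """Hypothetical mitigation: never serve an attachment under an active type,
    and force a download so the browser does not render it inline."""
    ctype = detected_mime
    if mime_essence(detected_mime) in ACTIVE_CONTENT_TYPES:
        ctype = "application/octet-stream"
    safe_name = "".join(c if c.isalnum() or c in "._-" else "_" for c in filename)
    return {"Content-Type": ctype, "X-Content-Type-Options": "nosniff",
            "Content-Disposition": f'attachment; filename="{safe_name}"'}
```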

Added: May 26, 2026, 2:48 PM
Updated: May 26, 2026, 2:48 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 1.7
exploitability: 5.6
remediation: 7.7
relevance: 9.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.