VYPR
Unrated severity · NVD Advisory · Published Sep 28, 2010 · Updated Apr 29, 2026

CVE-2010-3070

Description

Cross-site scripting (XSS) vulnerability in NuSOAP 0.9.5, as used in MantisBT and other products, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to an arbitrary PHP script that uses NuSOAP classes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting (XSS) vulnerability in NuSOAP 0.9.5 allows remote attackers to inject arbitrary web script via PATH_INFO to a PHP script using NuSOAP classes.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in NuSOAP version 0.9.5, as used in MantisBT and other products. The flaw resides in the class.wsdl.php file of the NuSOAP library, where user-controlled data from $_SERVER['PHP_SELF'] (which carries the request's PATH_INFO) is not properly sanitized before being output to HTML [1]. This allows an attacker to inject arbitrary web script or HTML via the PATH_INFO to any PHP script that uses NuSOAP classes [2]. MantisBT versions before 1.2.3 are affected [4].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL that contains a payload in the PATH_INFO component. The attack requires no authentication; a remote attacker simply sends the crafted URL to a target running a vulnerable application. The server processes the request through a PHP script that leverages NuSOAP classes, and the unsanitized PATH_INFO is echoed back in the generated WSDL output, executing the injected script in the user's browser [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript or HTML in the context of the victim's browser session. This can lead to theft of session cookies, redirection to malicious sites, or other client-side attacks, potentially compromising user accounts or sensitive data [1][2].

Mitigation

The vulnerability is fixed in MantisBT version 1.2.3, which includes a patched version of NuSOAP (with htmlentities() escaping applied) [1][4]. A patch was also submitted to the upstream NuSOAP project [1]. Users of MantisBT should upgrade to version 1.2.3 or later. For other applications using NuSOAP, applying the upstream patch or sanitizing $_SERVER['PHP_SELF'] before output is recommended [2][3].
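The unsafe output pattern described under Vulnerability beside the htmlentities() fix described under Mitigation, as an added PHP example that is not NuSOAP's or MantisBT's own code; the function names, the leak check and the sample request path are assumptions:

```php
<?php
// Added example (not NuSOAP's code): a WSDL endpoint page that echoes the
// request path the way the advisory describes, in vulnerable and fixed form.

// Vulnerable pattern: $phpSelf stands in for $_SERVER['PHP_SELF'], which
// carries the client-controlled PATH_INFO, and is written into HTML as-is.
function wsdlEndpointHtmlVulnerable(string $phpSelf): string
{
    return '<p>Endpoint: <a href="' . $phpSelf . '?wsdl">' . $phpSelf . '?wsdl</a></p>';
}

// Fixed pattern: htmlentities() with ENT_QUOTES turns <, >, &, " and ' into
// entities, so the path is inert both inside the href attribute and as text.
function wsdlEndpointHtmlFixed(string $phpSelf): string
{
    $safe = htmlentities($phpSelf, ENT_QUOTES, 'UTF-8');
    return '<p>Endpoint: <a href="' . $safe . '?wsdl">' . $safe . '?wsdl</a></p>';
}

// Defensive check: the only angle brackets in the output should be the ones
// the template itself emits; compare against a render of a known-clean path.
function pathMarkupLeaks(callable $render, string $phpSelf): bool
{
    $baseline = substr_count($render('/clean.php'), '<');
    return substr_count($render($phpSelf), '<') > $baseline;
}

// Constructed request path containing characters that must never reach HTML raw.
$path = '/soap/server.php/extra"<path>';

echo 'vulnerable renderer leaks markup: ';
var_dump(pathMarkupLeaks('wsdlEndpointHtmlVulnerable', $path));
echo 'fixed renderer leaks markup: ';
var_dump(pathMarkupLeaks('wsdlEndpointHtmlFixed', $path));
```

The same check can be pointed at any script that emits $_SERVER['PHP_SELF'] to confirm the escaping is applied on every output path, not only in the WSDL view.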

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • cpe:2.3:a:dietrich_ayala:nusoap:0.9.5:*:*:*:*:*:*:*
  • (no CPE) range: =0.9.5

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.