MantisBT

View Issue Details
ID: 0012312
Project: mantisbt
Category: security
View Status: public
Date Submitted: 2010-08-31 06:16
Last Update: 2011-08-02 12:35
Reporter: acunetix
Assigned To: dhx
Priority: normal
Severity: block
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 1.2.2
Target Version: 1.2.3
Fixed in Version: 1.2.3
Summary: 0012312: NuSOAP WSDL XSS (cross-site scripting vulnerability) in Mantis 1.2.2

Description:
Hello!

My name is Bogdan Calin. I'm a security researcher at Acunetix (http://www.acunetix.com).
You can contact me at this email address: bogdan [at] acunetix.com

While beta testing the latest version of our product (Acunetix WVS v7) we found a number of security vulnerabilities in various web applications.

The following vulnerabilities were found in Mantis (Version 1.2.2).

1. XSS in "/mantisbt_1_2_2/api/soap/mantisconnect.php"
URI was set to 1<ScRiPt>prompt(923395)</ScRiPt>
The input is reflected inside a text element.
The input is reflected inside a tag element between double quotes.

Sample HTTP request to reproduce the problem:

GET /mantisbt_1_2_2/api/soap/mantisconnect.php/1%3CScRiPt%3Eprompt(923395)%3C/ScRiPt%3E HTTP/1.1
Cookie: PHPSESSID=4a181a89451adb7b5d459ea3252b1f4a; MANTIS_secure_session=0; MANTIS_PROJECT_COOKIE=0
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

If you have questions about these issues, please contact me by email.

Thanks in advance,
Bogdan
Steps To Reproduce:
1. Visit http://webapps7/mantisbt_1_2_2/api/soap/mantisconnect.php/1%3CScRiPt%3Eprompt(923395)%3C/ScRiPt%3E
2. See a popup window that is confirming the XSS vulnerability.

Tags: No tags attached.

Attached Files: vulnerable_code.txt (1,421 bytes) 2010-08-31 09:03

- Relationships

- Notes
Note 0026528 by dhx (developer), 2010-08-31 06:35

Thanks for the descriptive and informative bug report Bogdan.

If it's OK I'd like to print and frame this bug as one of the few examples we have of what defines a good bug report :)

I'll try and have this fixed shortly. I've also CC'd in Robert (our SOAP/MantisConnect specialist) and John (most likely person to roll out MantisBT 1.2.3).

Thanks again for finding this XSS bug (in a place most people wouldn't think of looking) and reporting it here so descriptively.
Note 0026529 by acunetix (reporter), 2010-08-31 06:43

Sure, I'm glad that I could help and that my report is good :)
Note 0026531 by dhx (developer), 2010-08-31 09:02 (edited on 2010-08-31 09:03)

It seems you've uncovered a flaw in NuSOAP itself.

{please see attached vulnerable_code.txt file for the snippet of interest from class.wsdl.php bundled with NuSOAP}

I don't quite get the joke? variable names they've used in this horrible bit of code. Essentially they're not escaping variables/user-data before outputting it to HTML.

I'm guessing there are many more web applications (not just MantisBT) affected by this NuSOAP issue.
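
The escaping failure described in the note above, shown as an added illustration in PHP (the language NuSOAP is written in). This is not NuSOAP's code, not MantisBT's code and not the patch attached to the changesets on this page; the function and variable names are hypothetical and the input string is constructed from the report's sample URL. A request-derived value (the path or query after the endpoint, which PHP hands a script through $_SERVER entries such as PATH_INFO and QUERY_STRING) is written into an HTML text node and into a double-quoted attribute, the two reflection contexts the report names, first without encoding and then through htmlspecialchars().

```php
<?php
// Added illustration of the bug class described in this report. This is not
// NuSOAP's code and not the MantisBT patch; all names here are hypothetical.
declare(strict_types=1);

// Vulnerable pattern: a request-derived string (for the reported URL, the path
// after the endpoint, which PHP exposes as $_SERVER['PATH_INFO']) is written
// into a text node and into a double-quoted attribute with no encoding, so any
// markup in the request is reflected verbatim into the page.
function renderDescriptionUnsafe(string $requestPath): string
{
    return '<h1>Service description for ' . $requestPath . '</h1>' . "\n"
         . '<a href="' . $requestPath . '?wsdl">WSDL</a>';
}

// Hardened pattern: encode at the point of output for the HTML context.
// ENT_QUOTES encodes both quote characters, which is what protects the
// attribute context; ENT_SUBSTITUTE yields a replacement character instead of
// an empty string on malformed UTF-8; the explicit charset keeps the encoding
// unambiguous between the escaper and the page.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderDescriptionSafe(string $requestPath): string
{
    $safe = escapeHtml($requestPath);
    return '<h1>Service description for ' . $safe . '</h1>' . "\n"
         . '<a href="' . $safe . '?wsdl">WSDL</a>';
}

// Regression check a maintainer can keep in a test suite: an input that
// carries markup must never appear verbatim in the rendered page.
function reflectsInputVerbatim(string $input, string $html): bool
{
    return strpos($html, $input) !== false;
}

// Constructed input modelled on the report's sample URL: path info carrying markup.
$pathInfo = '/1<ScRiPt>prompt(923395)</ScRiPt>';

echo "Unescaped output:\n", renderDescriptionUnsafe($pathInfo), "\n\n";
echo "Escaped output:\n", renderDescriptionSafe($pathInfo), "\n\n";

echo 'Unsafe renderer reflects input verbatim: ',
     var_export(reflectsInputVerbatim($pathInfo, renderDescriptionUnsafe($pathInfo)), true), "\n";
echo 'Safe renderer reflects input verbatim:   ',
     var_export(reflectsInputVerbatim($pathInfo, renderDescriptionSafe($pathInfo)), true), "\n";
```

Run it with the php command-line binary. The unescaped renderer reproduces the markup character for character, the escaped one emits entity-encoded angle brackets that the browser displays as text, and the final check reports true for the first and false for the second. Keeping a check of that shape in the test suite is what stops the flaw from silently returning when the patched copy of a bundled library is later replaced by a newer upstream release, which is exactly the replacement the maintainer describes planning in the notes that follow.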

Note 0026535 by acunetix (reporter), 2010-08-31 10:54

Thanks dhx. I've been reporting vulnerabilities all week and didn't have time to investigate each of them properly. I will contact the NuSOAP guys to fix their code. If it's their code they should fix the problem, not you. Yes, I've quickly checked and there are many applications using NuSOAP.
Note 0026553 by dhx (developer), 2010-09-02 07:53

Upstream bug report for reference purposes: http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005

Thank you for reporting the issue upstream.

I'll attach a patch here in one moment (which I'll apply to our bundled version of NuSOAP). Their project seems a little bit dead to me so I doubt we'll see a fast upstream response on this issue :(
Note 0026554 by dhx (developer), 2010-09-02 08:04

This problem should now be fixed in MantisBT ready for the next release. If upstream makes a new release which resolves the problem we'll bundle the newer release with MantisBT (undoing the patch I have provided in this bug report).

Thanks Bogdan for your assistance and very helpful reporting :)
Note 0026555 by oberger (reporter), 2010-09-02 09:09

@dhx: no, nusoap upstream is not dead AFAIK. Scott Nichol is alive and working on nusoap from time to time.

Btw, it seems to me that servers using the suhosin patch for PHP may be protected, as is the case on one Debian system on which I've tried to reproduce the problem.

Best regards,
Note 0026577 by oberger (reporter), 2010-09-04 13:51

Note that the patch may be improved; see the recent discussion in the upstream forum.
Note 0026697 by giallu (developer), 2010-09-13 03:01

The CVE identifier CVE-2010-3070 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2010/09/07/4

- Related Changesets
MantisBT: master edb81799
Timestamp: 2010-09-02 11:51:21
Author: dhx
Fix 0012312: NuSOAP web description XSS vulnerability

Bogdan Calin from Acunetix discovered a number of XSS vulnerabilities in
NuSOAP 0.9.5 (bundled with MantisBT) relating to improperly escaped
URLs.

A sample exploit URL is:
/api/soap/mantisconnect.php?1<ScRiPt>prompt(923395)</ScRiPt>

The upstream report for these XSS flaws in NuSOAP is located at the
following URL:
http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005

This patch provides an interim fix for MantisBT users until upstream
makes a new release.
Changed files:
mod - library/nusoap/nusoap.php
mod - library/nusoap/class.wsdl.php

MantisBT: master-1.2.x 6b2e7153
Timestamp: 2010-09-02 11:51:21
Author: dhx
Fix 0012312: NuSOAP web description XSS vulnerability

Bogdan Calin from Acunetix discovered a number of XSS vulnerabilities in
NuSOAP 0.9.5 (bundled with MantisBT) relating to improperly escaped
URLs.

A sample exploit URL is:
/api/soap/mantisconnect.php?1<ScRiPt>prompt(923395)</ScRiPt>

The upstream report for these XSS flaws in NuSOAP is located at the
following URL:
http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005

This patch provides an interim fix for MantisBT users until upstream
makes a new release.
Changed files:
mod - library/nusoap/nusoap.php
mod - library/nusoap/class.wsdl.php

MantisBT: master c4f0d68e
Timestamp: 2010-09-02 11:58:37
Author: dhx
Issue 0012312: Provide patch for NuSOAP XSS fix and update README.libs
Changed files:
add - library/nusoap/0001-Fix-12312-NuSOAP-web-description-XSS-vulnerability.patch
mod - library/README.libs
MantisBT: master-1.2.x bce955ce
Timestamp: 2010-09-02 11:58:37
Author: dhx
Issue 0012312: Provide patch for NuSOAP XSS fix and update README.libs
Changed files:
mod - library/README.libs
add - library/nusoap/0001-Fix-12312-NuSOAP-web-description-XSS-vulnerability.patch

- Issue History
Date Modified Username Field Change
2010-08-31 06:16 acunetix New Issue
2010-08-31 06:35 dhx Note Added: 0026528
2010-08-31 06:35 dhx Assigned To => dhx
2010-08-31 06:35 dhx Status new => assigned
2010-08-31 06:36 dhx Severity minor => block
2010-08-31 06:36 dhx Target Version => 1.2.3
2010-08-31 06:43 acunetix Note Added: 0026529
2010-08-31 09:02 dhx Note Added: 0026531
2010-08-31 09:03 dhx Note Edited: 0026531
2010-08-31 09:03 dhx File Added: vulnerable_code.txt
2010-08-31 10:54 acunetix Note Added: 0026535
2010-09-02 07:53 dhx Note Added: 0026553
2010-09-02 08:01 dhx Changeset attached => MantisBT master c4f0d68e
2010-09-02 08:01 dhx Changeset attached => MantisBT master edb81799
2010-09-02 08:01 dhx Changeset attached => MantisBT master-1.2.x bce955ce
2010-09-02 08:01 dhx Changeset attached => MantisBT master-1.2.x 6b2e7153
2010-09-02 08:01 dhx Resolution open => fixed
2010-09-02 08:01 dhx Fixed in Version => 1.2.3
2010-09-02 08:01 dhx Resolution fixed => open
2010-09-02 08:01 dhx Fixed in Version 1.2.3 =>
2010-09-02 08:01 dhx View Status private => public
2010-09-02 08:04 dhx Note Added: 0026554
2010-09-02 08:04 dhx Status assigned => resolved
2010-09-02 08:04 dhx Fixed in Version => 1.2.3
2010-09-02 08:04 dhx Resolution open => fixed
2010-09-02 09:09 oberger Note Added: 0026555
2010-09-04 13:51 oberger Note Added: 0026577
2010-09-13 03:01 giallu Note Added: 0026697
2010-09-14 09:35 dhx Summary XSS (cross-site scripting vulnerability) in Mantis 1.2.2 => NuSOAP WSDL XSS (cross-site scripting vulnerability) in Mantis 1.2.2
2011-08-02 12:35 dregad Status resolved => closed


MantisBT 1.2.17
Copyright © 2000 - 2014 MantisBT Team