View Issue Details

ID: 0012312
Project: mantisbt
Category: security
View Status: public
Last Update: 2011-08-02 12:35
Reporter: acunetix
Assigned To: dhx
Priority: normal
Severity: block
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.2
Target Version: 1.2.3
Fixed in Version: 1.2.3
Summary: 0012312: NuSOAP WSDL XSS (cross-site scripting vulnerability) in Mantis 1.2.2
Description

Hello!

My name is Bogdan Calin. I'm a security researcher at Acunetix (http://www.acunetix.com).
You can contact me at this email address: bogdan [at] acunetix.com

While beta testing the latest version of our product (Acunetix WVS v7) we found a number of security vulnerabilities in various web applications.

The following vulnerabilities were found in Mantis (Version 1.2.2).

  1. XSS in "/mantisbt_1_2_2/api/soap/mantisconnect.php"
    URI was set to 1<ScRiPt>prompt(923395)</ScRiPt>
    The input is reflected inside a text element.
    The input is reflected inside a tag element between double quotes.

Sample HTTP request to reproduce the problem:

GET /mantisbt_1_2_2/api/soap/mantisconnect.php/1%3CScRiPt%3Eprompt(923395)%3C/ScRiPt%3E HTTP/1.1
Cookie: PHPSESSID=4a181a89451adb7b5d459ea3252b1f4a; MANTIS_secure_session=0; MANTIS_PROJECT_COOKIE=0
Host: webapps7:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

If you have questions about these issues, please contact me by email.

Thanks in advance,
Bogdan

Steps To Reproduce
  1. Visit http://webapps7/mantisbt_1_2_2/api/soap/mantisconnect.php/1%3CScRiPt%3Eprompt(923395)%3C/ScRiPt%3E
  2. See a popup window that is confirming the XSS vulnerability.
Tags: No tags attached.
Attached Files
vulnerable_code.txt (1,421 bytes)   
		<div class=content>
			<br><br>
			<div class=title>'.$this->serviceName.'</div>
			<div class=nav>
				<p>View the <a href="'.$PHP_SELF.'?wsdl">WSDL</a> for the service.
				Click on an operation name to view it&apos;s details.</p>
				<ul>';
				foreach($this->getOperations() as $op => $data){
				    $b .= "<li><a href='#' onclick=\"popout();popup('$op')\">$op</a></li>";
				    // create hidden div
				    $b .= "<div id='$op' class='hidden'>
				    <a href='#' onclick='popout()'><font color='#ffffff'>Close</font></a><br><br>";
				    foreach($data as $donnie => $marie){ // loop through opdata
						if($donnie == 'input' || $donnie == 'output'){ // show input/output data
						    $b .= "<font color='white'>".ucfirst($donnie).':</font><br>';
						    foreach($marie as $captain => $tenille){ // loop through data
								if($captain == 'parts'){ // loop thru parts
								    $b .= "&nbsp;&nbsp;$captain:<br>";
					                //if(is_array($tenille)){
								    	foreach($tenille as $joanie => $chachi){
											$b .= "&nbsp;&nbsp;&nbsp;&nbsp;$joanie: $chachi<br>";
								    	}
					        		//}
								} else {
								    $b .= "&nbsp;&nbsp;$captain: $tenille<br>";
								}
						    }
						} else {
						    $b .= "<font color='white'>".ucfirst($donnie).":</font> $marie<br>";
						}
				    }
					$b .= '</div>';
				}
				$b .= '
				<ul>
			</div>
		</div></body></html>';

Activities

dhx (reporter) 2010-08-31 06:35 ~0026528

Thanks for the descriptive and informative bug report Bogdan.

If it's OK I'd like to print and frame this bug as one of the few examples we have of what defines a good bug report :)

I'll try and have this fixed shortly. I've also CC'd in Robert (our SOAP/MantisConnect specialist) and John (most likely person to roll out MantisBT 1.2.3).

Thanks again for finding this XSS bug (in a place most people wouldn't think of looking) and reporting it here so descriptively.

acunetix (reporter) 2010-08-31 06:43 ~0026529

Sure, I'm glad that I could help and that my report is good :)

dhx (reporter) 2010-08-31 09:02 ~0026531 (last edited: 2010-08-31 09:03)

It seems you've uncovered a flaw in NuSOAP itself.

{please see attached vulnerable_code.txt file for the snippet of interest from class.wsdl.php bundled with NuSOAP}

I don't quite get the joke(?) variable names they've used in this horrible bit of code. Essentially they're not escaping variables/user-data before outputting it to HTML.

I'm guessing there are many more web applications (not just MantisBT) affected by this NuSOAP issue.
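The pattern dhx describes, shown as an added example (this is not NuSOAP's or MantisBT's code): the same HTML-building style as the attached class.wsdl.php snippet, first with the request-derived path concatenated straight into the markup and then with output encoding applied. $phpSelf and $operations stand in for $PHP_SELF and $this->getOperations() in the original, and the input values are constructed to mirror the path in the report.

```php
<?php
// Added example, not code from NuSOAP or MantisBT. Assumes $phpSelf plays the
// role of $PHP_SELF (which carries PATH_INFO) and $operations the role of
// $this->getOperations() from the attached snippet.

// Encode a value for an HTML text node or a quoted attribute value.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// Vulnerable pattern: the path and the operation name go into the markup
// without any encoding, so a script tag in PATH_INFO is reflected verbatim.
function renderVulnerable(string $phpSelf, array $operations): string {
    $b = '<p>View the <a href="' . $phpSelf . '?wsdl">WSDL</a> for the service.</p><ul>';
    foreach ($operations as $op => $data) {
        $b .= "<li><a href='#' onclick=\"popout();popup('$op')\">$op</a></li>";
    }
    return $b . '</ul>';
}

// Hardened pattern: each dynamic value is encoded for the context it lands in.
// The operation name inside the onclick handler is JSON-encoded (a JavaScript
// string literal) and then HTML-encoded, because the attribute is HTML-decoded
// before the browser parses it as JavaScript.
function renderEscaped(string $phpSelf, array $operations): string {
    $b = '<p>View the <a href="' . h($phpSelf) . '?wsdl">WSDL</a> for the service.</p><ul>';
    foreach ($operations as $op => $data) {
        $jsOp = json_encode((string) $op, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
        $b .= "<li><a href='#' onclick=\"popout();popup(" . h($jsOp) . ")\">" . h($op) . "</a></li>";
    }
    return $b . '</ul>';
}

// Constructed input modelled on the report: PATH_INFO carrying a script tag.
$phpSelf = '/api/soap/mantisconnect.php/1<ScRiPt>prompt(923395)</ScRiPt>';
$operations = ['mc_version' => ['input' => [], 'output' => []]];

$bad  = renderVulnerable($phpSelf, $operations);
$good = renderEscaped($phpSelf, $operations);

// The unencoded output still contains a live tag; the encoded output only
// contains &lt;ScRiPt&gt; as inert text inside the href attribute.
echo "vulnerable contains raw tag: ", var_export(strpos($bad, '<ScRiPt>') !== false, true), "\n";
echo "hardened contains raw tag:   ", var_export(strpos($good, '<ScRiPt>') !== false, true), "\n";
echo $good, "\n";
```

The same rule applies to every other spot in the attached snippet where $PHP_SELF, $this->serviceName or the operation data is interpolated: encode at the output point, for the context (text, attribute, or JavaScript string) the value is written into.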

acunetix (reporter) 2010-08-31 10:54 ~0026535

Thanks dhx. I've been reporting vulnerabilities all week and didn't have time to investigate each of them properly. I will contact the NuSOAP guys to fix their code. If it's their code they should fix the problem, not you. Yes, I've quickly checked and there are many applications using NuSOAP.

dhx (reporter) 2010-09-02 07:53 ~0026553

Upstream bug report for reference purposes: http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005

Thank you for reporting the issue upstream.

I'll attach a patch here in one moment (which I'll apply to our bundled version of NuSOAP). Their project seems a little bit dead to me so I doubt we'll see a fast upstream response on this issue :(

dhx (reporter) 2010-09-02 08:04 ~0026554

This problem should now be fixed in MantisBT ready for the next release. If upstream makes a new release which resolves the problem we'll bundle the newer release with MantisBT (undoing the patch I have provided in this bug report).

Thanks Bogdan for your assistance and very helpful reporting :)

oberger (reporter) 2010-09-02 09:09 ~0026555

@dhx: no, nusoap upstream is not dead AFAIK. Scott Nichol is alive and working on nusoap from time to time.

Btw, it seems to me that servers using the suhosin patch for PHP may be protected, as is the case on one Debian system I've tried to reproduce the problem on.

Best regards,

oberger (reporter) 2010-09-04 13:51 ~0026577

Note that the patch may be improved... see the recent discussion in the upstream forum.

giallu (reporter) 2010-09-13 03:01 ~0026697

The CVE identifier of CVE-2010-3070 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2010/09/07/4

Related Changesets

MantisBT: master edb81799 (dhx, 2010-09-02 07:51)

Fix 0012312: NuSOAP web description XSS vulnerability

Bogdan Calin from Acunetix discovered a number of XSS vulnerabilities in
NuSOAP 0.9.5 (bundled with MantisBT) relating to improperly escaped
URLs.

A sample exploit URL is:
/api/soap/mantisconnect.php?1<ScRiPt>prompt(923395)</ScRiPt>

The upstream report for these XSS flaws in NuSOAP is located at the
following URL:
http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005

This patch provides an interim fix for MantisBT users until upstream
makes a new release.
Affected Issues: 0012312
mod - library/nusoap/nusoap.php
mod - library/nusoap/class.wsdl.php

MantisBT: master-1.2.x 6b2e7153 (dhx, 2010-09-02 07:51)

Fix 0012312: NuSOAP web description XSS vulnerability

Bogdan Calin from Acunetix discovered a number of XSS vulnerabilities in
NuSOAP 0.9.5 (bundled with MantisBT) relating to improperly escaped
URLs.

A sample exploit URL is:
/api/soap/mantisconnect.php?1<ScRiPt>prompt(923395)</ScRiPt>

The upstream report for these XSS flaws in NuSOAP is located at the
following URL:
http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005

This patch provides an interim fix for MantisBT users until upstream
makes a new release.
Affected Issues: 0012312
mod - library/nusoap/nusoap.php
mod - library/nusoap/class.wsdl.php

MantisBT: master c4f0d68e (dhx, 2010-09-02 07:58)

Issue 0012312: Provide patch for NuSOAP XSS fix and update README.libs
Affected Issues: 0012312
add - library/nusoap/0001-Fix-12312-NuSOAP-web-description-XSS-vulnerability.patch
mod - library/README.libs

MantisBT: master-1.2.x bce955ce (dhx, 2010-09-02 07:58)

Issue 0012312: Provide patch for NuSOAP XSS fix and update README.libs
Affected Issues: 0012312
mod - library/README.libs
add - library/nusoap/0001-Fix-12312-NuSOAP-web-description-XSS-vulnerability.patch