0012312: NuSOAP WSDL XSS (cross-site scripting vulnerability) in Mantis 1.2.2

(0026528)
dhx (developer)
2010-08-31 06:35

Thanks for the descriptive and informative bug report Bogdan.

If it's OK I'd like to print and frame this bug as one of the few examples we have of what defines a good bug report :)

I'll try and have this fixed shortly. I've also CC'd in Robert (our SOAP/MantisConnect specialist) and John (most likely person to roll out MantisBT 1.2.3).

Thanks again for finding this XSS bug (in a place most people wouldn't think of looking) and reporting it here so descriptively.

(0026529)
acunetix (reporter)
2010-08-31 06:43

Sure, I'm glad that I could help and that my report is good :)

(0026531)
dhx (developer)
2010-08-31 09:02
edited on: 2010-08-31 09:03

It seems you've uncovered a flaw in NuSOAP itself.

{please see attached vulnerable_code.txt file for the snippet of interest from class.wsdl.php bundled with NuSOAP}

I don't quite get the joke? variable names they've used in this horrible bit of code. Essentially they're not escaping variables/user-data before outputting it to HTML.

I'm guessing there are many more web applications (not just MantisBT) affected by this NuSOAP issue.

(0026535)
acunetix (reporter)
2010-08-31 10:54

Thanks dhx. I've been reporting vulnerabilities all week and didn't had time to investigate each of them properly. I will contact the NuSOAP guys to fix their code. If it's their code they should fix the problem, not you. Yes, I've quickly checked and there are many applications using NuSOAP.

(0026553)
dhx (developer)
2010-09-02 07:53

Upstream bug report for reference purposes: http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005 [^]

Thank you for reporting the issue upstream.

I'll attach a patch here in one moment (which I'll apply to our bundled version of NuSOAP). Their project seems a little bit dead to me so I doubt we'll see a fast upstream response on this issue :(

(0026554)
dhx (developer)
2010-09-02 08:04

This problem should now be fixed in MantisBT ready for the next release. If upstream makes a new release which resolves the problem we'll bundle the newer release with MantisBT (undoing the patch I have provided in this bug report).

Thanks Bodgan for your assistance and very helpful reporting :)

(0026555)
oberger (reporter)
2010-09-02 09:09

@dhx: no, nusoap upstream is not dead AFAIK. Scott Nichol is alive and working on nusoap from time to time.

Btw, it seems to me that servers using the suhosin patch for PHP may be protected, as is the case on one Debian system I've tried and reproduce the problem.

Best regards,

(0026577)
oberger (reporter)
2010-09-04 13:51

Note that the patch may be improved... see recent discussion in upstream forum

(0026697)
giallu (developer)
2010-09-13 03:01

The CVE identifier of CVE-2010-3070 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2010/09/07/4 [^]

Related Changesets
MantisBT: master edb81799 Timestamp: 2010-09-02 11:51:21 Author: dhx [ Details ] [ Diff ]	Fix 0012312: NuSOAP web description XSS vulnerability Bogdan Calin from Acunetix discovered a number of XSS vulnerabilities in NuSOAP 0.9.5 (bundled with MantisBT) relating to improperly escaped URLs. A sample exploit URL is: /api/soap/mantisconnect.php?1<ScRiPt>prompt(923395)</ScRiPt> The upstream report for these XSS flaws in NuSOAP is located at the following URL: http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005 [^] This patch provides an interim fix for MantisBT users until upstream makes a new release.
	mod - library/nusoap/nusoap.php	[ Diff ] [ File ]
	mod - library/nusoap/class.wsdl.php	[ Diff ] [ File ]

MantisBT: master-1.2.x 6b2e7153 Timestamp: 2010-09-02 11:51:21 Author: dhx [ Details ] [ Diff ]	Fix 0012312: NuSOAP web description XSS vulnerability Bogdan Calin from Acunetix discovered a number of XSS vulnerabilities in NuSOAP 0.9.5 (bundled with MantisBT) relating to improperly escaped URLs. A sample exploit URL is: /api/soap/mantisconnect.php?1<ScRiPt>prompt(923395)</ScRiPt> The upstream report for these XSS flaws in NuSOAP is located at the following URL: http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005 [^] This patch provides an interim fix for MantisBT users until upstream makes a new release.
	mod - library/nusoap/nusoap.php	[ Diff ] [ File ]
	mod - library/nusoap/class.wsdl.php	[ Diff ] [ File ]

MantisBT: master c4f0d68e Timestamp: 2010-09-02 11:58:37 Author: dhx [ Details ] [ Diff ]	Issue 0012312: Provide patch for NuSOAP XSS fix and update README.libs
	add - library/nusoap/0001-Fix-12312-NuSOAP-web-description-XSS-vulnerability.patch	[ Diff ] [ File ]
	mod - library/README.libs	[ Diff ] [ File ]

MantisBT: master-1.2.x bce955ce Timestamp: 2010-09-02 11:58:37 Author: dhx [ Details ] [ Diff ]	Issue 0012312: Provide patch for NuSOAP XSS fix and update README.libs
	mod - library/README.libs	[ Diff ] [ File ]
	add - library/nusoap/0001-Fix-12312-NuSOAP-web-description-XSS-vulnerability.patch	[ Diff ] [ File ]

Issue History
Date Modified	Username	Field	Change
2010-08-31 06:16	acunetix	New Issue
2010-08-31 06:35	dhx	Note Added: 0026528
2010-08-31 06:35	dhx	Assigned To	=> dhx
2010-08-31 06:35	dhx	Status	new => assigned
2010-08-31 06:36	dhx	Severity	minor => block
2010-08-31 06:36	dhx	Target Version	=> 1.2.3
2010-08-31 06:43	acunetix	Note Added: 0026529
2010-08-31 09:02	dhx	Note Added: 0026531
2010-08-31 09:03	dhx	Note Edited: 0026531	View Revisions
2010-08-31 09:03	dhx	File Added: vulnerable_code.txt
2010-08-31 10:54	acunetix	Note Added: 0026535
2010-09-02 07:53	dhx	Note Added: 0026553
2010-09-02 08:01	dhx	Changeset attached	=> MantisBT master c4f0d68e
2010-09-02 08:01	dhx	Changeset attached	=> MantisBT master edb81799
2010-09-02 08:01	dhx	Changeset attached	=> MantisBT master-1.2.x bce955ce
2010-09-02 08:01	dhx	Changeset attached	=> MantisBT master-1.2.x 6b2e7153
2010-09-02 08:01	dhx	Resolution	open => fixed
2010-09-02 08:01	dhx	Fixed in Version	=> 1.2.3
2010-09-02 08:01	dhx	Resolution	fixed => open
2010-09-02 08:01	dhx	Fixed in Version	1.2.3 =>
2010-09-02 08:01	dhx	View Status	private => public
2010-09-02 08:04	dhx	Note Added: 0026554
2010-09-02 08:04	dhx	Status	assigned => resolved
2010-09-02 08:04	dhx	Fixed in Version	=> 1.2.3
2010-09-02 08:04	dhx	Resolution	open => fixed
2010-09-02 09:09	oberger	Note Added: 0026555
2010-09-04 13:51	oberger	Note Added: 0026577
2010-09-13 03:01	giallu	Note Added: 0026697
2010-09-14 09:35	dhx	Summary	XSS (cross-site scripting vulnerability) in Mantis 1.2.2 => NuSOAP WSDL XSS (cross-site scripting vulnerability) in Mantis 1.2.2
2011-08-02 12:35	dregad	Status	resolved => closed

Notes
(0026528) dhx (developer) 2010-08-31 06:35	Thanks for the descriptive and informative bug report Bogdan. If it's OK I'd like to print and frame this bug as one of the few examples we have of what defines a good bug report :) I'll try and have this fixed shortly. I've also CC'd in Robert (our SOAP/MantisConnect specialist) and John (most likely person to roll out MantisBT 1.2.3). Thanks again for finding this XSS bug (in a place most people wouldn't think of looking) and reporting it here so descriptively.

(0026529) acunetix (reporter) 2010-08-31 06:43	Sure, I'm glad that I could help and that my report is good :)

(0026531) dhx (developer) 2010-08-31 09:02 edited on: 2010-08-31 09:03	It seems you've uncovered a flaw in NuSOAP itself. {please see attached vulnerable_code.txt file for the snippet of interest from class.wsdl.php bundled with NuSOAP} I don't quite get the joke? variable names they've used in this horrible bit of code. Essentially they're not escaping variables/user-data before outputting it to HTML. I'm guessing there are many more web applications (not just MantisBT) affected by this NuSOAP issue.

(0026535) acunetix (reporter) 2010-08-31 10:54	Thanks dhx. I've been reporting vulnerabilities all week and didn't had time to investigate each of them properly. I will contact the NuSOAP guys to fix their code. If it's their code they should fix the problem, not you. Yes, I've quickly checked and there are many applications using NuSOAP.

(0026553) dhx (developer) 2010-09-02 07:53	Upstream bug report for reference purposes: http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005 [^] Thank you for reporting the issue upstream. I'll attach a patch here in one moment (which I'll apply to our bundled version of NuSOAP). Their project seems a little bit dead to me so I doubt we'll see a fast upstream response on this issue :(

(0026554) dhx (developer) 2010-09-02 08:04	This problem should now be fixed in MantisBT ready for the next release. If upstream makes a new release which resolves the problem we'll bundle the newer release with MantisBT (undoing the patch I have provided in this bug report). Thanks Bodgan for your assistance and very helpful reporting :)

(0026555) oberger (reporter) 2010-09-02 09:09	@dhx: no, nusoap upstream is not dead AFAIK. Scott Nichol is alive and working on nusoap from time to time. Btw, it seems to me that servers using the suhosin patch for PHP may be protected, as is the case on one Debian system I've tried and reproduce the problem. Best regards,

(0026577) oberger (reporter) 2010-09-04 13:51	Note that the patch may be improved... see recent discussion in upstream forum

(0026697) giallu (developer) 2010-09-13 03:01	The CVE identifier of CVE-2010-3070 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2010/09/07/4 [^]

Relationships