View Issue Details
| Field | Value |
|---|---|
| ID | 0012312 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2010-08-31 06:16 |
| Last Update | 2011-08-02 12:35 |
| Reporter | acunetix |
| Assigned To | dhx |
| Priority | normal |
| Severity | block |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Product Version | 1.2.2 |
| Target Version | 1.2.3 |
| Fixed in Version | 1.2.3 |
| Summary | 0012312: NuSOAP WSDL XSS (cross-site scripting vulnerability) in Mantis 1.2.2 |
Description | Hello! My name is Bogdan Calin. I'm a security researcher at Acunetix (http://www.acunetix.com). While beta testing the latest version of our product (Acunetix WVS v7) we found a number of security vulnerabilities in various web applications. The following vulnerabilities were found in Mantis (Version 1.2.2).

Sample HTTP request to reproduce the problem:

```http
GET /mantisbt_1_2_2/api/soap/mantisconnect.php/1%3CScRiPt%3Eprompt(923395)%3C/ScRiPt%3E HTTP/1.1
```

If you have questions about these issues, please contact me by email. Thanks in advance, |
Steps To Reproduce | (none given) |
Tags | No tags attached. | ||||
Attached Files | vulnerable_code.txt (1,421 bytes)

```php
// Excerpt from wsdl::webDescription() in NuSOAP's class.wsdl.php, as attached
// in vulnerable_code.txt. The excerpt starts part-way through a single-quoted
// string literal; $b is the HTML string the method returns and $PHP_SELF is
// taken from $_SERVER['PHP_SELF'] earlier in the method.
// Nothing interpolated below is escaped before it is written into HTML:
// $PHP_SELF (which carries the request's PATH_INFO, e.g. "/1<ScRiPt>...")
// lands inside the href attribute, and $op, the part names and the type
// strings are interpolated into element bodies and the onclick attribute.
<div class=content>
    <br><br>
    <div class=title>'.$this->serviceName.'</div>
    <div class=nav>
        <p>View the <a href="'.$PHP_SELF.'?wsdl">WSDL</a> for the service.
        Click on an operation name to view it's details.</p>
        <ul>';
        foreach($this->getOperations() as $op => $data){
            $b .= "<li><a href='#' onclick=\"popout();popup('$op')\">$op</a></li>";
            // create hidden div
            $b .= "<div id='$op' class='hidden'>
            <a href='#' onclick='popout()'><font color='#ffffff'>Close</font></a><br><br>";
            foreach($data as $donnie => $marie){ // loop through opdata
                if($donnie == 'input' || $donnie == 'output'){ // show input/output data
                    $b .= "<font color='white'>".ucfirst($donnie).':</font><br>';
                    foreach($marie as $captain => $tenille){ // loop through data
                        if($captain == 'parts'){ // loop thru parts
                            $b .= "  $captain:<br>";
                            //if(is_array($tenille)){
                            foreach($tenille as $joanie => $chachi){
                                $b .= "    $joanie: $chachi<br>";
                            }
                            //}
                        } else {
                            $b .= "  $captain: $tenille<br>";
                        }
                    }
                } else {
                    $b .= "<font color='white'>".ucfirst($donnie).":</font> $marie<br>";
                }
            }
            $b .= '</div>';
        }
        $b .= '
        <ul>
    </div>
</div></body></html>';
```
Thanks for the descriptive and informative bug report Bogdan. If it's OK I'd like to print and frame this bug as one of the few examples we have of what defines a good bug report :) I'll try and have this fixed shortly. I've also CC'd in Robert (our SOAP/MantisConnect specialist) and John (most likely person to roll out MantisBT 1.2.3). Thanks again for finding this XSS bug (in a place most people wouldn't think of looking) and reporting it here so descriptively. |
|
Sure, I'm glad that I could help and that my report is good :) |
|
It seems you've uncovered a flaw in NuSOAP itself. (Please see the attached vulnerable_code.txt file for the snippet of interest from class.wsdl.php bundled with NuSOAP.) I don't quite get the joke(?) variable names they've used in this horrible bit of code. Essentially they're not escaping variables/user-data before outputting them to HTML. I'm guessing there are many more web applications (not just MantisBT) affected by this NuSOAP issue. |
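To make the point in the comment above concrete, here is an added example (not NuSOAP's or MantisBT's code, and not the patch that shipped in 1.2.3) that isolates the sink from the attached excerpt, the self-link built from `$PHP_SELF`, beside one way of hardening it. It uses the path form of the request from the report (payload after `mantisconnect.php/`), because PHP appends PATH_INFO to `$_SERVER['PHP_SELF']`, which is how the payload reaches the template. The function names `renderVulnerable`, `renderHardened` and `h`, the operation list and the service name are this example's own assumptions.

```php
<?php
// Added example, not NuSOAP or MantisBT code. It isolates the unescaped
// $PHP_SELF sink from wsdl::webDescription() and shows one way to harden it.
// Function and variable names below are this example's own.

declare(strict_types=1);

// Simplified stand-in for the vulnerable rendering. $phpSelf is what PHP puts
// in $_SERVER['PHP_SELF']; it includes any trailing PATH_INFO, so a request
// for /mantisconnect.php/<payload> arrives here with the payload attached.
function renderVulnerable(string $serviceName, string $phpSelf, array $ops): string
{
    $b = '<div class=title>' . $serviceName . '</div>';
    $b .= '<p>View the <a href="' . $phpSelf . '?wsdl">WSDL</a> for the service.</p><ul>';
    foreach ($ops as $op => $data) {
        $b .= "<li><a href='#' onclick=\"popout();popup('$op')\">$op</a></li>";
    }
    return $b . '</ul>';
}

// HTML escaping for both element bodies and attribute values. ENT_QUOTES
// neutralises the ' delimiter as well as ", which matters here because the
// original template mixes single- and double-quoted attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Hardened version: every interpolated value is escaped for the context it
// lands in. Operation names also go into a JavaScript string inside onclick,
// so they are first turned into a quoted JS literal with json_encode() and
// then escaped again at the attribute level.
function renderHardened(string $serviceName, string $phpSelf, array $ops): string
{
    $b = '<div class=title>' . h($serviceName) . '</div>';
    $b .= '<p>View the <a href="' . h($phpSelf) . '?wsdl">WSDL</a> for the service.</p><ul>';
    foreach ($ops as $op => $data) {
        $jsArg = (string) json_encode($op, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
        $b .= "<li><a href='#' onclick=\"popout();popup(" . h($jsArg) . ")\">" . h($op) . "</a></li>";
    }
    return $b . '</ul>';
}

// Returns true when the raw (unencoded) payload is present in the HTML.
function payloadReflectedRaw(string $html, string $payload): bool
{
    return strpos($html, $payload) !== false;
}

// The request from the report, URL-decoded as the web server hands it to
// PHP: PATH_INFO "/1<ScRiPt>prompt(923395)</ScRiPt>" is appended to the
// script path in PHP_SELF.
$phpSelf = '/mantisbt_1_2_2/api/soap/mantisconnect.php/1<ScRiPt>prompt(923395)</ScRiPt>';
$payload = '<ScRiPt>prompt(923395)</ScRiPt>';
$ops     = ['mc_version' => [], 'mc_login' => []];   // constructed sample operations

$vuln = renderVulnerable('MantisConnect', $phpSelf, $ops);
$safe = renderHardened('MantisConnect', $phpSelf, $ops);

printf("vulnerable render reflects payload unescaped: %s\n", var_export(payloadReflectedRaw($vuln, $payload), true));
printf("hardened render reflects payload unescaped:   %s\n", var_export(payloadReflectedRaw($safe, $payload), true));
printf("hardened render contains entity-encoded form: %s\n", var_export(strpos($safe, '&lt;ScRiPt&gt;prompt(923395)&lt;/ScRiPt&gt;') !== false, true));
```

Two things a practitioner will want to keep in mind. First, a self-link is better built from `$_SERVER['SCRIPT_NAME']` than from `PHP_SELF`, since `SCRIPT_NAME` does not carry PATH_INFO; escaping is still required either way. Second, after applying a fix, re-request the exact URL from the report and confirm the reflected `<` comes back as `&lt;` in the body; a request blocked or mangled by a hardening layer in front of PHP says nothing about whether the template itself is fixed.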
|
Thanks dhx. I've been reporting vulnerabilities all week and didn't have time to investigate each of them properly. I will contact the NuSOAP guys to fix their code. If it's their code they should fix the problem, not you. Yes, I've quickly checked and there are many applications using NuSOAP. |
|
Upstream bug report for reference purposes: http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005 Thank you for reporting the issue upstream. I'll attach a patch here in one moment (which I'll apply to our bundled version of NuSOAP). Their project seems a little bit dead to me so I doubt we'll see a fast upstream response on this issue :( |
|
This problem should now be fixed in MantisBT ready for the next release. If upstream makes a new release which resolves the problem we'll bundle the newer release with MantisBT (undoing the patch I have provided in this bug report). Thanks Bogdan for your assistance and very helpful reporting :) |
|
@dhx: no, nusoap upstream is not dead AFAIK. Scott Nichol is alive and working on nusoap from time to time. Btw, it seems to me that servers using the suhosin patch for PHP may be protected, as is the case on one Debian system I've tried to reproduce the problem on. Best regards, |
|
Note that the patch may be improved... see the recent discussion in the upstream forum. |
|
The CVE identifier of CVE-2010-3070 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2010/09/07/4 |
|
MantisBT: master edb81799 2010-09-02 07:51

Fix 0012312: NuSOAP web description XSS vulnerability

Bogdan Calin from Acunetix discovered a number of XSS vulnerabilities in NuSOAP 0.9.5 (bundled with MantisBT) relating to improperly escaped URLs. A sample exploit URL is:

    /api/soap/mantisconnect.php?1<ScRiPt>prompt(923395)</ScRiPt>

The upstream report for these XSS flaws in NuSOAP is located at the following URL: http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005

This patch provides an interim fix for MantisBT users until upstream makes a new release.

Affected Issues: 0012312

mod - library/nusoap/nusoap.php
mod - library/nusoap/class.wsdl.php
MantisBT: master-1.2.x 6b2e7153 2010-09-02 07:51

Fix 0012312: NuSOAP web description XSS vulnerability

Bogdan Calin from Acunetix discovered a number of XSS vulnerabilities in NuSOAP 0.9.5 (bundled with MantisBT) relating to improperly escaped URLs. A sample exploit URL is:

    /api/soap/mantisconnect.php?1<ScRiPt>prompt(923395)</ScRiPt>

The upstream report for these XSS flaws in NuSOAP is located at the following URL: http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005

This patch provides an interim fix for MantisBT users until upstream makes a new release.

Affected Issues: 0012312

mod - library/nusoap/nusoap.php
mod - library/nusoap/class.wsdl.php
MantisBT: master c4f0d68e 2010-09-02 07:58

Issue 0012312: Provide patch for NuSOAP XSS fix and update README.libs

Affected Issues: 0012312

add - library/nusoap/0001-Fix-12312-NuSOAP-web-description-XSS-vulnerability.patch
mod - library/README.libs
MantisBT: master-1.2.x bce955ce 2010-09-02 07:58

Issue 0012312: Provide patch for NuSOAP XSS fix and update README.libs

Affected Issues: 0012312

mod - library/README.libs
add - library/nusoap/0001-Fix-12312-NuSOAP-web-description-XSS-vulnerability.patch