View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0012607 | mantisbt | security | public | 2010-12-14 02:43 | 2010-12-17 04:39 |

| Field | Value |
|---|---|
| Reporter | vboctor |
| Assigned To | vboctor |
| Priority | immediate |
| Severity | block |
| Reproducibility | have not tried |
| Status | closed |
| Resolution | fixed |
| Product Version | 1.2.4 |
| Target Version | 1.2.4 |
| Fixed in Version | 1.2.4 |
| Summary | 0012607: LFI/FD and XSS in the 'upgrade_unattended.php' |

Description:

Thanks for responding so quickly. It's about LFI/FD and XSS in the 'upgrade_unattended.php' script through the "db_type" parameter.

XSS: http://[MANTIS_ROOT_HOST]/admin/upgrade_unattended.php?db_type=%3Cscript%3Ealert%281%29%3C/script%3E

PATH DISCLOSURE: http://[MANTIS_ROOT_HOST]/admin/upgrade_unattended.php?db_type=%27

The date is added as a vendor contact date.

Thank you and best regards,
Gjoko Krstic
Zero Science Lab

Tags: No tags attached.
What is the purpose of this script? Gianluca mentioned to me on IRC that it may have originally been targeted towards upgrades from PHP CLI (for distribution package management scripts). This seems highly unlikely to work given that this script calls gpc_ functions that will not work in CLI mode ($_POST and $_GET are undefined). However, I think his guess may have been close because this script returns plaintext output as opposed to HTML. If there is no longer a legitimate use for this script, can we remove it entirely?

I am unable to reproduce the XSS and LFI bugs using the pre-patched version of 1.2.3 (and by extension, 1.3.x). Looking at the source code, the most likely issue is with ADOdb itself. The version of ADOdb shipped with MantisBT 1.2.3 and 1.3.x will take the user-supplied "db_type" parameter and place it directly in the following string: /library/adodb/drivers/adodb-${db_type}.inc.php. Directory traversal shouldn't be possible because the directory starting "adodb-" won't match a directory (only a file, at best). XSS shouldn't be an issue for most browsers as the page is returned as plaintext (not HTML). I imagine this is still an issue in Internet Explorer where MIME type sniffing is performed by default (and could treat the page as HTML instead of plaintext). I have confirmed the path disclosure issue (fixed in Victor's patches).

Sorry, the XSS issue is confirmed in Chromium 9.0.597.16 but not Firefox 4.0b8pre (2010-12-13). I suspect Internet Explorer (all versions) is also affected because of the MIME type sniffing that goes on.

I've put some more patches in place in relation to documentation of the /admin/ directory and the warning we throw on login_page.php if that directory still exists. I also updated Victor's patch to be a little bit more pedantic: for instance, returning the text/plain MIME type instead of text/html, and whitelisting certain characters [a-zA-Z0-9_] for db_type as opposed to using string_attribute (which is a bit looser). I think this is well and truly fixed now :)

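The hardening the comment above describes, as an added illustration (this is not MantisBT's patch, nor code from this issue): an anchored [a-zA-Z0-9_] whitelist on db_type, a text/plain response that never reflects the rejected value, and, going one step beyond the discussion, a containment check on the resolved ADOdb driver path plus a nosniff header against the MIME sniffing mentioned in the thread. The drivers directory location and the function names are assumptions.

```php
<?php
// Added illustration of the hardening described above; not MantisBT's actual
// patch. Assumed vulnerable pattern: a request parameter spliced into an ADOdb
// driver file name, library/adodb/drivers/adodb-${db_type}.inc.php.
declare(strict_types=1);

// Return $db_type only if it matches the [a-zA-Z0-9_] whitelist, else null.
function validate_db_type($db_type): ?string
{
    if (!is_string($db_type) || $db_type === '') {
        return null;   // missing, empty, or an array (db_type[]=...) is rejected
    }
    // Anchored with \A and \z (not $) so a trailing newline cannot slip through.
    return preg_match('/\A[a-zA-Z0-9_]+\z/', $db_type) === 1 ? $db_type : null;
}

// Resolve the driver file for an already validated db_type and confirm it lies
// inside the drivers directory. Returns the real path, or null if absent/outside.
function resolve_driver_file(string $drivers_dir, string $db_type): ?string
{
    $dir = realpath($drivers_dir);
    $candidate = realpath($drivers_dir . '/adodb-' . $db_type . '.inc.php');
    if ($dir === false || $candidate === false) {
        return null;   // fail closed before ADOdb can warn with a full path
    }
    $prefix = $dir . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Plain-text response, and nosniff so browsers that sniff MIME types do not
// promote the body to HTML (the sniffing that let the XSS fire in Chromium).
header('Content-Type: text/plain; charset=utf-8');
header('X-Content-Type-Options: nosniff');

$db_type = validate_db_type($_GET['db_type'] ?? null);
if ($db_type === null) {
    // Never echo the rejected value back; a fixed message cannot reflect input.
    echo "Invalid or missing db_type parameter.\n";
    exit(1);
}

// Hypothetical drivers directory location, relative to this script.
$driver = resolve_driver_file(__DIR__ . '/../library/adodb/drivers', $db_type);
if ($driver === null) {
    echo "Unsupported database type.\n";
    exit(1);
}
echo "Using database driver: $db_type\n";
```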
Please note that all 3 vulnerabilities can be reproduced on most platforms. I think the LFI depends on the web server being used, as it is reproducible on Apache but I haven't had success with nginx. The XSS will generally work in every browser; however, Firefox 4.0b8pre has stricter MIME type handling and doesn't seem to be affected. The PD is reproducible everywhere. 1.2.4 is ready to be packaged and released. Advisories have been written by Gjoko Krstic and are also ready for release. I am on standby to report these bugs to Debian, Redhat, Gentoo, Ubuntu, Fedora, etc. Only Gentoo uses MantisBT 1.2.x so I'll make sure I send the 1.1.x patch to the other distros.

1.2.4 tarballs have been released (thanks John for the quick turnaround). Advisories are on the way out. This issue is now publicly viewable.

http://bugs.gentoo.org/show_bug.cgi?id=348761
https://bugzilla.redhat.com/show_bug.cgi?id=663230
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607159
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482

Replying to first comment: yes, I think we can remove this script from the repository.

CVE-2010-4348: Cross site scripting

MantisBT: master-1.2.x c6295994 2010-12-14 03:00
Fix 0012607: LFI/FD and XSS in the upgrade_unattended.php
Affected Issues: 0012607
mod - admin/upgrade_unattended.php

MantisBT: master 2af6e8dd 2010-12-14 03:00
Fix 0012607: LFI/FD and XSS in the upgrade_unattended.php
Affected Issues: 0012607
mod - admin/upgrade_unattended.php

MantisBT: master-1.2.x 1efe5be6 2010-12-14 03:24
Fix 0012607: LFI/FD and XSS in the upgrade_unattended.php - part 2
Affected Issues: 0012607
mod - admin/upgrade_unattended.php

MantisBT: master 184a0f4a 2010-12-14 03:24
Fix 0012607: LFI/FD and XSS in the upgrade_unattended.php - part 2
Affected Issues: 0012607
mod - admin/upgrade_unattended.php

MantisBT: master 974e6da4 2010-12-14 18:40
Fix 0012607: LFI/PD/XSS in upgrade_unattended.php. Gjoko Krstic of Zero Science Lab has kindly reported in detail a number of vulnerabilities in the admin/upgrade_unattended.php script. Earlier patches by Victor Boctor (MantisBT developer) resolved the issue. This patch enhances those changes to strengthen the security of this script even further. Please note that the "admin" directory SHOULD BE DELETED AFTER INSTALLATION on all live instances of MantisBT.
Affected Issues: 0012607
mod - admin/upgrade_unattended.php

MantisBT: master-1.2.x d67c4deb 2010-12-14 18:40
Fix 0012607: LFI/PD/XSS in upgrade_unattended.php. Gjoko Krstic of Zero Science Lab has kindly reported in detail a number of vulnerabilities in the admin/upgrade_unattended.php script. Earlier patches by Victor Boctor (MantisBT developer) resolved the issue. This patch enhances those changes to strengthen the security of this script even further. Please note that the "admin" directory SHOULD BE DELETED AFTER INSTALLATION on all live instances of MantisBT.
Affected Issues: 0012607
mod - admin/upgrade_unattended.php

MantisBT: master-1.1.x 2641fdc6 2010-12-14 18:40
Fix 0012607: LFI/PD/XSS in upgrade_unattended.php. This is a backport of the fix applied to the 1.2.x and 1.3.x branches. Gjoko Krstic of Zero Science Lab has kindly reported in detail a number of vulnerabilities in the admin/upgrade_unattended.php script. Earlier patches by Victor Boctor (MantisBT developer) resolved the issue. This patch enhances those changes to strengthen the security of this script even further. Please note that the "admin" directory SHOULD BE DELETED AFTER INSTALLATION on all live instances of MantisBT.
Affected Issues: 0012607
mod - admin/upgrade_unattended.php

MantisBT: master 065c99c3 2010-12-14 18:56
Fix 0012607: Update installation instructions regarding admin directory. The /admin/ directory should be removed after installation or upgrading of MantisBT. The installation instructions did not state this requirement and therefore it was quite easy for users to leave this potentially dangerous directory in place on live installations of MantisBT connected to the Internet.
Affected Issues: 0012607
mod - doc/INSTALL

MantisBT: master-1.2.x 54aace93 2010-12-14 18:56
Fix 0012607: Update installation instructions regarding admin directory. The /admin/ directory should be removed after installation or upgrading of MantisBT. The installation instructions did not state this requirement and therefore it was quite easy for users to leave this potentially dangerous directory in place on live installations of MantisBT connected to the Internet.
Affected Issues: 0012607
mod - doc/INSTALL

MantisBT: master 970630aa 2010-12-14 19:16
Fix 0012607: Improve admin directory check on login_page. The warning on login_page.php for the /admin/ directory would sometimes not appear even if files within the /admin/ directory were accessible. This check has been improved to be more pedantic and better suited to cross-platform environments.
Affected Issues: 0012607
mod - login_page.php

MantisBT: master-1.2.x 77de6770 2010-12-14 19:16
Fix 0012607: Improve admin directory check on login_page. The warning on login_page.php for the /admin/ directory would sometimes not appear even if files within the /admin/ directory were accessible. This check has been improved to be more pedantic and better suited to cross-platform environments.
Affected Issues: 0012607
mod - login_page.php

MantisBT: master 987ec693 2010-12-25 04:00
Fix 0012607: Remove unnecessary semicolon from Content-Type header
Affected Issues: 0012607
mod - admin/upgrade_unattended.php

MantisBT: master-1.2.x e534936e 2010-12-25 04:00
Fix 0012607: Remove unnecessary semicolon from Content-Type header
Affected Issues: 0012607
mod - admin/upgrade_unattended.php