View Issue Details

ID: 0012607
Project: mantisbt
Category: security
View Status: public
Last Update: 2010-12-17 04:39
Reporter: vboctor
Assigned To: vboctor
Priority: immediate
Severity: block
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.2.4
Target Version: 1.2.4
Fixed in Version: 1.2.4
Summary: 0012607: LFI/FD and XSS in the 'upgrade_unattended.php'
Description

Thanks for responding so quickly. It's about LFI/FD and XSS in the 'upgrade_unattended.php' script through the "db_type" parameter.

XSS: http://[MANTIS_ROOT_HOST]/admin/upgrade_unattended.php?db_type=%3Cscript%3Ealert%281%29%3C/script%3E

LFI: http://[MANTIS_ROOT_HOST]/admin/upgrade_unattended.php?db_type=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00

PATH DISCLOSURE: http://[MANTIS_ROOT_HOST]/admin/upgrade_unattended.php?db_type=%27

The date is added as a vendor contact date.
I'm expecting you to verify the issues and acknowledge/credit Zero Science Lab for these findings. After confirmation, a scheduled patch release date is expected.

Thank you and best regards,

Gjoko Krstic
Information Security Engineer

Zero Science Lab
Macedonian Information Security Research & Development Laboratory
http://www.zeroscience.mk

Tags: No tags attached.

Activities

dhx (reporter), 2010-12-14 03:52, ~0027590

What is the purpose of this script?

Gianluca mentioned to me on IRC that it may have originally been targeted towards upgrades from PHP CLI (for distribution package management scripts). This seems highly unlikely to work given that this script calls gpc_ functions that will not work in CLI mode ($_POST and $_GET are undefined). However I think his guess may have been close because this script returns plaintext output as opposed to HTML.

If there is no longer a legitimate use for this script, can we remove it entirely?

dhx (reporter), 2010-12-14 04:24, ~0027591

I am unable to reproduce the XSS and LFI bugs using the pre-patch version of 1.2.3 (and by extension, 1.3.x). Looking at the source code the most likely issue is with ADOdb itself. The version of ADOdb shipped with MantisBT 1.2.3 and 1.3.x will take the user supplied "db_type" parameter and place it directly in the following string:

/library/adodb/drivers/adodb-${db_type}.inc.php

Directory traversal shouldn't be possible because the directory starting "adodb-" won't match a directory (only a file, at best).

XSS shouldn't be an issue for most browsers as the page is returned as plaintext (not HTML). I imagine this is still an issue in Internet Explorer where MIME type sniffing is performed by default (and could treat the page as HTML instead of plaintext).

I have confirmed the path disclosure issue (fixed in Victor's patches).

dhx (reporter), 2010-12-14 04:46, ~0027592

Sorry, the XSS issue is confirmed in Chromium 9.0.597.16 but not Firefox 4.0b8pre (2010-12-13). I suspect Internet Explorer (all versions) is also affected because of the MIME type sniffing that goes on.

dhx (reporter), 2010-12-14 19:46, ~0027599

I've put some more patches in place in relation to documentation of the /admin/ directory and the warning we throw on login_page.php if that directory still exists.

I also updated Victor's patch to be a little bit more pedantic. For instance, returning the text/plain MIME type instead of text/html. And whitelisting certain characters [a-zA-Z0-9_] for db_type as opposed to using string_attribute (which is a bit looser).

I think this is well and truly fixed now :)
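The following is an added example, not code from MantisBT or ADOdb, that models the two patterns discussed in the comments above: an untrusted "db_type" request parameter concatenated straight into a driver include path of the form /library/adodb/drivers/adodb-${db_type}.inc.php, and the hardened form dhx describes (a [a-zA-Z0-9_] whitelist on db_type and an explicit text/plain response). The function names, the ADODB_DIR value and the sample payload list are assumptions; the payloads themselves are the URL-decoded values from the report. The X-Content-Type-Options header goes beyond the patch on this page and is included only as defence in depth against the MIME-sniffing behaviour noted for Chromium and Internet Explorer.

```php
<?php
// Added example, not MantisBT's or ADOdb's code. ADODB_DIR and the function
// names are assumptions used for illustration only.
define('ADODB_DIR', '/var/www/mantisbt/library/adodb');

// Vulnerable shape: the client-supplied value becomes part of the filename.
// On PHP versions before 5.3.4 a NUL byte truncated the path passed to
// include_once(), discarding the trailing ".inc.php" suffix; that is what the
// "%00" at the end of the reported LFI payload relies on. A value that does not
// name an existing driver makes the include fail, and the resulting PHP warning
// carries the full filesystem path (the usual source of a path disclosure).
function driver_path_unsafe(string $db_type): string
{
    return ADODB_DIR . '/drivers/adodb-' . $db_type . '.inc.php';
}

// Hardened shape: accept only identifier characters, as in the patch
// described above, and reject everything else before the value gets anywhere
// near include_once(). \A and \z anchor the whole string (a plain $ would
// still accept a trailing newline).
function is_valid_db_type(string $db_type): bool
{
    return preg_match('/\A[a-zA-Z0-9_]+\z/', $db_type) === 1;
}

// Returns null for rejected input so the caller can print a fixed error
// message rather than echoing the attacker's value or a failed include path.
function driver_path_safe(string $db_type): ?string
{
    if (!is_valid_db_type($db_type)) {
        return null;
    }
    // Safe to build now: no '/', '.', NUL or quote characters can be present.
    return driver_path_unsafe($db_type);
}

// The script emits plain text, so declare it rather than letting a browser
// sniff HTML out of the body. nosniff is an addition beyond the page's patch.
function emit_plain_text_headers(): void
{
    header('Content-Type: text/plain; charset=UTF-8');
    header('X-Content-Type-Options: nosniff');
}

// Constructed test input: one legitimate driver name plus the three payloads
// from the report (XSS, LFI with NUL truncation, path disclosure).
$samples = [
    'mysql',
    '<script>alert(1)</script>',
    "../../../../../../../../boot.ini\0",
    "'",
];

if (PHP_SAPI === 'cli') {
    foreach ($samples as $s) {
        $safe = driver_path_safe($s);
        printf("input:  %s\nunsafe: %s\nsafe:   %s\n\n",
            json_encode($s),
            json_encode(driver_path_unsafe($s)),
            $safe === null ? 'REJECTED' : json_encode($safe));
    }
}
```

Run it with `php example.php` from a shell: only "mysql" survives the whitelist, and the three reported payloads are rejected before any path is built. Note that the whitelist, not the NUL-byte fix in newer PHP, is what closes the hole; relying on the interpreter version would leave the path-disclosure and XSS cases untouched.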

dhx (reporter), 2010-12-14 20:34, ~0027602

Please note that all 3 vulnerabilities can be reproduced on most platforms. I think the LFI depends on the web server being used as it is reproducible on Apache but I haven't had success with nginx. The XSS will generally work in every browser however Firefox 4.0b8pre has stricter MIME type handling and doesn't seem to be affected. The PD is reproducible everywhere.

1.2.4 is ready to be packaged and released.

Advisories have been written by Gjoko Krstic and are also ready for release.

I am on standby to report these bugs to Debian, Redhat, Gentoo, Ubuntu, Fedora, etc. Only Gentoo uses MantisBT 1.2.x so I'll make sure I send the 1.1.x patch to the other distros.

dhx (reporter), 2010-12-14 21:49, ~0027603

1.2.4 tarballs have been released (thanks John for the quick turnaround). Advisories are on the way out. This issue is now publicly viewable.

dhx (reporter), 2010-12-14 22:52, ~0027604

http://bugs.gentoo.org/show_bug.cgi?id=348761

https://bugzilla.redhat.com/show_bug.cgi?id=663230

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607159

https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482

giallu (reporter), 2010-12-15 05:44, ~0027607

Replying to first comment: yes, I think we can remove this script from the repository

dhx (reporter), 2010-12-16 20:00, ~0027626

CVE-2010-4348: Cross site scripting
CVE-2010-4349: Path disclosure
CVE-2010-4350: Local file inclusion

Related Changesets

MantisBT: master-1.2.x c6295994, 2010-12-14 03:00, vboctor
Fix 0012607: LFI/FD and XSS in the upgrade_unattended.php
Affected Issues: 0012607
mod - admin/upgrade_unattended.php

MantisBT: master 2af6e8dd, 2010-12-14 03:00, vboctor
Fix 0012607: LFI/FD and XSS in the upgrade_unattended.php
Affected Issues: 0012607
mod - admin/upgrade_unattended.php

MantisBT: master-1.2.x 1efe5be6, 2010-12-14 03:24, vboctor
Fix 0012607: LFI/FD and XSS in the upgrade_unattended.php - part 2
Affected Issues: 0012607
mod - admin/upgrade_unattended.php

MantisBT: master 184a0f4a, 2010-12-14 03:24, vboctor
Fix 0012607: LFI/FD and XSS in the upgrade_unattended.php - part 2
Affected Issues: 0012607
mod - admin/upgrade_unattended.php

MantisBT: master 974e6da4, 2010-12-14 18:40, dhx
Fix 0012607: LFI/PD/XSS in upgrade_unattended.php

Gjoko Krstic of Zero Science Lab has kindly reported in detail a number
of vulnerabilities in the admin/upgrade_unattended.php script.

Earlier patches by Victor Boctor (MantisBT developer) resolved the
issue. This patch enhances those changes to strengthen the security of
this script even further.

Please note that the "admin" directory SHOULD BE DELETED AFTER
INSTALLATION on all live instances of MantisBT.
Affected Issues: 0012607
mod - admin/upgrade_unattended.php

MantisBT: master-1.2.x d67c4deb, 2010-12-14 18:40, dhx
Fix 0012607: LFI/PD/XSS in upgrade_unattended.php

Gjoko Krstic of Zero Science Lab has kindly reported in detail a number
of vulnerabilities in the admin/upgrade_unattended.php script.

Earlier patches by Victor Boctor (MantisBT developer) resolved the
issue. This patch enhances those changes to strengthen the security of
this script even further.

Please note that the "admin" directory SHOULD BE DELETED AFTER
INSTALLATION on all live instances of MantisBT.
Affected Issues: 0012607
mod - admin/upgrade_unattended.php

MantisBT: master-1.1.x 2641fdc6, 2010-12-14 18:40, dhx
Fix 0012607: LFI/PD/XSS in upgrade_unattended.php

This is a backport of the fix applied to the 1.2.x and 1.3.x branches.

Gjoko Krstic of Zero Science Lab has kindly reported in detail a number
of vulnerabilities in the admin/upgrade_unattended.php script.

Earlier patches by Victor Boctor (MantisBT developer) resolved the
issue. This patch enhances those changes to strengthen the security of
this script even further.

Please note that the "admin" directory SHOULD BE DELETED AFTER
INSTALLATION on all live instances of MantisBT.
Affected Issues: 0012607
mod - admin/upgrade_unattended.php

MantisBT: master 065c99c3, 2010-12-14 18:56, dhx
Fix 0012607: Update installation instructions regarding admin directory

The /admin/ directory should be removed after installation or upgrading
of MantisBT. The installation instructions did not state this
requirement and therefore it was quite easy for users to leave this
potentially dangerous directory in place on live installations of
MantisBT connected to the Internet.
Affected Issues: 0012607
mod - doc/INSTALL

MantisBT: master-1.2.x 54aace93, 2010-12-14 18:56, dhx
Fix 0012607: Update installation instructions regarding admin directory

The /admin/ directory should be removed after installation or upgrading
of MantisBT. The installation instructions did not state this
requirement and therefore it was quite easy for users to leave this
potentially dangerous directory in place on live installations of
MantisBT connected to the Internet.
Affected Issues: 0012607
mod - doc/INSTALL

MantisBT: master 970630aa, 2010-12-14 19:16, dhx
Fix 0012607: Improve admin directory check on login_page

The warning on login_page.php for the /admin/ directory would sometimes
not appear even if files within the /admin/ directory were accessible.

This check has been improved to be more pedantic and better suited to
cross-platform environments.
Affected Issues: 0012607
mod - login_page.php

MantisBT: master-1.2.x 77de6770, 2010-12-14 19:16, dhx
Fix 0012607: Improve admin directory check on login_page

The warning on login_page.php for the /admin/ directory would sometimes
not appear even if files within the /admin/ directory were accessible.

This check has been improved to be more pedantic and better suited to
cross-platform environments.
Affected Issues: 0012607
mod - login_page.php

MantisBT: master 987ec693, 2010-12-25 04:00, dhx
Fix 0012607: Remove unnecessary semi colon from Content-Type header
Affected Issues: 0012607
mod - admin/upgrade_unattended.php

MantisBT: master-1.2.x e534936e, 2010-12-25 04:00, dhx
Fix 0012607: Remove unnecessary semi colon from Content-Type header
Affected Issues: 0012607
mod - admin/upgrade_unattended.php