MantisBT

View Issue Details

ID: 0012607
Project: mantisbt
Category: security
View Status: public
Date Submitted: 2010-12-14 02:43
Last Update: 2010-12-17 04:39
Reporter: vboctor
Assigned To: vboctor
Priority: immediate
Severity: block
Reproducibility: have not tried
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 1.2.4
Target Version: 1.2.4
Fixed in Version: 1.2.4
Summary: 0012607: LFI/FD and XSS in the 'upgrade_unattended.php'

Description:
Thanks for responding so quickly. It's about LFI/FD and XSS in the 'upgrade_unattended.php' script through the "db_type" parameter.

XSS: http://[MANTIS_ROOT_HOST]/admin/upgrade_unattended.php?db_type=%3Cscript%3Ealert%281%29%3C/script%3E

LFI: http://[MANTIS_ROOT_HOST]/admin/upgrade_unattended.php?db_type=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00

PATH DISCLOSURE: http://[MANTIS_ROOT_HOST]/admin/upgrade_unattended.php?db_type=%27

The date is added as a vendor contact date.
I'm expecting you to verify the issues and acknowledge/credit Zero Science Lab for these findings. After confirmation, scheduled patch release date is expected.

Thank you and best regards,

Gjoko Krstic
Information Security Engineer

Zero Science Lab
Macedonian Information Security Research & Development Laboratory
http://www.zeroscience.mk

Tags: No tags attached.

Attached Files:

Relationships:

Notes
(0027590) dhx (developer), 2010-12-14 03:52

What is the purpose of this script?

Gianluca mentioned to me on IRC that it may have originally been targeted towards upgrades from PHP CLI (for distribution package management scripts). This seems highly unlikely to work given that this script calls gpc_ functions that will not work in CLI mode ($_POST and $_GET are undefined). However, I think his guess may have been close because this script returns plaintext output as opposed to HTML.

If there is no longer a legitimate use for this script, can we remove it entirely?
(0027591) dhx (developer), 2010-12-14 04:24

I am unable to reproduce the XSS and LFI bugs using the prepatched version of 1.2.3 (and by extension, 1.3.x). Looking at the source code the most likely issue is with ADOdb itself. The version of ADOdb shipped with MantisBT 1.2.3 and 1.3.x will take the user supplied "db_type" parameter and place it directly in the following string:

/library/adodb/drivers/adodb-${db_type}.inc.php

Directory traversal shouldn't be possible because the directory starting "adodb-" won't match a directory (only a file, at best).

XSS shouldn't be an issue for most browsers as the page is returned as plaintext (not HTML). I imagine this is still an issue in Internet Explorer where MIME type sniffing is performed by default (and could treat the page as HTML instead of plaintext).

I have confirmed the path disclosure issue (fixed in Victor's patches).
(0027592) dhx (developer), 2010-12-14 04:46

Sorry, the XSS issue is confirmed in Chromium 9.0.597.16 but not Firefox 4.0b8pre (2010-12-13). I suspect Internet Explorer (all versions) is also affected because of the MIME type sniffing that goes on.
(0027599) dhx (developer), 2010-12-14 19:46

I've put some more patches in place in relation to documentation of the /admin/ directory and the warning we throw on login_page.php if that directory still exists.

I also updated Victor's patch to be a little bit more pedantic. For instance, returning the text/plain MIME type instead of text/html. And whitelisting certain characters [a-zA-Z0-9_] for db_type as opposed to using string_attribute (which is a bit looser).

I think this is well and truly fixed now :)
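A hardened version of the driver-selection step that the notes above discuss, as an added example in PHP that is not MantisBT's or ADOdb's own code: it whitelists db_type with the same [a-zA-Z0-9_] class named in the note, additionally confirms that the resolved driver path stays inside the ADOdb drivers directory, and serves the response as text/plain. The directory constant, the function name and the driver file layout are assumptions.

```php
<?php
// Added example (not MantisBT code). Hypothetical hardening of a script that
// maps a user-supplied "db_type" onto an ADOdb driver file, the pattern
// behind this issue. The directory layout below is an assumption.

declare(strict_types=1);

const ADODB_DRIVER_DIR = __DIR__ . '/library/adodb/drivers'; // assumed path

/**
 * Return the canonical driver path for $db_type, or null when rejected.
 * 1. Whitelist [a-zA-Z0-9_] so "../", NUL bytes and quotes never reach the
 *    include path (the character class used by the fix in note 0027599).
 * 2. Resolve the final path and require it to stay inside the driver
 *    directory, so a later change in how the name is composed cannot
 *    silently reopen traversal.
 */
function adodb_driver_path(string $db_type): ?string
{
    if (!preg_match('/\A[a-zA-Z0-9_]+\z/', $db_type)) {
        return null;
    }
    $candidate = ADODB_DRIVER_DIR . '/adodb-' . $db_type . '.inc.php';
    $real = realpath($candidate);          // false if the file does not exist
    $base = realpath(ADODB_DRIVER_DIR);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Answer as plain text so MIME-sniffing browsers do not render markup, and
// without the trailing ';' that the 2010-12-25 follow-up commit removed.
header('Content-Type: text/plain');

$db_type = $_GET['db_type'] ?? '';
$driver  = adodb_driver_path($db_type);
if ($driver === null) {
    http_response_code(400);
    // Never echo the rejected value back; a fixed message avoids reflecting
    // user input and so cannot leak paths or script content.
    echo "Invalid db_type\n";
    exit;
}
require_once $driver;
```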
(0027602) dhx (developer), 2010-12-14 20:34

Please note that all 3 vulnerabilities can be reproduced on most platforms. I think the LFI depends on the web server being used as it is reproducible on Apache but I haven't had success with nginx. The XSS will generally work in every browser however Firefox 4.0b8pre has stricter MIME type handling and doesn't seem to be affected. The PD is reproducible everywhere.

1.2.4 is ready to be packaged and released.

Advisories have been written by Gjoko Krstic and are also ready for release.

I am on standby to report these bugs to Debian, Redhat, Gentoo, Ubuntu, Fedora, etc. Only Gentoo uses MantisBT 1.2.x so I'll make sure I send the 1.1.x patch to the other distros.
(0027603) dhx (developer), 2010-12-14 21:49

1.2.4 tarballs have been released (thanks John for the quick turnaround). Advisories are on the way out. This issue is now publicly viewable.
(0027604) dhx (developer), 2010-12-14 22:52

http://bugs.gentoo.org/show_bug.cgi?id=348761

https://bugzilla.redhat.com/show_bug.cgi?id=663230

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607159

https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482
(0027607) giallu (developer), 2010-12-15 05:44

Replying to first comment: yes, I think we can remove this script from the repository
(0027626) dhx (developer), 2010-12-16 20:00

CVE-2010-4348: Cross site scripting
CVE-2010-4349: Path disclosure
CVE-2010-4350: Local file inclusion

Related Changesets

MantisBT: master-1.2.x c6295994
Timestamp: 2010-12-14 08:00:48
Author: vboctor
Fix 0012607: LFI/FD and XSS in the upgrade_unattended.php
mod - admin/upgrade_unattended.php

MantisBT: master 2af6e8dd
Timestamp: 2010-12-14 08:00:48
Author: vboctor
Fix 0012607: LFI/FD and XSS in the upgrade_unattended.php
mod - admin/upgrade_unattended.php

MantisBT: master-1.2.x 1efe5be6
Timestamp: 2010-12-14 08:24:58
Author: vboctor
Fix 0012607: LFI/FD and XSS in the upgrade_unattended.php - part 2
mod - admin/upgrade_unattended.php

MantisBT: master 184a0f4a
Timestamp: 2010-12-14 08:24:58
Author: vboctor
Fix 0012607: LFI/FD and XSS in the upgrade_unattended.php - part 2
mod - admin/upgrade_unattended.php

MantisBT: master 974e6da4
Timestamp: 2010-12-14 23:40:32
Author: dhx
Fix 0012607: LFI/PD/XSS in upgrade_unattended.php

Gjoko Krstic of Zero Science Lab has kindly reported in detail a number
of vulnerabilities in the admin/upgrade_unattended.php script.

Earlier patches by Victor Boctor (MantisBT developer) resolved the
issue. This patch enhances those changes to strengthen the security of
this script even further.

Please note that the "admin" directory SHOULD BE DELETED AFTER
INSTALLATION on all live instances of MantisBT.
mod - admin/upgrade_unattended.php

MantisBT: master-1.2.x d67c4deb
Timestamp: 2010-12-14 23:40:32
Author: dhx
Fix 0012607: LFI/PD/XSS in upgrade_unattended.php

Gjoko Krstic of Zero Science Lab has kindly reported in detail a number
of vulnerabilities in the admin/upgrade_unattended.php script.

Earlier patches by Victor Boctor (MantisBT developer) resolved the
issue. This patch enhances those changes to strengthen the security of
this script even further.

Please note that the "admin" directory SHOULD BE DELETED AFTER
INSTALLATION on all live instances of MantisBT.
mod - admin/upgrade_unattended.php

MantisBT: master-1.1.x 2641fdc6
Timestamp: 2010-12-14 23:40:32
Author: dhx
Fix 0012607: LFI/PD/XSS in upgrade_unattended.php

This is a backport of the fix applied to the 1.2.x and 1.3.x branches.

Gjoko Krstic of Zero Science Lab has kindly reported in detail a number
of vulnerabilities in the admin/upgrade_unattended.php script.

Earlier patches by Victor Boctor (MantisBT developer) resolved the
issue. This patch enhances those changes to strengthen the security of
this script even further.

Please note that the "admin" directory SHOULD BE DELETED AFTER
INSTALLATION on all live instances of MantisBT.
mod - admin/upgrade_unattended.php

MantisBT: master 065c99c3
Timestamp: 2010-12-14 23:56:46
Author: dhx
Fix 0012607: Update installation instructions regarding admin directory

The /admin/ directory should be removed after installation or upgrading
of MantisBT. The installation instructions did not state this
requirement and therefore it was quite easy for users to leave this
potentially dangerous directory in place on live installations of
MantisBT connected to the Internet.
mod - doc/INSTALL

MantisBT: master-1.2.x 54aace93
Timestamp: 2010-12-14 23:56:46
Author: dhx
Fix 0012607: Update installation instructions regarding admin directory

The /admin/ directory should be removed after installation or upgrading
of MantisBT. The installation instructions did not state this
requirement and therefore it was quite easy for users to leave this
potentially dangerous directory in place on live installations of
MantisBT connected to the Internet.
mod - doc/INSTALL

MantisBT: master 970630aa
Timestamp: 2010-12-15 00:16:40
Author: dhx
Fix 0012607: Improve admin directory check on login_page

The warning on login_page.php for the /admin/ directory would sometimes
not appear even if files within the /admin/ directory were accessible.

This check has been improved to be more pedantic and better suited to
cross-platform environments.
mod - login_page.php

MantisBT: master-1.2.x 77de6770
Timestamp: 2010-12-15 00:16:40
Author: dhx
Fix 0012607: Improve admin directory check on login_page

The warning on login_page.php for the /admin/ directory would sometimes
not appear even if files within the /admin/ directory were accessible.

This check has been improved to be more pedantic and better suited to
cross-platform environments.
mod - login_page.php

MantisBT: master 987ec693
Timestamp: 2010-12-25 09:00:34
Author: dhx
Fix 0012607: Remove unnecessary semicolon from Content-Type header
mod - admin/upgrade_unattended.php

MantisBT: master-1.2.x e534936e
Timestamp: 2010-12-25 09:00:34
Author: dhx
Fix 0012607: Remove unnecessary semicolon from Content-Type header
mod - admin/upgrade_unattended.php

Issue History

Date Modified | Username | Field | Change
2010-12-14 02:43 vboctor New Issue
2010-12-14 03:00 vboctor Changeset attached => MantisBT master-1.2.x c6295994
2010-12-14 03:00 vboctor Assigned To => vboctor
2010-12-14 03:00 vboctor Resolution open => fixed
2010-12-14 03:00 vboctor Fixed in Version => 1.2.4
2010-12-14 03:01 vboctor Changeset attached => MantisBT master 2af6e8dd
2010-12-14 03:25 vboctor Changeset attached => MantisBT master-1.2.x 1efe5be6
2010-12-14 03:25 vboctor Changeset attached => MantisBT master 184a0f4a
2010-12-14 03:52 dhx Note Added: 0027590
2010-12-14 04:24 dhx Note Added: 0027591
2010-12-14 04:24 dhx Status new => feedback
2010-12-14 04:46 dhx Note Added: 0027592
2010-12-14 18:51 dhx Changeset attached => MantisBT master 974e6da4
2010-12-14 18:51 dhx Changeset attached => MantisBT master-1.2.x d67c4deb
2010-12-14 18:58 dhx Changeset attached => MantisBT master-1.1.x 2641fdc6
2010-12-14 19:07 dhx Changeset attached => MantisBT master 065c99c3
2010-12-14 19:07 dhx Changeset attached => MantisBT master-1.2.x 54aace93
2010-12-14 19:26 dhx Changeset attached => MantisBT master 970630aa
2010-12-14 19:26 dhx Changeset attached => MantisBT master-1.2.x 77de6770
2010-12-14 19:46 dhx Note Added: 0027599
2010-12-14 19:46 dhx Priority normal => immediate
2010-12-14 19:46 dhx Severity minor => block
2010-12-14 19:46 dhx Product Version => 1.2.4
2010-12-14 19:47 dhx Status feedback => resolved
2010-12-14 20:34 dhx Note Added: 0027602
2010-12-14 21:48 dhx View Status private => public
2010-12-14 21:49 dhx Note Added: 0027603
2010-12-14 22:52 dhx Note Added: 0027604
2010-12-15 05:44 giallu Note Added: 0027607
2010-12-16 20:00 dhx Note Added: 0027626
2010-12-17 04:39 vboctor Status resolved => closed
2010-12-25 04:11 dhx Changeset attached => MantisBT master 987ec693
2010-12-25 04:11 dhx Changeset attached => MantisBT master-1.2.x e534936e


MantisBT 1.2.17
Copyright © 2000 - 2014 MantisBT Team