View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0012607 | mantisbt | security | public | 2010-12-14 02:43 | 2010-12-17 04:39 |

| Field | Value |
|---|---|
| Reporter | vboctor |
| Assigned To | vboctor |
| Priority | immediate |
| Severity | block |
| Reproducibility | have not tried |
| Status | closed |
| Resolution | fixed |
| Platform | |
| OS | |
| OS Version | |
| Product Version | 1.2.4 |
| Target Version | 1.2.4 |
| Fixed in Version | 1.2.4 |
| Tags | No tags attached. |
| Attached Files | |

Summary: 0012607: LFI/FD and XSS in the 'upgrade_unattended.php'

Description:

Thanks for responding so quickly. It's about LFI/FD and XSS in the 'upgrade_unattended.php' script through the "db_type" parameter.

XSS: http://[MANTIS_ROOT_HOST]/admin/upgrade_unattended.php?db_type=%3Cscript%3Ealert%281%29%3C/script%3E

LFI: http://[MANTIS_ROOT_HOST]/admin/upgrade_unattended.php?db_type=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00

PATH DISCLOSURE: http://[MANTIS_ROOT_HOST]/admin/upgrade_unattended.php?db_type=%27

The date is added as a vendor contact date. I'm expecting you to verify the issues and acknowledge/credit Zero Science Lab for these findings. After confirmation, a scheduled patch release date is expected.

Thank you and best regards,
Gjoko Krstic
Information Security Engineer
Zero Science Lab
Macedonian Information Security Research & Development Laboratory
http://www.zeroscience.mk
Notes

dhx (developer) 2010-12-14 03:52

What is the purpose of this script? Gianluca mentioned to me on IRC that it may have originally been targeted towards upgrades from PHP CLI (for distribution package management scripts). This seems highly unlikely to work given that this script calls gpc_ functions that will not work in CLI mode ($_POST and $_GET are undefined). However, I think his guess may have been close because this script returns plaintext output as opposed to HTML. If there is no longer a legitimate use for this script, can we remove it entirely?
|
dhx (developer) 2010-12-14 04:24

I am unable to reproduce the XSS and LFI bugs using the prepatched version of 1.2.3 (and by extension, 1.3.x). Looking at the source code, the most likely issue is with ADOdb itself. The version of ADOdb shipped with MantisBT 1.2.3 and 1.3.x will take the user supplied "db_type" parameter and place it directly in the following string:

    /library/adodb/drivers/adodb-${db_type}.inc.php

Directory traversal shouldn't be possible because the directory starting "adodb-" won't match a directory (only a file, at best). XSS shouldn't be an issue for most browsers as the page is returned as plaintext (not HTML). I imagine this is still an issue in Internet Explorer where MIME type sniffing is performed by default (and could treat the page as HTML instead of plaintext). I have confirmed the path disclosure issue (fixed in Victor's patches).
|
dhx (developer) 2010-12-14 04:46

Sorry, the XSS issue is confirmed in Chromium 9.0.597.16 but not Firefox 4.0b8pre (2010-12-13). I suspect Internet Explorer (all versions) is also affected because of the MIME type sniffing that goes on.
|
dhx (developer) 2010-12-14 19:46

I've put some more patches in place in relation to documentation of the /admin/ directory and the warning we throw on login_page.php if that directory still exists. I also updated Victor's patch to be a little bit more pedantic. For instance, returning the text/plain MIME type instead of text/html, and whitelisting certain characters [a-zA-Z0-9_] for db_type as opposed to using string_attribute (which is a bit looser). I think this is well and truly fixed now :)
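One way to apply the two hardening steps dhx describes (a character whitelist for db_type and a text/plain response) in a script of this kind, as an added example that is not MantisBT's own patch. The driver file layout is the one dhx quotes above; the function names, the realpath containment check and the X-Content-Type-Options header are this example's own assumptions, added because the notes show that text/plain alone is not enough for browsers that sniff content.

```php
<?php
// Added example (not MantisBT's own code): take a database driver name from the
// request and map it to an ADOdb driver file without letting the raw value reach
// include() or the response body. Assumes drivers live under
// library/adodb/drivers/ as adodb-<name>.inc.php. Function names are hypothetical.

// Whitelist exactly the characters dhx's patch allows for db_type. Anything
// else (slashes, dots, quotes, angle brackets, NUL) is rejected outright.
function db_type_is_valid( $p_db_type ) {
	return is_string( $p_db_type ) && preg_match( '/^[a-zA-Z0-9_]+$/', $p_db_type ) === 1;
}

// Resolve the whitelisted name to a real file inside the drivers directory.
// The character whitelist already rules out traversal; the realpath check is
// defence in depth so that only an existing regular file under the base
// directory is ever returned.
function driver_path_for( $p_db_type, $p_drivers_dir ) {
	if( !db_type_is_valid( $p_db_type ) ) {
		return null;
	}
	$t_base = realpath( $p_drivers_dir );
	$t_path = realpath( $p_drivers_dir . DIRECTORY_SEPARATOR . 'adodb-' . $p_db_type . '.inc.php' );
	if( $t_base === false || $t_path === false ) {
		return null;
	}
	// realpath() resolves '..' and symlinks; the result must stay under the base.
	$t_prefix = $t_base . DIRECTORY_SEPARATOR;
	if( strncmp( $t_path, $t_prefix, strlen( $t_prefix ) ) !== 0 || !is_file( $t_path ) ) {
		return null;
	}
	return $t_path;
}

// Declare the body as plain text, and tell browsers that sniff content types
// (Chromium and Internet Explorer in dhx's notes) not to second-guess that.
// The nosniff header is this example's addition, not something the page says
// MantisBT sent.
function send_plain_text_headers() {
	header( 'Content-Type: text/plain; charset=utf-8' );
	header( 'X-Content-Type-Options: nosniff' );
}

send_plain_text_headers();

$t_db_type = isset( $_GET['db_type'] ) ? $_GET['db_type'] : '';
if( !db_type_is_valid( $t_db_type ) ) {
	// Generic message: never echo the submitted value or a filesystem path back.
	echo "Invalid database type\n";
	exit( 1 );
}

$t_driver = driver_path_for( $t_db_type, __DIR__ . '/../library/adodb/drivers' );
if( $t_driver === null ) {
	echo "Unknown database type\n";
	exit( 1 );
}

echo 'Using driver: ' . basename( $t_driver ) . "\n";
```

The error messages are deliberately generic and never repeat the input: with the whitelist in place a quote character is rejected before it can reach ADOdb and trigger a PHP error carrying the script's absolute path, which is the path disclosure the report describes. None of this replaces the advice in the changesets below: the /admin/ directory should not be reachable on a live installation at all.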
|
dhx (developer) 2010-12-14 20:34

Please note that all 3 vulnerabilities can be reproduced on most platforms. I think the LFI depends on the web server being used as it is reproducible on Apache but I haven't had success with nginx. The XSS will generally work in every browser; however, Firefox 4.0b8pre has stricter MIME type handling and doesn't seem to be affected. The PD is reproducible everywhere. 1.2.4 is ready to be packaged and released. Advisories have been written by Gjoko Krstic and are also ready for release. I am on standby to report these bugs to Debian, Redhat, Gentoo, Ubuntu, Fedora, etc. Only Gentoo uses MantisBT 1.2.x so I'll make sure I send the 1.1.x patch to the other distros.
|
dhx (developer) 2010-12-14 21:49

1.2.4 tarballs have been released (thanks John for the quick turnaround). Advisories are on the way out. This issue is now publicly viewable.
|
dhx (developer) 2010-12-14 22:52

http://bugs.gentoo.org/show_bug.cgi?id=348761
https://bugzilla.redhat.com/show_bug.cgi?id=663230
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607159
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482
|
giallu (developer) 2010-12-15 05:44

Replying to first comment: yes, I think we can remove this script from the repository.
|
dhx (developer) 2010-12-16 20:00

CVE-2010-4348: Cross site scripting
CVE-2010-4349: Path disclosure
CVE-2010-4350: Local file inclusion
Related Changesets

MantisBT: master-1.2.x c6295994
Timestamp: 2010-12-14 08:00:48 Author: vboctor
Fix 0012607: LFI/FD and XSS in the upgrade_unattended.php
mod - admin/upgrade_unattended.php

MantisBT: master 2af6e8dd
Timestamp: 2010-12-14 08:00:48 Author: vboctor
Fix 0012607: LFI/FD and XSS in the upgrade_unattended.php
mod - admin/upgrade_unattended.php

MantisBT: master-1.2.x 1efe5be6
Timestamp: 2010-12-14 08:24:58 Author: vboctor
Fix 0012607: LFI/FD and XSS in the upgrade_unattended.php - part 2
mod - admin/upgrade_unattended.php

MantisBT: master 184a0f4a
Timestamp: 2010-12-14 08:24:58 Author: vboctor
Fix 0012607: LFI/FD and XSS in the upgrade_unattended.php - part 2
mod - admin/upgrade_unattended.php

MantisBT: master 974e6da4
Timestamp: 2010-12-14 23:40:32 Author: dhx
Fix 0012607: LFI/PD/XSS in upgrade_unattended.php

Gjoko Krstic of Zero Science Lab has kindly reported in detail a number of vulnerabilities in the admin/upgrade_unattended.php script. Earlier patches by Victor Boctor (MantisBT developer) resolved the issue. This patch enhances those changes to strengthen the security of this script even further. Please note that the "admin" directory SHOULD BE DELETED AFTER INSTALLATION on all live instances of MantisBT.

mod - admin/upgrade_unattended.php

MantisBT: master-1.2.x d67c4deb
Timestamp: 2010-12-14 23:40:32 Author: dhx
Fix 0012607: LFI/PD/XSS in upgrade_unattended.php

Gjoko Krstic of Zero Science Lab has kindly reported in detail a number of vulnerabilities in the admin/upgrade_unattended.php script. Earlier patches by Victor Boctor (MantisBT developer) resolved the issue. This patch enhances those changes to strengthen the security of this script even further. Please note that the "admin" directory SHOULD BE DELETED AFTER INSTALLATION on all live instances of MantisBT.

mod - admin/upgrade_unattended.php

MantisBT: master-1.1.x 2641fdc6
Timestamp: 2010-12-14 23:40:32 Author: dhx
Fix 0012607: LFI/PD/XSS in upgrade_unattended.php

This is a backport of the fix applied to the 1.2.x and 1.3.x branches. Gjoko Krstic of Zero Science Lab has kindly reported in detail a number of vulnerabilities in the admin/upgrade_unattended.php script. Earlier patches by Victor Boctor (MantisBT developer) resolved the issue. This patch enhances those changes to strengthen the security of this script even further. Please note that the "admin" directory SHOULD BE DELETED AFTER INSTALLATION on all live instances of MantisBT.

mod - admin/upgrade_unattended.php

MantisBT: master 065c99c3
Timestamp: 2010-12-14 23:56:46 Author: dhx
Fix 0012607: Update installation instructions regarding admin directory

The /admin/ directory should be removed after installation or upgrading of MantisBT. The installation instructions did not state this requirement and therefore it was quite easy for users to leave this potentially dangerous directory in place on live installations of MantisBT connected to the Internet.

mod - doc/INSTALL

MantisBT: master-1.2.x 54aace93
Timestamp: 2010-12-14 23:56:46 Author: dhx
Fix 0012607: Update installation instructions regarding admin directory

The /admin/ directory should be removed after installation or upgrading of MantisBT. The installation instructions did not state this requirement and therefore it was quite easy for users to leave this potentially dangerous directory in place on live installations of MantisBT connected to the Internet.

mod - doc/INSTALL

MantisBT: master 970630aa
Timestamp: 2010-12-15 00:16:40 Author: dhx
Fix 0012607: Improve admin directory check on login_page

The warning on login_page.php for the /admin/ directory would sometimes not appear even if files within the /admin/ directory were accessible. This check has been improved to be more pedantic and better suited to cross-platform environments.

mod - login_page.php

MantisBT: master-1.2.x 77de6770
Timestamp: 2010-12-15 00:16:40 Author: dhx
Fix 0012607: Improve admin directory check on login_page

The warning on login_page.php for the /admin/ directory would sometimes not appear even if files within the /admin/ directory were accessible. This check has been improved to be more pedantic and better suited to cross-platform environments.

mod - login_page.php

MantisBT: master 987ec693
Timestamp: 2010-12-25 09:00:34 Author: dhx
Fix 0012607: Remove unnecessary semi colon from Content-Type header
mod - admin/upgrade_unattended.php

MantisBT: master-1.2.x e534936e
Timestamp: 2010-12-25 09:00:34 Author: dhx
Fix 0012607: Remove unnecessary semi colon from Content-Type header
mod - admin/upgrade_unattended.php

Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2010-12-14 02:43 | vboctor | New Issue | |
| 2010-12-14 03:00 | vboctor | Changeset attached | => MantisBT master-1.2.x c6295994 |
| 2010-12-14 03:00 | vboctor | Assigned To | => vboctor |
| 2010-12-14 03:00 | vboctor | Resolution | open => fixed |
| 2010-12-14 03:00 | vboctor | Fixed in Version | => 1.2.4 |
| 2010-12-14 03:01 | vboctor | Changeset attached | => MantisBT master 2af6e8dd |
| 2010-12-14 03:25 | vboctor | Changeset attached | => MantisBT master-1.2.x 1efe5be6 |
| 2010-12-14 03:25 | vboctor | Changeset attached | => MantisBT master 184a0f4a |
| 2010-12-14 03:52 | dhx | Note Added: 0027590 | |
| 2010-12-14 04:24 | dhx | Note Added: 0027591 | |
| 2010-12-14 04:24 | dhx | Status | new => feedback |
| 2010-12-14 04:46 | dhx | Note Added: 0027592 | |
| 2010-12-14 18:51 | dhx | Changeset attached | => MantisBT master 974e6da4 |
| 2010-12-14 18:51 | dhx | Changeset attached | => MantisBT master-1.2.x d67c4deb |
| 2010-12-14 18:58 | dhx | Changeset attached | => MantisBT master-1.1.x 2641fdc6 |
| 2010-12-14 19:07 | dhx | Changeset attached | => MantisBT master 065c99c3 |
| 2010-12-14 19:07 | dhx | Changeset attached | => MantisBT master-1.2.x 54aace93 |
| 2010-12-14 19:26 | dhx | Changeset attached | => MantisBT master 970630aa |
| 2010-12-14 19:26 | dhx | Changeset attached | => MantisBT master-1.2.x 77de6770 |
| 2010-12-14 19:46 | dhx | Note Added: 0027599 | |
| 2010-12-14 19:46 | dhx | Priority | normal => immediate |
| 2010-12-14 19:46 | dhx | Severity | minor => block |
| 2010-12-14 19:46 | dhx | Product Version | => 1.2.4 |
| 2010-12-14 19:47 | dhx | Status | feedback => resolved |
| 2010-12-14 20:34 | dhx | Note Added: 0027602 | |
| 2010-12-14 21:48 | dhx | View Status | private => public |
| 2010-12-14 21:49 | dhx | Note Added: 0027603 | |
| 2010-12-14 22:52 | dhx | Note Added: 0027604 | |
| 2010-12-15 05:44 | giallu | Note Added: 0027607 | |
| 2010-12-16 20:00 | dhx | Note Added: 0027626 | |
| 2010-12-17 04:39 | vboctor | Status | resolved => closed |
| 2010-12-25 04:11 | dhx | Changeset attached | => MantisBT master 987ec693 |
| 2010-12-25 04:11 | dhx | Changeset attached | => MantisBT master-1.2.x e534936e |
MantisBT 1.2.16dev master-1.2.x-05091f5
Copyright © 2000 - 2013 MantisBT Team