MantisBT

ID: 0013245
Project: mantisbt
Category: security
View Status: public
Date Submitted: 2011-08-18 08:33
Last Update: 2013-04-06 09:23
Reporter: atrol
Assigned To: dhx
Priority: immediate
Severity: block
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.2.6
Target Version: 1.2.7
Fixed in Version: 1.2.7
Summary: 0013245: Cross site scripting and remote SQL injection vulnerabilities
Description:
[ Vulnerable File ]

    http://127.0.0.1/path/search.php?project_id=[XSS]

    http://127.0.0.1/path/core.php?mbadmin=[SQL]

[ XpL ]

    http://127.0.0.1/path/search.php?project_id="><script>alert(0)</script>

    http://127.0.0.1/path/core.php?mbadmin=2+Order+By+10--

See http://packetstormsecurity.org/files/104149
Tags: 2.0.x check

- Relationships
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

- Notes
(0029512)
dhx (developer)
2011-08-18 11:02

All fixed!
(0029513)
dhx (developer)
2011-08-18 12:33

Bug reports cross-posted elsewhere:

Gentoo: https://bugs.gentoo.org/show_bug.cgi?id=379739
Fedora/Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=731777
Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=638321
Ubuntu: https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/828857


A notice/CVE request has also been sent to the oss-security mailing list.
(0036422)
grangeway (developer)
2013-04-05 17:57

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.

- Related Changesets
MantisBT: master 7c8a564c
Timestamp: 2011-08-18 07:43:04
Author: dhx
Fix 0013245: XSS issues with search.php parameters

Net.Edit0r (Net.Edit0r@Att.net) from BlACK Hat Group
[http://black-hg.org] posted a vulnerability report for an XSS issue in
search.php for MantisBT 1.2.6.

The full report is available at
http://packetstormsecurity.org/files/104149

filter_api.php is the culprit for this vulnerability as it passes user
supplied search parameters back into output without first escaping the
values.

It should be noted that numerous other XSS vulnerabilities (all related)
have been fixed with this patch. In other words, it is not just the
project_id parameter to search.php that was affected - it was numerous
other parameters/fields as well.

The second SQL injection vulnerability identified by Net.Edit0r is
invalid because the only time we ever make reference to "mbadmin" in the
source code is:

core.php:
if ( file_exists( 'mantis_offline.php' ) && !isset( $_GET['mbadmin'] ) )

This usage is safe because nothing is ever done with $_GET['mbadmin'].
It may be the case that the user's customised version of
mantis_offline.php was incorrectly dumping the value of $_GET['mbadmin']
to the screen. The default/sample mantis_offline.php has been checked
and does not print any dynamically created strings/user supplied values.

Conflicts:
    core/filter_api.php
mod - core/filter_api.php
MantisBT: master-1.2.x 317f3db3
Timestamp: 2011-08-18 07:43:04
Author: dhx
Fix 0013245: XSS issues with search.php parameters

Net.Edit0r (Net.Edit0r@Att.net) from BlACK Hat Group
[http://black-hg.org] posted a vulnerability report for an XSS issue in
search.php for MantisBT 1.2.6.

The full report is available at
http://packetstormsecurity.org/files/104149

filter_api.php is the culprit for this vulnerability as it passes user
supplied search parameters back into output without first escaping the
values.

It should be noted that numerous other XSS vulnerabilities (all related)
have been fixed with this patch. In other words, it is not just the
project_id parameter to search.php that was affected - it was numerous
other parameters/fields as well.

The second SQL injection vulnerability identified by Net.Edit0r is
invalid because the only time we ever make reference to "mbadmin" in the
source code is:

core.php:
if ( file_exists( 'mantis_offline.php' ) && !isset( $_GET['mbadmin'] ) )

This usage is safe because nothing is ever done with $_GET['mbadmin'].
It may be the case that the user's customised version of
mantis_offline.php was incorrectly dumping the value of $_GET['mbadmin']
to the screen. The default/sample mantis_offline.php has been checked
and does not print any dynamically created strings/user supplied values.
mod - core/filter_api.php
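The unescaped reflection the commit message describes, beside its escaped form and a type check for numeric parameters, as an added example written for this page (not MantisBT's filter_api.php code; the helper names and the hidden-field markup are assumptions):

```php
<?php
// Added example, not MantisBT's own code: a hypothetical helper that renders a
// search parameter back into the page as a hidden form field, the pattern the
// commit message attributes to filter_api.php, in unescaped and escaped form.

// Encode a string for use inside a double- or single-quoted HTML attribute.
function html_attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable form: the raw query-string value is concatenated straight into
// markup, so a value containing "> closes the attribute and the tag and
// whatever follows is parsed as new markup.
function hidden_field_unescaped(string $name, string $value): string
{
    return '<input type="hidden" name="' . $name . '" value="' . $value . '" />';
}

// Hardened form: both the field name and its value are attribute-encoded, so
// the browser sees a literal string and never leaves the attribute.
function hidden_field_escaped(string $name, string $value): string
{
    return '<input type="hidden" name="' . html_attr($name)
        . '" value="' . html_attr($value) . '" />';
}

// Second layer for numeric parameters such as project_id: reject anything that
// is not a non-negative integer before it is used in a query or echoed at all.
function project_id_or_null(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $id === false ? null : $id;
}

// Constructed input: the payload quoted in the report, as it would arrive in
// $_GET['project_id'].
$raw = '"><script>alert(0)</script>';

echo "unescaped: " . hidden_field_unescaped('project_id', $raw) . PHP_EOL;
echo "escaped:   " . hidden_field_escaped('project_id', $raw) . PHP_EOL;

$id = project_id_or_null($raw);
echo "validated: " . ($id === null ? 'rejected, never reflected' : (string) $id) . PHP_EOL;
```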

- Issue History
Date Modified Username Field Change
2011-08-18 08:33 atrol New Issue
2011-08-18 10:30 dhx Assigned To => dhx
2011-08-18 10:30 dhx Status new => assigned
2011-08-18 10:30 dhx Priority normal => immediate
2011-08-18 10:30 dhx Severity minor => block
2011-08-18 10:30 dhx Target Version => 1.2.7
2011-08-18 11:02 dhx Note Added: 0029512
2011-08-18 11:02 dhx Status assigned => resolved
2011-08-18 11:02 dhx Fixed in Version => 1.2.7
2011-08-18 11:02 dhx Resolution open => fixed
2011-08-18 11:02 dhx Changeset attached => MantisBT master 7c8a564c
2011-08-18 11:02 dhx View Status private => public
2011-08-18 11:15 dhx Changeset attached => MantisBT master-1.2.x 317f3db3
2011-08-18 12:33 dhx Note Added: 0029513
2011-08-22 10:49 jreese Status resolved => closed
2013-04-05 17:57 grangeway Status closed => acknowledged
2013-04-05 17:57 grangeway Note Added: 0036422
2013-04-05 18:11 grangeway Relationship added related to 0015721
2013-04-06 03:43 dregad Status acknowledged => closed
2013-04-06 07:22 grangeway Status closed => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed


Copyright © 2000 - 2014 MantisBT Team