MantisBT

View Issue Details
ID: 0013281
Project: mantisbt
Category: security
View Status: public
Date Submitted: 2011-08-31 15:57
Last Update: 2013-04-06 09:23
Reporter: htbridge
Assigned To: dhx
Priority: immediate
Severity: block
Reproducibility: always
Status: closed
Resolution: fixed
Platform / OS / OS Version: (not specified)
Product Version: 1.2.7
Target Version: 1.2.8
Fixed in Version: 1.2.8
Summary: 0013281: MantisBT Security Vulnerabilities Notification

Description:

Hello,

High-Tech Bridge Security Research Lab has discovered multiple security vulnerabilities in MantisBT.

Developers can contact us by email advisory (at) htbridge.ch for details.

Preview: https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html

For any questions related to this notification email - please visit our General Information & Disclosure Policy page: http://www.htbridge.ch/advisory/disclosure_policy.html

Tags: 2.0.x check
Attached Files: (none)
Relationships

related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x
parent of 0013282 (closed, dhx): bug_actiongroup_ext_page.php does not properly sanitise action parameter before including local files
parent of 0013283 (closed, dhx): bug_actiongroup_ext_page.php remote file inclusion: action parameter
related to 0013191 (closed, grangeway): XSS vulnerability due to usage of PHP_SELF

Notes

Note 0029607: rombert (developer), 2011-08-31 16:02

Thanks for your report. This issue is now private and therefore accessible only to developers and yourself.

Can you please add the details of the vulnerabilities to this bug report?
Note 0029608: htbridge (reporter), 2011-08-31 16:28

Our notification text for email:

High-Tech Bridge Security Research Lab has discovered multiple security vulnerabilities in your product - MantisBT.

A detailed description and all available details of the vulnerabilities are provided below in the email.

Please notify us by replying to this email when you release a security update.

If you need more time to fix the vulnerabilities - please specify desired Public Disclosure date by replying to this email.

For any questions related to this notification email - please visit our General Information & Disclosure Policy page: https://www.htbridge.ch/advisory/disclosure_policy.html

If you don't find an answer to your question there - please feel free to contact us by email: advisory@htbridge.ch

===============================================================

Vulnerability ID: HTB23045
Reference: https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html
Product: MantisBT
Vendor: www.mantisbt.org ( http://www.mantisbt.org/ )
Vulnerable Version: 1.2.7 and probably prior
Tested Version: 1.2.7
Public Disclosure: 21 September 2011
Vulnerability Type: Local File Inclusion, XSS
Risk level: High
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )

Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in MantisBT, which can be exploited to perform cross-site scripting and local file inclusion attacks.

1) Input passed via the "action" GET parameter to bug_actiongroup_ext_page.php & bug_actiongroup_page.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.

The following PoC code is available:

http://[host]/bug_actiongroup_ext_page.php?bug_arr[]=1&action=EXT_%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/bug_actiongroup_page.php?bug_arr[]=[ISSUE_ID]&action=EXT_%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

2) Input passed via the "action" GET parameter to bug_actiongroup_ext_page.php & bug_actiongroup_page.php is not properly verified before being used to include files.
This can be exploited to include arbitrary files from local resources via directory traversal sequences and URL-encoded NULL bytes.

http://[host]/bug_actiongroup_ext_page.php?bug_arr[]=1&action=EXT_/../../../../../../../etc/passwd%00
http://[host]/bug_actiongroup_page.php?bug_arr[]=[ISSUE_ID]&action=EXT_/../../../../../../../etc/passwd%00

3) Input appended to the URL after manage_config_email_page.php & manage_config_workflow_page.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.

http://[host]/manage_config_email_page.php/%22%3E%3Cimg%20src=1%20onerror=%22javascript:alert%28document.cookie%29;%22%3E/
http://[host]/manage_config_workflow_page.php/%22%3E%3Cimg%20src=1%20onerror=%22javascript:alert%28document.cookie%29;%22%3E/

4) Input passed via the "platform", "os" and "os_build" GET parameters to bug_report_page.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.

http://[host]/bug_report_page.php?platform=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
===============================================================

Best regards,

High-Tech Bridge SA Security Research Lab
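As an added, defender-side illustration of the fix direction for item (2) above (hypothetical helper code written for this page, not MantisBT's own implementation and not part of the advisory): the `action` value is accepted only when it matches a strict `EXT_` + `[a-z0-9_]` pattern and an allow-list of known include files, and the resolved path is then confirmed to lie inside the application directory before `require_once` sees it. The function name, the action-to-file table and the 400 response are assumptions for this example.

```php
<?php
// Added example (hypothetical helper, not MantisBT's own code): resolve the
// bug_actiongroup "action" parameter to an include file through an allow-list
// plus a canonical-path check, so traversal and NUL bytes never reach require_once.

// Map a raw "action" value such as "EXT_add_note" to an absolute include path
// under $p_base_dir, or return null when the value must be rejected. The
// action -> file table is assumed for illustration; the file names mirror the
// *_inc.php scripts touched by the fix commits on this issue.
function resolve_ext_action_file( $p_raw_action, $p_base_dir ) {
    static $s_allowed = array(
        'add_note'             => 'bug_actiongroup_add_note_inc.php',
        'attach_tags'          => 'bug_actiongroup_attach_tags_inc.php',
        'update_product_build' => 'bug_actiongroup_update_product_build_inc.php',
        'update_severity'      => 'bug_actiongroup_update_severity_inc.php',
    );
    // Arrays (action[]=...) and other non-strings are rejected outright.
    if( !is_string( $p_raw_action ) ) {
        return null;
    }
    // Character allow-list: only the EXT_ prefix plus [a-z0-9_] may pass, so
    // "/", "." and "%00" are refused before any path is built.
    if( !preg_match( '/^EXT_([a-z0-9_]{1,64})$/', $p_raw_action, $t_match ) ) {
        return null;
    }
    if( !isset( $s_allowed[$t_match[1]] ) ) {
        return null;
    }
    // Second line of defence: the resolved file must exist and sit inside the
    // application directory, even if the table above is ever mis-edited.
    $t_base = realpath( $p_base_dir );
    $t_file = realpath( $p_base_dir . DIRECTORY_SEPARATOR . $s_allowed[$t_match[1]] );
    if( $t_base === false || $t_file === false
        || strpos( $t_file, $t_base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    return $t_file;
}

// Usage at the top of a page script: fail closed on anything unknown instead of
// echoing the raw value back into the page; any value that is reflected must
// go through htmlspecialchars( $v, ENT_QUOTES, 'UTF-8' ) first (items 1, 3, 4).
$t_action = isset( $_GET['action'] ) ? $_GET['action'] : '';
$t_file   = resolve_ext_action_file( $t_action, dirname( __FILE__ ) );
if( $t_file === null ) {
    header( 'HTTP/1.1 400 Bad Request' );
    exit( 'Invalid action' );
}
require_once( $t_file );
```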
Note 0029610: rombert (developer), 2011-08-31 16:36

Thank you.
Note 0029634: dhx (developer), 2011-09-03 23:47

Issues (1) and (2) have been fixed by Paul's recent commits (and my backports to the 1.2.x branch).

Issue (3) was reported a while ago by Paulino Calderon <calderon@websec.mx> in issue 0013191 but has yet to be fixed. Paul has committed a patch that resolves the issue.

Issue (4) has been fixed as well (it only impacts the master-1.2.x branch).
Note 0029636: dhx (developer), 2011-09-03 23:56

All issues should now be corrected in both 1.2.x and master branches.

@High-Tech Bridge Security Research Lab: thanks for taking the time to test MantisBT and provide an informative notification to the MantisBT developers.

@grangeway/Paul: thanks for pushing your patches!

I'll arrange for a 1.2.8 release with John ASAP, request CVE numbers from oss-sec and notify distributions that they need to update their copies of MantisBT.
Note 0036405: grangeway (developer), 2013-04-05 17:57

Marking as 'acknowledged' rather than resolved/closed to track that the change gets ported to the master-2.0.x branch.

Related Changesets
MantisBT: master a908cc61
Timestamp: 2011-08-29 09:43:23
Author: Paul Richards
Rework the bug action group api such that we can easily convert this to an object in the future, and to validate calls to require once.

This leads to a security issue identified by IBM's Appscan program, whereby calls to require_once are not validated.
Depending on webserver configuration, this is a file inclusion vulnerability.

There will be a follow up commit to config api - probably:
- if( $g_project_override != null ) {
+ if( $g_project_override != null && $p_project == null ) {
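Review bot: the proposed condition keeps loose comparison against null on both sides (`$g_project_override != null`, `$p_project == null`); in PHP `0 == null`, `'' == null` and `false == null` all evaluate true, so a project id of 0 passed as `$p_project` would be treated as "no project given" and the override would still win. If that case matters, prefer strict checks: `if( $g_project_override !== null && $p_project === null ) {`.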

At the moment, the action group API calls config_get with a project parameter to use. This is ignored, due to project_override being set - so we either need to:
a) change project override within the command list function
b) modify config api to only use the project override *if* it is attempting to look up information on the default project.
mod - bug_actiongroup_add_note_inc.php
mod - bug_actiongroup_attach_tags_inc.php
mod - bug_actiongroup_ext.php
mod - bug_actiongroup_ext_page.php
mod - bug_actiongroup_page.php
mod - bug_actiongroup_update_product_build_inc.php
mod - bug_actiongroup_update_severity_inc.php
mod - core/bug_group_action_api.php
MantisBT: master-1.2.x 5b93161f
Timestamp: 2011-08-29 09:43:23
Author: Paul Richards
Committer: dhx
Rework the bug action group api such that we can easily convert this to an object in the future, and to validate calls to require once.

This leads to a security issue identified by IBM's Appscan program, whereby calls to require_once are not validated.
Depending on webserver configuration, this is a file inclusion vulnerability.

There will be a follow up commit to config api - probably:
- if( $g_project_override != null ) {
+ if( $g_project_override != null && $p_project == null ) {

At the moment, the action group API calls config_get with a project parameter to use. This is ignored, due to project_override being set - so we either need to:
a) change project override within the command list function
b) modify config api to only use the project override *if* it is attempting to look up information on the default project.

Backported from master-1.2.x branch. Note that this commit relies upon
commit 6dc35105064e5a2533fb4e1de54426ea17d2ef36 from the master branch
(that hadn't been backported to 1.2.x).

Conflicts:
  bug_actiongroup_ext.php
  bug_actiongroup_ext_page.php
  bug_actiongroup_page.php
  core/bug_group_action_api.php

Signed-off-by: David Hicks <d@hx.id.au>
mod - bug_actiongroup_ext.php
mod - bug_actiongroup_ext_page.php
mod - bug_actiongroup_page.php
mod - core/bug_group_action_api.php
MantisBT: master 57c94485
Timestamp: 2011-08-29 10:55:14
Author: Paul Richards
Fix issue introduced previously whereby PHP_SELF is now used unchecked.

Introduced previously by John attempting to fix symlinks. Since we now use PHP 5.2, we can make use of filter_var.

This is a simpler version of what we were trying to do previously aka http://git.mantisforge.org/w/mantisbt.git?a=commitdiff;h=5ac1fdf32717d0c82cca7e7660dd4fd316a6a1b8

Depending on server/mantis config this can lead to XSS issues
mod - config_defaults_inc.php
MantisBT: master-1.2.x d00745f5
Timestamp: 2011-08-29 10:55:14
Author: Paul Richards
Committer: dhx
Fix issue introduced previously whereby PHP_SELF is now used unchecked.

Introduced previously by John attempting to fix symlinks. Since we now use PHP 5.2, we can make use of filter_var.

This is a simpler version of what we were trying to do previously aka http://git.mantisforge.org/w/mantisbt.git?a=commitdiff;h=5ac1fdf32717d0c82cca7e7660dd4fd316a6a1b8

Depending on server/mantis config this can lead to XSS issues

David: Backported from master branch and removed unreachable code branch.

Signed-off-by: David Hicks <d@hx.id.au>
mod - config_defaults_inc.php
MantisBT: master-1.2.x 0a636b37
Timestamp: 2011-09-03 20:36:59
Author: dhx
Issue 0013281: Fix Projax XSS issues (unescaped value attributes)

Projax sucks. This is why it was replaced with jQuery in the master
branch. However master-1.2.x still uses the older Projax code. The
Projax library doesn't attempt to escape values before dumping them in
HTML output, thus leading to XSS issues.

The easiest workaround is to pass in already-escaped values to the
Projax functions.

This issue was reported by High-Tech Bridge SA Security Research Lab as
part of their advisory #HTB23045, available at
https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html
mod - bug_report_page.php
mod - bug_update_advanced_page.php

Issue History

Date Modified | Username | Field | Change
2011-08-31 15:57 htbridge New Issue
2011-08-31 16:01 rombert View Status public => private
2011-08-31 16:02 rombert Note Added: 0029607
2011-08-31 16:28 htbridge Note Added: 0029608
2011-08-31 16:36 rombert Note Added: 0029610
2011-08-31 16:36 rombert Priority normal => urgent
2011-08-31 16:36 rombert Status new => confirmed
2011-08-31 16:36 rombert Target Version => 1.2.8
2011-08-31 16:36 rombert Description Updated View Revisions
2011-09-01 05:46 dhx Assigned To => dhx
2011-09-01 05:46 dhx Status confirmed => assigned
2011-09-01 05:47 dhx Priority urgent => immediate
2011-09-01 05:47 dhx Severity major => block
2011-09-01 05:47 dhx Reproducibility have not tried => always
2011-09-01 05:47 dhx Description Updated View Revisions
2011-09-01 06:23 dhx Relationship added parent of 0013282
2011-09-01 06:23 dhx Relationship added parent of 0013283
2011-09-03 23:42 dhx Changeset attached => MantisBT master-1.2.x 0a636b37
2011-09-03 23:44 dhx Relationship added related to 0013191
2011-09-03 23:47 dhx Note Added: 0029634
2011-09-03 23:48 dhx Changeset attached => MantisBT master-1.2.x d00745f5
2011-09-03 23:49 dhx Changeset attached => MantisBT master 57c94485
2011-09-03 23:51 dhx Changeset attached => MantisBT master-1.2.x 5b93161f
2011-09-03 23:51 dhx Changeset attached => MantisBT master a908cc61
2011-09-03 23:56 dhx Note Added: 0029636
2011-09-03 23:56 dhx Status assigned => resolved
2011-09-03 23:56 dhx Fixed in Version => 1.2.8
2011-09-03 23:56 dhx Resolution open => fixed
2011-09-04 00:01 dhx View Status private => public
2011-09-06 10:34 jreese Status resolved => closed
2013-04-05 17:57 grangeway Status closed => acknowledged
2013-04-05 17:57 grangeway Note Added: 0036405
2013-04-05 18:12 grangeway Relationship added related to 0015721
2013-04-06 03:43 dregad Status acknowledged => closed
2013-04-06 07:23 grangeway Status closed => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed


MantisBT 1.2.17
Copyright © 2000 - 2014 MantisBT Team