View Issue Details

ID: 0013281
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-09-23 18:05
Reporter: htbridge
Assigned To: dhx
Priority: immediate
Severity: block
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.7
Target Version: 1.2.8
Fixed in Version: 1.2.8
Summary: 0013281: MantisBT Security Vulnerabilities Notification
Description

Hello,

High-Tech Bridge Security Research Lab has discovered multiple security vulnerabilities in MantisBT.

Developers can contact us by email advisory (at) htbridge.ch for details.

Preview: https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html

For any questions related to this notification email - please visit our General Information & Disclosure Policy page: http://www.htbridge.ch/advisory/disclosure_policy.html

Tags: No tags attached.

Relationships

related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x
parent of 0013282 (closed, dhx): bug_actiongroup_ext_page.php does not properly sanitise action parameter before including local files
parent of 0013283 (closed, dhx): bug_actiongroup_ext_page.php remote file inclusion: action parameter
related to 0013191 (closed, grangeway): XSS vulnerability due to usage of PHP_SELF

Activities

rombert (reporter) - 2011-08-31 16:02 - ~0029607

Thanks for your report. This issue is now private and therefore accessible only to developers and yourself.

Can you please add the details of the vulnerabilities to this bug report?

htbridge (reporter) - 2011-08-31 16:28 - ~0029608

Our notification text for email:

High-Tech Bridge Security Research Lab has discovered multiple security vulnerabilities in your product - MantisBT.

A detailed description and all available details of the vulnerabilities are provided below in the email.

Please notify us by replying to this email when you release a security update.

If you need more time to fix the vulnerabilities, please specify the desired Public Disclosure date by replying to this email.

For any questions related to this notification email - please visit our General Information & Disclosure Policy page: https://www.htbridge.ch/advisory/disclosure_policy.html

If you don't find an answer to your question there - please feel free to contact us by email: advisory@htbridge.ch

===============================================================

Vulnerability ID: HTB23045
Reference: https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html
Product: MantisBT
Vendor: www.mantisbt.org ( http://www.mantisbt.org/ )
Vulnerable Version: 1.2.7 and probably prior
Tested Version: 1.2.7
Public Disclosure: 21 September 2011
Vulnerability Type: Local File Inclusion, XSS
Risk level: High
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )

Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in MantisBT, which can be exploited to perform cross-site scripting and local file inclusion attacks.

1) Input passed via the "action" GET parameter to bug_actiongroup_ext_page.php & bug_actiongroup_page.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.

The following PoC code is available:

http://[host]/bug_actiongroup_ext_page.php?bug_arr[]=1&action=EXT_%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/bug_actiongroup_page.php?bug_arr[]=[ISSUE_ID]&action=EXT_%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

2) Input passed via the "action" GET parameter to bug_actiongroup_ext_page.php & bug_actiongroup_page.php is not properly verified before being used to include files.
This can be exploited to include arbitrary files from local resources via directory traversal sequences and URL-encoded NULL bytes.

http://[host]/bug_actiongroup_ext_page.php?bug_arr[]=1&action=EXT_/../../../../../../../etc/passwd%00
http://[host]/bug_actiongroup_page.php?bug_arr[]=[ISSUE_ID]&action=EXT_/../../../../../../../etc/passwd%00

3) Input appended to the URL after manage_config_email_page.php & manage_config_workflow_page.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.

http://[host]/manage_config_email_page.php/%22%3E%3Cimg%20src=1%20onerror=%22javascript:alert%28document.cookie%29;%22%3E/
http://[host]/manage_config_workflow_page.php/%22%3E%3Cimg%20src=1%20onerror=%22javascript:alert%28document.cookie%29;%22%3E/

4) Input passed via the "platform", "os" and "os_build" GET parameters to bug_report_page.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.

http://[host]/bug_report_page.php?platform=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

Best regards,

High-Tech Bridge SA Security Research Lab
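Items (1) and (2) of the advisory both come down to what happens to the text after the EXT_ prefix of the action parameter once it is spliced into a require_once() path. The following is an added example, not MantisBT's own code and not part of the advisory or of the fix commits: a path-building helper that trusts that text, of the kind the advisory describes, next to a hardened version that accepts only an exact match against an allowlist of known action names, both run against the advisory's two payloads. The function names, the action list and the sample inputs are assumptions made for this illustration; it needs PHP 7.1 or later.

```php
<?php
// Added example (not MantisBT code): validating an "action" parameter that
// selects a file to include, as in bug_actiongroup_ext_page.php.
// KNOWN_EXT_ACTIONS, the function names and the inputs are assumptions.
declare(strict_types=1);

// Hypothetical set of external bulk actions the page may include.
const KNOWN_EXT_ACTIONS = array( 'add_note', 'attach_tags', 'update_severity', 'update_product_build' );

/**
 * Vulnerable pattern: everything after "EXT_" becomes part of the path.
 * "/../../../../etc/passwd\0" walks out of the tree, and on PHP < 5.3.4 the
 * NUL byte truncated the "_inc.php" suffix. Shown only for contrast.
 */
function ext_include_path_vulnerable( string $p_action ): ?string {
	if( strpos( $p_action, 'EXT_' ) !== 0 ) {
		return null;
	}
	return 'bug_actiongroup_' . substr( $p_action, 4 ) . '_inc.php';
}

/**
 * Hardened version: strip the prefix, then require an exact allowlist match.
 * No byte from the request reaches the path unless the whole value is a
 * known name, so traversal sequences and NUL bytes are simply rejected.
 */
function ext_include_path( string $p_action ): ?string {
	if( strpos( $p_action, 'EXT_' ) !== 0 ) {
		return null;
	}
	$t_name = substr( $p_action, 4 );
	if( !in_array( $t_name, KNOWN_EXT_ACTIONS, true ) ) {
		return null;
	}
	return 'bug_actiongroup_' . $t_name . '_inc.php';
}

// Constructed inputs: a legitimate action plus the advisory's two payloads
// (the %00 in the advisory URL decodes to a NUL byte).
$t_inputs = array(
	'EXT_add_note',
	"EXT_/../../../../../../../etc/passwd\0",
	'EXT_"><script>alert(document.cookie);</script>',
);

foreach( $t_inputs as $t_input ) {
	$t_shown = addcslashes( $t_input, "\0" );
	$t_results = array(
		'vulnerable' => ext_include_path_vulnerable( $t_input ),
		'hardened'   => ext_include_path( $t_input ),
	);
	foreach( $t_results as $t_label => $t_path ) {
		printf( "%-10s %-48s => %s\n", $t_label, $t_shown,
			$t_path === null ? 'null (rejected)' : addcslashes( $t_path, "\0" ) );
	}
}
```

The hardened function can only ever produce one of four fixed file names, so the include cannot be steered anywhere else. If the page echoes a rejected action value back in an error message, that output still has to go through htmlspecialchars(); the allowlist addresses the inclusion, not the reflection that item (1) of the advisory is about.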

rombert (reporter) - 2011-08-31 16:36 - ~0029610

Thank you.

dhx (reporter) - 2011-09-03 23:47 - ~0029634

Issues (1) and (2) have been fixed by Paul's recent commits (and my backports to the 1.2.x branch).

Issue (3) was reported a while ago by Paulino Calderon calderon@websec.mx in issue 0013191 but has yet to be fixed. Paul has committed a patch that resolves the issue.

Issue (4) has been fixed as well (it only impacts the master-1.2.x branch).

dhx (reporter) - 2011-09-03 23:56 - ~0029636

All issues should now be corrected in both 1.2.x and master branches.

@High-Tech Bridge Security Research Lab: thanks for taking the time to test MantisBT and provide an informative notification to the MantisBT developers.

@grangeway/Paul: thanks for pushing your patches!

I'll arrange for a 1.2.8 release with John ASAP, request CVE numbers from oss-sec and notify distributions that they need to update their copies of MantisBT.

grangeway (reporter) - 2013-04-05 17:57 - ~0036405

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.

Related Changesets

MantisBT: master a908cc61

2011-08-29 05:43

Paul Richards


Rework the bug action group api such that we can easily convert this to an object in the future, and to validate calls to require_once.

This leads to a security issue identified by IBM's Appscan program, whereby calls to require_once are not validated.
Depending on webserver configuration, this is a file inclusion vulnerability.

There will be a follow up commit to config api - probably:
- if( $g_project_override != null ) {
+ if( $g_project_override != null && $p_project == null ) {

At the moment, the action group API calls config_get with a project parameter to use. This is ignored, due to project_override being set - so we either need to:
a) change project override within the command list function
b) modify config api to only use the project override *if* it is attempting to look up information on the default project.
Affected Issues
0013281
mod - bug_actiongroup_add_note_inc.php
mod - bug_actiongroup_attach_tags_inc.php
mod - bug_actiongroup_ext.php
mod - bug_actiongroup_ext_page.php
mod - bug_actiongroup_page.php
mod - bug_actiongroup_update_product_build_inc.php
mod - bug_actiongroup_update_severity_inc.php
mod - core/bug_group_action_api.php

MantisBT: master-1.2.x 5b93161f

2011-08-29 05:43

Paul Richards

Committer: dhx


Rework the bug action group api such that we can easily convert this to an object in the future, and to validate calls to require_once.

This leads to a security issue identified by IBM's Appscan program, whereby calls to require_once are not validated.
Depending on webserver configuration, this is a file inclusion vulnerability.

There will be a follow up commit to config api - probably:
- if( $g_project_override != null ) {
+ if( $g_project_override != null && $p_project == null ) {

At the moment, the action group API calls config_get with a project parameter to use. This is ignored, due to project_override being set - so we either need to:
a) change project override within the command list function
b) modify config api to only use the project override *if* it is attempting to look up information on the default project.

Backported from master-1.2.x branch. Note that this commit relies upon
commit 6dc35105064e5a2533fb4e1de54426ea17d2ef36 from the master branch
(that hadn't been backported to 1.2.x).

Conflicts:
bug_actiongroup_ext.php
bug_actiongroup_ext_page.php
bug_actiongroup_page.php
core/bug_group_action_api.php

Signed-off-by: David Hicks <d@hx.id.au>
Affected Issues
0013281
mod - bug_actiongroup_ext.php
mod - bug_actiongroup_ext_page.php
mod - bug_actiongroup_page.php
mod - core/bug_group_action_api.php

MantisBT: master 57c94485

2011-08-29 06:55

Paul Richards


Fix issue introduced previously whereby PHP_SELF is now used unchecked.

Introduced previously by John attempting to fix symlinks. Since we now use PHP 5.2, we can make use of filter_var.

This is a simpler version of what we were trying to do previously aka http://git.mantisforge.org/w/mantisbt.git?a=commitdiff;h=5ac1fdf32717d0c82cca7e7660dd4fd316a6a1b8

Depending on server/mantis config this can lead to XSS issues
Affected Issues
0013191, 0013281
mod - config_defaults_inc.php

MantisBT: master-1.2.x d00745f5

2011-08-29 06:55

Paul Richards

Committer: dhx


Fix issue introduced previously whereby PHP_SELF is now used unchecked.

Introduced previously by John attempting to fix symlinks. Since we now use PHP 5.2, we can make use of filter_var.

This is a simpler version of what we were trying to do previously aka http://git.mantisforge.org/w/mantisbt.git?a=commitdiff;h=5ac1fdf32717d0c82cca7e7660dd4fd316a6a1b8

Depending on server/mantis config this can lead to XSS issues

David: Backported from master branch and removed unreachable code branch.

Signed-off-by: David Hicks <d@hx.id.au>
Affected Issues
0013191, 0013281
mod - config_defaults_inc.php

MantisBT: master-1.2.x 0a636b37

2011-09-03 16:36

dhx


Issue 0013281: Fix Projax XSS issues (unescaped value attributes)

Projax sucks. This is why it was replaced with jQuery in the master
branch. However master-1.2.x still uses the older Projax code. The
Projax library doesn't attempt to escape values before dumping them in
HTML output, thus leading to XSS issues.

The easiest workaround is to pass in already-escaped values to the
Projax functions.

This issue was reported by High-Tech Bridge SA Security Research Lab as
part of their advisory #HTB23045, available at
https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html
Affected Issues
0013281
mod - bug_report_page.php
mod - bug_update_advanced_page.php
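The two XSS changesets above (57c94485/d00745f5 for PHP_SELF, 0a636b37 for the Projax value attributes) fix the same underlying mistake twice: request-controlled text reaches HTML output without escaping. The following is an added example, not MantisBT's own code and not the content of those commits: for item (3) of the advisory it contrasts a base-path computation that takes PHP_SELF at face value with one that uses SCRIPT_NAME and escapes the result, and for item (4) it contrasts an input tag written the way the advisory describes with one that escapes its value attribute. The commits themselves used filter_var on PHP_SELF; this example uses htmlspecialchars() instead, since FILTER_SANITIZE_STRING is deprecated as of PHP 8.1. The function names, the $_SERVER values and the field names are constructed for this illustration; it needs PHP 7.0 or later.

```php
<?php
// Added example (not MantisBT code): output escaping for the two XSS
// patterns in this report. Function names, $_SERVER values and field names
// are assumptions made for the illustration.
declare(strict_types=1);

// Item (3), weak pattern: take everything up to the last '/' of PHP_SELF as
// the install path. PHP_SELF includes any PATH_INFO the client appended, so a
// request for /manage_config_email_page.php/<payload>/ returns the payload as
// part of the "path", and it is then written into attributes unescaped.
function path_prefix_vulnerable( array $p_server ): string {
	$t_self = $p_server['PHP_SELF'];
	return substr( $t_self, 0, strrpos( $t_self, '/' ) + 1 );
}

// Item (3), fixed: SCRIPT_NAME names the script the server mapped the request
// to and does not carry PATH_INFO (true for Apache with mod_php; under
// FastCGI it is whatever fastcgi_param sets it to). Escape regardless, since
// the value is emitted inside HTML attributes.
function path_prefix( array $p_server ): string {
	$t_dir = dirname( $p_server['SCRIPT_NAME'] );
	$t_path = ( $t_dir === '/' || $t_dir === '\\' || $t_dir === '.' ) ? '/' : $t_dir . '/';
	return htmlspecialchars( $t_path, ENT_QUOTES, 'UTF-8' );
}

// Item (4), weak pattern: a value attribute written without escaping, which
// is what the Projax helpers in 1.2.x did with the platform/os/os_build
// values from the query string.
function text_input_vulnerable( string $p_name, string $p_value ): string {
	return '<input type="text" name="' . $p_name . '" value="' . $p_value . '" />';
}

// Item (4), fixed: escape before the value reaches the markup. Passing
// already-escaped values into the helper is the same idea as the 1.2.8 fix.
function text_input( string $p_name, string $p_value ): string {
	$t_name  = htmlspecialchars( $p_name, ENT_QUOTES, 'UTF-8' );
	$t_value = htmlspecialchars( $p_value, ENT_QUOTES, 'UTF-8' );
	return '<input type="text" name="' . $t_name . '" value="' . $t_value . '" />';
}

// Constructed request matching the advisory's item (3) URL, installed under /mantis/.
$t_server = array(
	'PHP_SELF'    => '/mantis/manage_config_email_page.php/"><img src=1 onerror="javascript:alert(document.cookie);">/',
	'SCRIPT_NAME' => '/mantis/manage_config_email_page.php',
);
echo "weak:  ", path_prefix_vulnerable( $t_server ), "\n";
echo "fixed: ", path_prefix( $t_server ), "\n";

// Constructed GET values matching the advisory's item (4) URL.
$t_get = array(
	'platform' => '"><script>alert(document.cookie);</script>',
	'os'       => 'Debian',
);
foreach( $t_get as $t_field => $t_value ) {
	echo "weak:  ", text_input_vulnerable( $t_field, $t_value ), "\n";
	echo "fixed: ", text_input( $t_field, $t_value ), "\n";
}
```

The weak path function hands back the entire PHP_SELF string, payload included, because the trailing slash in the advisory URL makes the payload look like a directory component; the fixed one yields /mantis/ for the same request. For the form fields, ENT_QUOTES matters: the payloads open with a double quote to break out of the value attribute, and htmlspecialchars() without that flag leaves single quotes alone, which would still be exploitable in a single-quoted attribute.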