0013281: MantisBT Security Vulnerabilities Notification

Notes
(0029607) rombert (developer) 2011-08-31 16:02	Thanks for your report. This issue is now private and therefore accessible only to developers and yourself. Can you please add the details of the vulnerabilities to this bug report?

(0029608) htbridge (reporter) 2011-08-31 16:28	Our notification text for email: High-Tech Bridge Security Research Lab has discovered multiple security vulnerabilities in your product - MantisBT. Detailed description and all available details of the vulnerabilities is provided below in the email. Please notify us by replying to this email when you release security update. If you need more time to fix the vulnerabilities - please specify desired Public Disclosure date by replying to this email. For any questions related to this notification email - please visit our General Information & Disclosure Policy page: https://www.htbridge.ch/advisory/disclosure_policy.html [^] If you don't find an answer to your question there - please feel free to contact us by email: advisory@htbridge.ch =============================================================== Vulnerability ID: HTB23045 Reference: https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html [^] Product: MantisBT Vendor: www.mantisbt.org ( http://www.mantisbt.org/ [^] ) Vulnerable Version: 1.2.7. and probably prior Tested Version: 1.2.7. Public Disclosure: 21 September 2011 Vulnerability Type: Local File Inclusion, XSS Risk level: High Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ [^] ) Vulnerability Details: High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in MantisBT, which can be exploited to perform cross-site scripting, local file inclusion attacks. 1) Input passed via the "action" GET parameter to bug_actiongroup_ext_page.php & bug_actiongroup_page.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website. The following PoC code is available: http://[host]/bug_actiongroup_ext_page.php?bug_arr[]=1&action=EXT_%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E [^] http://[host]/bug_actiongroup_page.php?bug_arr[]=[ISSUE_ID]&action=EXT_%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E [^] 2) Input passed via the "action" GET parameter to bug_actiongroup_ext_page.php & bug_actiongroup_page.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal sequences and URL-encoded NULL bytes. http://[host]/bug_actiongroup_ext_page.php?bug_arr[]=1&action=EXT_/../../../../../../../etc/passwd%00 [^] http://[host]/bug_actiongroup_page.php?bug_arr[]=[ISSUE_ID]&action=EXT_/../../../../../../../etc/passwd%00 [^] 3) Input appended to the URL after manage_config_email_page.php & manage_config_workflow_page.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website. http://[host]/manage_config_email_page.php/%22%3E%3Cimg%20src=1%20onerror=%22javascript:alert%28document.cookie%29;%22%3E/ [^] http://[host]/manage_config_workflow_page.php/%22%3E%3Cimg%20src=1%20onerror=%22javascript:alert%28document.cookie%29;%22%3E/ [^] 4) Input passed via the "platform", "os", "os_build", GET parameter to bug_report_page.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website. http://[host]/bug_report_page.php?platform=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E [^] =============================================================== Best regards, High-Tech Bridge SA Security Research Lab

(0029610) rombert (developer) 2011-08-31 16:36	Thank you.

(0029634) dhx (developer) 2011-09-03 23:47	Issues (1) and (2) have been fixed by Paul's recent commits (and my backports to the 1.2.x branch). Issue (3) was reported a while ago by Paulino Calderon <calderon@websec.mx> in issue 0013191 but has yet to be fixed. Paul has committed a patch that resolves the issue. Issue (4) has been fixed as well (it only impacts the master-1.2.x branch).

(0029636) dhx (developer) 2011-09-03 23:56	All issues should now be corrected in both 1.2.x and master branches. @High-Tech Bridge Security Research Lab: thanks for taking the time to test MantisBT and provide an informative notification to the MantisBT developers. @grangeway/Paul: thanks for pushing your patches! I'll arrange for a 1.2.8 release with John ASAP, request CVE numbers from oss-sec and notify distributions that they need to update their copies of MantisBT.

(0036405) grangeway (developer) 2013-04-05 17:57	Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

Related Changesets
MantisBT: master a908cc61 Timestamp: 2011-08-29 09:43:23 Author: Paul Richards [ Details ] [ Diff ]	Rework the bug action group api such that we can easily convert this to an object in the future, and to validate calls to require once. This leads to a security issue identified by IBM's Appscan program, whereby calls to require_once are not validated. Depending on webserver configuration, this is a file inclusion vulnerability. There will be a follow up commit to config api - probably: - if( $g_project_override != null ) { + if( $g_project_override != null && $p_project == null ) { At the moment, the action group API calls config_get with a project parameter to use. This is ignored, due to project_override being set - so we either need to: a) change project override within the command list function b) modifify config api to only use the project override if it is attempting to look up information on the default project.
	mod - bug_actiongroup_add_note_inc.php	[ Diff ] [ File ]
	mod - bug_actiongroup_attach_tags_inc.php	[ Diff ] [ File ]
	mod - bug_actiongroup_ext.php	[ Diff ] [ File ]
	mod - bug_actiongroup_ext_page.php	[ Diff ] [ File ]
	mod - bug_actiongroup_page.php	[ Diff ] [ File ]
	mod - bug_actiongroup_update_product_build_inc.php	[ Diff ] [ File ]
	mod - bug_actiongroup_update_severity_inc.php	[ Diff ] [ File ]
	mod - core/bug_group_action_api.php	[ Diff ] [ File ]

MantisBT: master-1.2.x 5b93161f Timestamp: 2011-08-29 09:43:23 Author: Paul Richards Committer: dhx [ Details ] [ Diff ]	Rework the bug action group api such that we can easily convert this to an object in the future, and to validate calls to require once. This leads to a security issue identified by IBM's Appscan program, whereby calls to require_once are not validated. Depending on webserver configuration, this is a file inclusion vulnerability. There will be a follow up commit to config api - probably: - if( $g_project_override != null ) { + if( $g_project_override != null && $p_project == null ) { At the moment, the action group API calls config_get with a project parameter to use. This is ignored, due to project_override being set - so we either need to: a) change project override within the command list function b) modifify config api to only use the project override if it is attempting to look up information on the default project. Backported from master-1.2.x branch. Note that this commit relies upon commit 6dc35105064e5a2533fb4e1de54426ea17d2ef36 from the master branch (that hadn't been backported to 1.2.x). Conflicts: bug_actiongroup_ext.php bug_actiongroup_ext_page.php bug_actiongroup_page.php core/bug_group_action_api.php Signed-off-by: David Hicks <d@hx.id.au>
	mod - bug_actiongroup_ext.php	[ Diff ] [ File ]
	mod - bug_actiongroup_ext_page.php	[ Diff ] [ File ]
	mod - bug_actiongroup_page.php	[ Diff ] [ File ]
	mod - core/bug_group_action_api.php	[ Diff ] [ File ]

MantisBT: master 57c94485 Timestamp: 2011-08-29 10:55:14 Author: Paul Richards [ Details ] [ Diff ]	Fix issue introduced previously whereby php_Self is now used unchecked. introduced previously by john attempting to fix symlinks. Since we now use php 5.2, we can make use of filter_var. This is a simpler version of what we were trying to do previously aka http://git.mantisforge.org/w/mantisbt.git?a=commitdiff;h=5ac1fdf32717d0c82cca7e7660dd4fd316a6a1b8 [^] Depending on server/mantis config this can lead to XSS issues
	mod - config_defaults_inc.php	[ Diff ] [ File ]

MantisBT: master-1.2.x d00745f5 Timestamp: 2011-08-29 10:55:14 Author: Paul Richards Committer: dhx [ Details ] [ Diff ]	Fix issue introduced previously whereby php_Self is now used unchecked. introduced previously by john attempting to fix symlinks. Since we now use php 5.2, we can make use of filter_var. This is a simpler version of what we were trying to do previously aka http://git.mantisforge.org/w/mantisbt.git?a=commitdiff;h=5ac1fdf32717d0c82cca7e7660dd4fd316a6a1b8 [^] Depending on server/mantis config this can lead to XSS issues David: Backported from master branch and removed unreachable code branch. Signed-off-by: David Hicks <d@hx.id.au>
	mod - config_defaults_inc.php	[ Diff ] [ File ]

MantisBT: master-1.2.x 0a636b37 Timestamp: 2011-09-03 20:36:59 Author: dhx [ Details ] [ Diff ]	Issue 0013281: Fix Projax XSS issues (unescaped value attributes) Projax sucks. This is why it was replaced with jQuery in the master branch. However master-1.2.x still uses the older Projax code. The Projax library doesn't attempt to escape values before dumping them in HTML output, thus leading to XSS issues. The easiest workaround is to pass in already-escaped values to the Projax functions. This issue was reported by High-Tech Bridge SA Security Research Lab as part of their advisory #HTB23045, available at https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html [^]
	mod - bug_report_page.php	[ Diff ] [ File ]
	mod - bug_update_advanced_page.php	[ Diff ] [ File ]

Issue History
Date Modified	Username	Field	Change
2011-08-31 15:57	htbridge	New Issue
2011-08-31 16:01	rombert	View Status	public => private
2011-08-31 16:02	rombert	Note Added: 0029607
2011-08-31 16:28	htbridge	Note Added: 0029608
2011-08-31 16:36	rombert	Note Added: 0029610
2011-08-31 16:36	rombert	Priority	normal => urgent
2011-08-31 16:36	rombert	Status	new => confirmed
2011-08-31 16:36	rombert	Target Version	=> 1.2.8
2011-08-31 16:36	rombert	Description Updated	View Revisions
2011-09-01 05:46	dhx	Assigned To	=> dhx
2011-09-01 05:46	dhx	Status	confirmed => assigned
2011-09-01 05:47	dhx	Priority	urgent => immediate
2011-09-01 05:47	dhx	Severity	major => block
2011-09-01 05:47	dhx	Reproducibility	have not tried => always
2011-09-01 05:47	dhx	Description Updated	View Revisions
2011-09-01 06:23	dhx	Relationship added	parent of 0013282
2011-09-01 06:23	dhx	Relationship added	parent of 0013283
2011-09-03 23:42	dhx	Changeset attached	=> MantisBT master-1.2.x 0a636b37
2011-09-03 23:44	dhx	Relationship added	related to 0013191
2011-09-03 23:47	dhx	Note Added: 0029634
2011-09-03 23:48	dhx	Changeset attached	=> MantisBT master-1.2.x d00745f5
2011-09-03 23:49	dhx	Changeset attached	=> MantisBT master 57c94485
2011-09-03 23:51	dhx	Changeset attached	=> MantisBT master-1.2.x 5b93161f
2011-09-03 23:51	dhx	Changeset attached	=> MantisBT master a908cc61
2011-09-03 23:56	dhx	Note Added: 0029636
2011-09-03 23:56	dhx	Status	assigned => resolved
2011-09-03 23:56	dhx	Fixed in Version	=> 1.2.8
2011-09-03 23:56	dhx	Resolution	open => fixed
2011-09-04 00:01	dhx	View Status	private => public
2011-09-06 10:34	jreese	Status	resolved => closed
2013-04-05 17:57	grangeway	Status	closed => acknowledged
2013-04-05 17:57	grangeway	Note Added: 0036405
2013-04-05 18:12	grangeway	Relationship added	related to 0015721
2013-04-06 03:43	dregad	Status	acknowledged => closed
2013-04-06 07:23	grangeway	Status	closed => acknowledged
2013-04-06 09:22	dregad	Tag Attached: 2.0.x check
2013-04-06 09:23	dregad	Status	acknowledged => closed