2016-07-25 17:57 EDT

ID: 0017725
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-12-05 18:33
Reporter: EgiX
Assigned To: dregad
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.17
Target Version: 1.2.18
Fixed in Version: 1.2.18
Summary: 0017725: CVE-2014-7146: PHP Code Injection Vulnerability in XmlImportExport plugin
Description: There's a PHP code injection vulnerability within the Import/Export plugin (/plugins/XmlImportExport/ImportXml.php): user input passed through the "description" field (and the "issuelink" attribute) of the uploaded XML file isn't properly sanitized before being used in a call to the preg_replace() function, which uses the 'e' modifier. This can be exploited to inject and execute arbitrary PHP code when the Import/Export plugin is installed.
Steps To Reproduce: Go to http://[host]/[mantis]/plugin.php?page=XmlImportExport/import and upload the attached XML file.
Tags: No tags attached.
Attached Files
  • poc.xml (231 bytes) 2014-10-04 14:18
    <?xml version="1.0"?>
    <mantis issuelink="{${phpinfo()}}.{${die()}}">
        <issue>
            <project>test</project>
            <summary>test</summary>
            <description>{${phpinfo()}}.{${die()}}23</description>
        </issue>
    </mantis>
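
To make the mechanism in the Description concrete, the following is an added example in PHP. It is not MantisBT code and does not reproduce ImportXml.php: it assumes a hypothetical importer that rewrites "<issuelink><id>" references with preg_replace() and the /e modifier, with both the link prefix and the rewritten text taken from the uploaded XML, and it swaps the PoC's phpinfo()/die() for a harmless marker() function so the effect is observable. map_issue_id(), marker(), rewrite_links_vulnerable() and rewrite_links_safe() are all names made up for this example. The hardened preg_replace_callback() form sits beside the vulnerable one.

```php
<?php
// Added example, not MantisBT code and not a copy of ImportXml.php. It models the flaw
// in the Description: a preg_replace() with the /e modifier whose matched text comes
// from user input, next to the preg_replace_callback() form that treats the match as data.
//
// Hypothetical scenario: an importer rewrites "<issuelink><id>" references so that old
// issue ids map to new ones. Both the link prefix and the text being rewritten come from
// the uploaded XML, i.e. from the attacker.

function map_issue_id($old_id) {
    // Stand-in for the importer's old-id -> new-id table (constructed for the example).
    static $map = array('23' => '105');
    return isset($map[$old_id]) ? $map[$old_id] : $old_id;
}

// VULNERABLE. PHP 5 only: /e was removed in PHP 7. With /e, PHP substitutes the
// backreferences into the replacement string and then evaluates the result as code.
// Each backreference is passed through addslashes() first, so quotes are escaped, but
// the PoC's {${phpinfo()}} needs none: once it lands inside the double-quoted "$1" it is
// parsed as PHP's complex variable syntax and phpinfo() runs.
function rewrite_links_vulnerable($issuelink, $text) {
    $pattern = '/(' . preg_quote($issuelink, '/') . ')(\d+)/e';
    // Code that gets evaluated per match:  "<group 1 text>" . map_issue_id("<digits>")
    return preg_replace($pattern, '"$1" . map_issue_id("$2")', $text);
}

// FIXED. preg_replace_callback() hands the match to the callback as an array of
// strings; nothing taken from the subject is ever compiled or evaluated.
function rewrite_links_safe($issuelink, $text) {
    $pattern = '/(' . preg_quote($issuelink, '/') . ')(\d+)/';
    return preg_replace_callback($pattern, function ($m) {
        return $m[1] . map_issue_id($m[2]);
    }, $text);
}

// Harmless stand-in for the PoC's phpinfo(): records that attacker-supplied code ran.
$injected = false;
function marker() {
    $GLOBALS['injected'] = true;
    return 'marker';
}

// Constructed input shaped like the attached poc.xml: the issuelink prefix followed by
// an issue id, with the payload aimed at marker() instead of phpinfo() and die().
$issuelink   = '{${marker()}}';
$description = $issuelink . '23';

if (PHP_MAJOR_VERSION < 7) {
    $out = @rewrite_links_vulnerable($issuelink, $description);   // @ hides E_DEPRECATED/E_NOTICE noise
    printf("vulnerable: injected=%s result=%s\n", var_export($injected, true), var_export($out, true));
}

$injected = false;
$out = rewrite_links_safe($issuelink, $description);
printf("safe: injected=%s result=%s\n", var_export($injected, true), var_export($out, true));
```

Run under PHP 5 (the /e modifier was removed in PHP 7, so the vulnerable call is skipped there), the first call flips $injected to true: the payload contains no quotes, so the addslashes() applied to each backreference leaves {${marker()}} intact, and once that text is pasted into the double-quoted "$1" PHP executes marker() while resolving a variable-variable. The callback version leaves $injected false and returns the prefix verbatim followed by the mapped id, because the match only ever reaches PHP as a string value.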

Relationships
related to 0012013 (closed, dregad): Improvements for plugin ImportExportXml (and required core changes)
related to 0017780 (closed, dregad): CVE-2014-8598: XML plugin should restrict ability to import data

Notes
~0041345 grangeway (reporter)

Hi EgiX,

I believe this issue was fixed in August 2010 with the following commit:

https://github.com/mantisbt/mantisbt/commit/84017535f8718685d755d58af7a39d80f52ffca8

However, that's not made a public release yet.

Are you able to test if you can reproduce the issue with the latest version of the Import plugin from master?

Paul

~0041346 EgiX (reporter)

Hi Paul,

the issue can't be reproduced with the latest version from master, because the commit that you linked actually solves the vulnerability.

By the way, you're aware of this vulnerability from August 2010, and still no public release to fix it?!

~0041347 grangeway (reporter)

In this case, I'd say I personally wasn't aware of this issue; however, I know I tried to find issues with the e modifier for preg_* in Mantis' source tree about 2 years ago.

So in this case, when I saw the report, I was fairly confident that the latest trunk wasn't vulnerable, therefore it was a case of looking back to see when it changed, which was then easy.

As an aside, the e modifier got deprecated in PHP 5.5 I believe, so the preg_match_all lines need rewriting.

~0041379 EgiX (reporter)

In this case, I'd say I don't understand why the trunk on GitHub isn't vulnerable starting from August 2010, while all releases starting from version 1.2.0 are vulnerable both on GitHub and SourceForge.

Yes, the 'e' modifier has been deprecated as of PHP 5.5.0. However, it doesn't make any sense to use it in a preg_match_all() call, so I guess you can just remove it from the regex definition.

FYI, I believe this is a serious vulnerability, though the plugin is not enabled by default. For example, this instance of MantisBT is vulnerable, since the Import/Export plugin is enabled:

http://www.mantisbt.org/bugs/plugin.php?page=XmlImportExport/import

I'm gonna request a new CVE ID for this vulnerability. Hopefully, you will be releasing a security update ASAP.
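
The 'e' modifier hunt grangeway describes in ~0041347 and the preg_match_all() cleanup EgiX suggests above can be turned into a small audit script. The following is an added example, not MantisBT code: it tokenises PHP source with token_get_all() and reports every preg_* call whose literal pattern carries the 'e' modifier, and separately every call whose pattern is assembled at runtime (for instance from a user-supplied prefix), since a literal-only scan cannot see the modifiers of such a pattern and it has to be read by hand. regex_modifiers() and find_e_modifier() are names made up here, and the PHP source it scans is a constructed sample.

```php
<?php
// Added example, not MantisBT code: an audit helper for the 'e' modifier hunt
// described in the notes. It tokenises PHP source and reports (a) every preg_*
// call whose literal pattern carries the 'e' modifier (an eval sink in
// preg_replace(), dead weight elsewhere; PHP 5.5 deprecates it and PHP 7 refuses
// the pattern) and (b) every call whose pattern is assembled at runtime, which a
// literal-only scan cannot judge and a human must read.

/**
 * Return the modifier letters of a regex literal (the raw PHP string token,
 * quotes included), or null if the literal does not look like a delimited regex.
 */
function regex_modifiers($literal) {
    $quote = $literal[0];
    if ($quote !== "'" && $quote !== '"') {
        return null;                                 // heredoc/nowdoc: not handled here
    }
    $body = ltrim(substr($literal, 1, -1));          // drop the PHP quotes
    if ($body === '') {
        return null;
    }
    $open = $body[0];
    if (ctype_alnum($open) || $open === '\\') {
        return null;                                 // PCRE rejects these as delimiters
    }
    $pairs = array('(' => ')', '[' => ']', '{' => '}', '<' => '>');
    $close = isset($pairs[$open]) ? $pairs[$open] : $open;
    $pos   = strrpos($body, $close);                 // modifiers follow the last closing delimiter
    if ($pos === false || $pos === 0) {
        return null;
    }
    return (string) substr($body, $pos + 1);
}

/**
 * Scan PHP source. Returns array('e_modifier' => [...], 'dynamic_pattern' => [...]),
 * each entry carrying the line number and the preg_* function involved.
 */
function find_e_modifier($source) {
    $funcs  = array('preg_replace', 'preg_match', 'preg_match_all', 'preg_split',
                    'preg_grep', 'preg_replace_callback');
    $tokens = token_get_all($source);
    $n      = count($tokens);
    $report = array('e_modifier' => array(), 'dynamic_pattern' => array());

    // Index of the next token at or after $j that is not whitespace or a comment.
    $skip = function ($j) use ($tokens, $n) {
        while ($j < $n && is_array($tokens[$j])
               && in_array($tokens[$j][0], array(T_WHITESPACE, T_COMMENT, T_DOC_COMMENT), true)) {
            $j++;
        }
        return $j;
    };

    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || $t[0] !== T_STRING || !in_array(strtolower($t[1]), $funcs, true)) {
            continue;
        }
        $j = $skip($i + 1);
        if ($j >= $n || $tokens[$j] !== '(') {
            continue;                                // name mentioned, but not a call
        }
        $j = $skip($j + 1);                          // first argument: the pattern
        $k = $j < $n ? $skip($j + 1) : $n;           // token after it: ',' if the pattern is one literal
        $is_literal = $j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_CONSTANT_ENCAPSED_STRING
                      && $k < $n && ($tokens[$k] === ',' || $tokens[$k] === ')');
        if (!$is_literal) {
            $report['dynamic_pattern'][] = array('line' => $t[2], 'function' => $t[1]);
            continue;
        }
        $mods = regex_modifiers($tokens[$j][1]);
        if ($mods !== null && strpos($mods, 'e') !== false) {
            $report['e_modifier'][] = array('line' => $t[2], 'function' => $t[1], 'pattern' => $tokens[$j][1]);
        }
    }
    return $report;
}

// Constructed sample source covering the cases that matter.
$sample = <<<'PHP'
<?php
$a = preg_replace('/(\d+)/e', 'f("$1")', $s);          // eval sink
$b = preg_match_all("/(\d+)/e", $s, $m);               // pointless 'e'; the call fails on PHP 7
$c = preg_replace('/(\d+)/', 'x', $s);                  // fine
$d = preg_replace('/' . $prefix . '(\d+)/e', 'y', $s);  // built at runtime: needs a human
$e = preg_replace_callback('/(\d+)/', 'cb', $s);        // fine
PHP;

$report = find_e_modifier($sample);
foreach ($report['e_modifier'] as $h) {
    printf("line %d: %s(%s) uses the 'e' modifier\n", $h['line'], $h['function'], $h['pattern']);
}
foreach ($report['dynamic_pattern'] as $h) {
    printf("line %d: %s() pattern is built at runtime; review by hand\n", $h['line'], $h['function']);
}
```

Heredoc and nowdoc patterns are skipped, and the delimiter logic follows PHP's PCRE rules (any non-alphanumeric, non-backslash character, with (), [], {} and <> as bracket pairs), so the modifier string is whatever follows the last closing delimiter. On the sample it flags the two literal 'e' patterns and lists the concatenated one for manual review; a pattern built from a user-supplied prefix, as in the report, is exactly the kind a grep for "/e'" would miss.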

~0041380 grangeway (reporter)

Because we've not actually done a "new" full release from master since then. We are probably planning on starting to do some alpha releases from the current master in November.

In terms of this bug tracker, I'd fix the plugin, but I've been waiting about a year now for the person who admins the mantisbt.org site to get around to adding the SSH key he promised to add.

Whilst it's a serious vulnerability, I'd expect most users not to enable the import/export plugin, so a lot of instances will probably be lucky not to be vulnerable due to that fact.

~0041399 grangeway (reporter)

EgiX, in fact, thinking about it a little, as I see you tend to publish bulletins, maybe we could aim for early November for a release.

~0041407 EgiX (reporter)

Of course I can wait for your release before publishing my bulletin. Just hope this is not going to be overlooked.

~0041408 grangeway (reporter)

I'd probably be inclined to remove the plugin from 1.2, and it's already fixed in 1.3.

~0041424 dregad (developer)

If the changes in the plugin can be backported to 1.2 without too many issues, I'd rather release 1.2.18 to include the fix - disabling the plugin might be an option for us, but not for everyone, and considering the severity of this.

I'll look into it.

~0041427 EgiX (reporter)

The Common Vulnerabilities and Exposures project has assigned the name CVE-2014-7146 to this vulnerability.

~0041442 dregad (developer)

Thank you for the CVE request, EgiX.

I'll keep you posted with regards to our patching of this issue in the 1.2.x branch, and the timeline for releasing 1.2.18.

Related Changesets
MantisBT: master-1.2.x 80a15487
Timestamp: 2014-10-17 11:21:25
Author: dregad
XML plugin: Add config page with access thresholds

Prior to this, any user of a MantisBT instance with the XML
Import/Export plugin enabled and knowing the URL to the plugin's import
page could upload an XML file and insert data without restriction,
regardless of their access level.

This vulnerability is particularly dangerous when used in combination
with the one described in issue 0017725 (CVE-2014-7146) as it makes for a
very simple and easily accessible vector for PHP code injection attacks.

There was also no access check when exporting data, which could allow an
attacker to gain access to confidential information (disclosure of all
bug-related data, including usernames).

Fixes 0017780 (CVE-2014-8598)
mod - plugins/XmlImportExport/XmlImportExport.php
mod - plugins/XmlImportExport/lang/strings_english.txt
add - plugins/XmlImportExport/pages/config.php
add - plugins/XmlImportExport/pages/config_page.php
mod - plugins/XmlImportExport/pages/export.php
mod - plugins/XmlImportExport/pages/import.php
MantisBT: master 7d3dd430
Timestamp: 2014-10-17 11:21:25
Author: dregad
XML plugin: Add config page with access thresholds
(Same commit message and file list as the master-1.2.x changeset 80a15487 above.)
MantisBT: master-1.2.x bed19db9
Timestamp: 2014-11-01 14:45:47
Author: dregad
XML Import: Fix php code injection vulnerability

Egidio Romano discovered a vulnerability in the XML import plugin.

User input passed through the "description" field (and the "issuelink"
attribute) of the uploaded XML file isn't properly sanitized before
being used in a call to the preg_replace() function which uses the 'e'
modifier. This can be exploited to inject and execute arbitrary PHP code
when the Import/Export plugin is installed.

This fix is a partial backport from a master branch commit which has
been confirmed as addressing the issue (84017535f8718685d755d58af7a39d80f52ffca8)
excluding changes not relevant to fixing the security issue, including
subsequent fixes (aea1a348043979e75a6cc021e4a0a7f8d3bb7211,
4350b4d4f0ee4fba423edcae1cd2117dc1e2d63b).

Fixes 0017725 (CVE-2014-7146)
mod - plugins/XmlImportExport/ImportXml.php


Issue History
Date Modified Username Field Change
2014-10-04 14:18 EgiX New Issue
2014-10-04 14:18 EgiX File Added: poc.xml
2014-10-04 14:56 grangeway Note Added: 0041345
2014-10-04 14:56 grangeway Target Version => 1.2.18
2014-10-04 15:48 EgiX Note Added: 0041346
2014-10-04 16:12 grangeway Note Added: 0041347
2014-10-05 12:16 EgiX Note Added: 0041379
2014-10-05 12:45 grangeway Note Added: 0041380
2014-10-05 15:09 grangeway Note Added: 0041399
2014-10-05 15:53 EgiX Note Added: 0041407
2014-10-05 16:04 grangeway Note Added: 0041408
2014-10-06 05:39 dregad Note Added: 0041424
2014-10-06 11:43 EgiX Note Added: 0041427
2014-10-07 04:56 dregad Note Added: 0041442
2014-10-07 04:56 dregad Status new => confirmed
2014-10-07 04:56 dregad Summary PHP Code Injection Vulnerability in /plugins/XmlImportExport/ImportXml.php => CVE-2014-7146 : PHP Code Injection Vulnerability in XmlImportExport plugin
2014-10-07 04:56 dregad Description Updated
2014-10-15 17:57 dregad Relationship added related to 0012013
2014-10-16 03:47 dregad Assigned To => dregad
2014-10-16 03:47 dregad Status confirmed => assigned
2014-10-16 12:09 dregad Relationship added related to 0017780
2014-11-07 17:43 dregad Changeset attached => MantisBT master-1.2.x bed19db9
2014-11-07 17:43 dregad Changeset attached => MantisBT master-1.2.x 80a15487
2014-11-07 17:43 dregad Status assigned => resolved
2014-11-07 17:43 dregad Resolution open => fixed
2014-11-07 17:43 dregad Fixed in Version => 1.2.18
2014-11-07 17:44 dregad Changeset attached => MantisBT master 7d3dd430
2014-11-07 18:06 dregad View Status private => public
2014-12-05 18:33 dregadmin Status resolved => closed