View Issue Details

ID: 0017725
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-12-05 18:33
Reporter: EgiX
Assigned To: dregad
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.17
Target Version: 1.2.18
Fixed in Version: 1.2.18
Summary: 0017725: CVE-2014-7146 : PHP Code Injection Vulnerability in XmlImportExport plugin
Description

There's a PHP code injection vulnerability within the Import/Export plugin (/plugins/XmlImportExport/ImportXml.php): user input passed through the "description" field (and the "issuelink" attribute) of the uploaded XML file isn't properly sanitized before being used in a call to the preg_replace() function which uses the 'e' modifier. This can be exploited to inject and execute arbitrary PHP code when the Import/Export plugin is installed.

Steps To Reproduce

Go to http://[host]/[mantis]/plugin.php?page=XmlImportExport/import and upload the attached XML file.
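
The fix that was later backported to 1.2.18 replaces the eval-based 'e' modifier with preg_replace_callback(). The following PHP is an added example, not code from the issue or from MantisBT's plugin: it assumes an issue-link rewrite step during import (the regex, the ID map and the names map_issue_id and rewrite_issue_links are this example's own) and checks that text in the shape of the attached PoC passes through as literal data.

```php
<?php
// Added example, not MantisBT's own code.
//
// Assumed scenario: while importing an issue, references such as "#23" in the
// description are rewritten to the IDs the local tracker assigned. The regex,
// the ID map and the two function names below are this example's own.
//
// Why the original was exploitable: with the 'e' modifier, preg_replace()
// substituted each capture into the replacement string and then eval()ed the
// result. The eval'd text is parsed like a double-quoted PHP string, so a
// capture containing {${phpinfo()}} is interpolated and the call inside it
// runs. The modifier was deprecated in PHP 5.5 and removed in PHP 7.
//
//   $t_out = preg_replace( $t_pattern . 'e', '"#" . map_issue_id("$1")', $t_text );  // UNSAFE
//
// preg_replace_callback() hands the match to a real function instead: the
// captured text is only ever a string argument and is never parsed as code.

function map_issue_id( array $t_map, string $t_old_id ): string {
    return isset( $t_map[$t_old_id] ) ? $t_map[$t_old_id] : $t_old_id;
}

function rewrite_issue_links( string $t_description, array $t_map ): string {
    return preg_replace_callback(
        '/#(\d+)\b/',
        function( array $t_match ) use ( $t_map ) {
            return '#' . map_issue_id( $t_map, $t_match[1] );
        },
        $t_description
    );
}

// Constructed input: an ordinary link plus text in the shape of the attached PoC.
$t_map = array( '23' => '42' );
$t_input = 'See #23; payload {${phpinfo()}}.{${die()}}#23';
$t_output = rewrite_issue_links( $t_input, $t_map );

// Only the links change; the payload comes out as the literal text it went in as.
if( $t_output !== 'See #42; payload {${phpinfo()}}.{${die()}}#42' ) {
    throw new RuntimeException( 'unexpected rewrite: ' . $t_output );
}
echo $t_output, PHP_EOL;
```

The callback form is also the only one available on PHP 7 and later, where the 'e' modifier no longer exists; on those versions the unsafe call shown in the comment simply returns NULL with a warning, so any code still depending on it breaks rather than executing.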

Tags: No tags attached.

Relationships

related to 0012013 (closed, dregad): Improvements for plugin ImportExportXml (and required core changes)
related to 0017780 (closed, dregad): CVE-2014-8598: XML plugin should restrict ability to import data

Activities

EgiX (reporter), 2014-10-04 14:18

poc.xml (231 bytes)
<?xml version="1.0"?>
<mantis issuelink="{${phpinfo()}}.{${die()}}">
    <issue>
        <project>test</project>
        <summary>test</summary>
        <description>{${phpinfo()}}.{${die()}}23</description>
    </issue>
</mantis>
grangeway (reporter), 2014-10-04 14:56, note ~0041345

Hi EgiX,

I believe this issue was fixed in August 2010 with the following commit:

https://github.com/mantisbt/mantisbt/commit/84017535f8718685d755d58af7a39d80f52ffca8

However, that hasn't made it into a public release yet.

Are you able to test if you can reproduce the issue with the latest version of the Import plugin from master?

Paul

EgiX (reporter), 2014-10-04 15:48, note ~0041346

Hi Paul,

the issue can't be reproduced with the latest version from master, because the commit that you linked actually solves the vulnerability.

By the way, you're aware of this vulnerability from August 2010, and still no public release to fix it?!

grangeway (reporter), 2014-10-04 16:12, note ~0041347

In this case, I'd say I personally wasn't aware of this issue, however I know I tried to find issues with the e modifier for preg_* in Mantis' source tree about 2 years ago.

So in this case, when I saw the report, I was fairly confident that the latest trunk wasn't vulnerable, therefore it was a case of looking back to see when it changed which was then easy.

As an aside, the e modifier got deprecated in PHP 5.5 I believe, so the preg_match_all lines need rewriting.
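
The sweep for 'e'-modifier preg_* calls mentioned above, as an added example that is not code from the thread or from MantisBT: it tokenizes PHP source and reports string literals that look like a PCRE pattern, or the tail of one, with 'e' among the modifiers. The function names and the sample source are this example's own.

```php
<?php
// Added example, not MantisBT's own code: a triage scanner for the PCRE 'e'
// modifier in PHP source. It tokenizes a file and reports every string
// literal that looks like a pattern, or the tail of one (the '/e' fragment
// of a concatenated pattern), whose modifier set contains 'e'.
// Heuristic only: a pattern assembled from variables at runtime is not seen,
// and every hit still needs a human look.

function literal_has_e_modifier( string $t_literal ): bool {
    // Drop the quotes that surround a T_CONSTANT_ENCAPSED_STRING token.
    $t_body = (string)substr( $t_literal, 1, -1 );
    if( $t_body === '' ) {
        return false;
    }
    // A PCRE delimiter is any non-alphanumeric, non-backslash, non-space char.
    $t_open = $t_body[0];
    if( ctype_alnum( $t_open ) || $t_open === '\\' || ctype_space( $t_open ) ) {
        return false;
    }
    $t_pairs = array( '(' => ')', '[' => ']', '{' => '}', '<' => '>' );
    $t_close = isset( $t_pairs[$t_open] ) ? $t_pairs[$t_open] : $t_open;
    $t_pos = strrpos( $t_body, $t_close );
    if( $t_pos === false ) {
        return false;
    }
    // Whatever follows the closing delimiter is the modifier list; accept it
    // only if every character is a real PCRE modifier and one of them is 'e'.
    $t_mods = substr( $t_body, $t_pos + 1 );
    return $t_mods !== '' && strpos( $t_mods, 'e' ) !== false
        && preg_match( '/^[imsxeADSUXJu]+$/', $t_mods ) === 1;
}

function find_e_modifier_literals( string $t_php_source ): array {
    $t_hits = array();
    foreach( token_get_all( $t_php_source ) as $t_token ) {
        if( is_array( $t_token ) && $t_token[0] === T_CONSTANT_ENCAPSED_STRING
            && literal_has_e_modifier( $t_token[1] ) ) {
            $t_hits[] = array( 'line' => $t_token[2], 'literal' => $t_token[1] );
        }
    }
    return $t_hits;
}

// Constructed sample source (not from the plugin): lines 2 and 3 should be
// reported, line 3 through the '/ie' fragment of a concatenated pattern;
// the plain pattern on line 4 and the file path on line 5 should not.
$t_sample = <<<'PHP'
<?php
$a = preg_replace( '/#(\d+)/e', '"#" . f("$1")', $text );
$b = preg_replace( '/' . $regex . '/ie', $repl, $text );
$c = preg_match_all( '/#(\d+)/', $text, $m );
$d = '/var/log/mantis/file';
PHP;

foreach( find_e_modifier_literals( $t_sample ) as $t_hit ) {
    printf( "line %d: %s\n", $t_hit['line'], $t_hit['literal'] );
}
```

Run over a source tree, the hit list is a review queue rather than a verdict: a `'/e'` fragment next to a preg_match_all() is dead weight to delete, while one next to a preg_replace() is the pattern this issue is about and needs the callback rewrite.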

EgiX (reporter), 2014-10-05 12:16, note ~0041379

In this case, I'd say I don't understand why the trunk on GitHub isn't vulnerable starting from August 2010, while all releases starting from version 1.2.0 are vulnerable both on GitHub and SourceForge.

Yes, the 'e' modifier has been deprecated as of PHP 5.5.0. However, it doesn't make any sense to use it in a preg_match_all() call, so I guess you can just remove it from the regex definition.

FYI, I believe this is a serious vulnerability, though the plugin is not enabled by default. For example, this instance of MantisBT is vulnerable, since the Import/Export plugin is enabled:

http://www.mantisbt.org/bugs/plugin.php?page=XmlImportExport/import

I'm gonna request a new CVE ID for this vulnerability. Hopefully, you will be releasing a security update ASAP.

grangeway (reporter), 2014-10-05 12:45, note ~0041380

Because we've not actually done a "new" full release from master since then. We are probably planning on starting to do some alpha releases from the current master in November.

In terms of this bug tracker, I'd fix the plugin but I've been waiting about a year now for the person who admins the mantisbt.org site to get around to adding the SSH key he promised to add.

Whilst it's a serious vulnerability, I'd expect most users not to enable the import/export plugin so a lot of instances will probably be lucky not to be vulnerable due to that fact.

grangeway (reporter), 2014-10-05 15:09, note ~0041399

EgiX, in fact, thinking about it a little, as I see you tend to publish bulletins, maybe if we aim for early November for a release.

EgiX (reporter), 2014-10-05 15:53, note ~0041407

Of course I can wait for your release before publishing my bulletin. Just hope this is not going to be overlooked.

grangeway (reporter), 2014-10-05 16:04, note ~0041408

I'd probably be inclined to remove the plugin from 1.2, and it's already fixed in 1.3

dregad (developer), 2014-10-06 05:39, note ~0041424

If the changes in the plugin can be backported to 1.2 without too many issues, I'd rather release 1.2.18 to include the fix - disabling the plugin might be an option for us, but not for everyone and considering the severity of this.

I'll look into it.

EgiX (reporter), 2014-10-06 11:43, note ~0041427

The Common Vulnerabilities and Exposures project has assigned the name CVE-2014-7146 to this vulnerability.

dregad (developer), 2014-10-07 04:56, note ~0041442

Thank you for the CVE request, EgiX.

I'll keep you posted with regards to our patching of this issue in the 1.2.x branch, and the timeline for releasing 1.2.18.

Related Changesets

MantisBT: master-1.2.x 80a15487 (dregad, 2014-10-17 11:21:25)

XML plugin: Add config page with access thresholds

Prior to this, any user of a MantisBT instance with the XML
Import/Export plugin enabled and knowing the URL to the plugin's import
page could upload an XML file and insert data without restriction,
regardless of their access level.

This vulnerability is particularly dangerous when used in combination
with the one described in issue 0017725 (CVE-2014-7146) as it makes for a
very simple and easily accessible vector for PHP code injection attacks.

There was also no access check when exporting data, which could allow an
attacker to gain access to confidential information (disclosure of all
bug-related data, including usernames).

Fixes 0017780 (CVE-2014-8598)
mod - plugins/XmlImportExport/XmlImportExport.php
mod - plugins/XmlImportExport/lang/strings_english.txt
add - plugins/XmlImportExport/pages/config.php
add - plugins/XmlImportExport/pages/config_page.php
mod - plugins/XmlImportExport/pages/export.php
mod - plugins/XmlImportExport/pages/import.php

MantisBT: master 7d3dd430 (dregad, 2014-10-17 11:21:25)

XML plugin: Add config page with access thresholds

Prior to this, any user of a MantisBT instance with the XML
Import/Export plugin enabled and knowing the URL to the plugin's import
page could upload an XML file and insert data without restriction,
regardless of their access level.

This vulnerability is particularly dangerous when used in combination
with the one described in issue 0017725 (CVE-2014-7146) as it makes for a
very simple and easily accessible vector for PHP code injection attacks.

There was also no access check when exporting data, which could allow an
attacker to gain access to confidential information (disclosure of all
bug-related data, including usernames).

Fixes 0017780 (CVE-2014-8598)
mod - plugins/XmlImportExport/XmlImportExport.php
mod - plugins/XmlImportExport/lang/strings_english.txt
add - plugins/XmlImportExport/pages/config.php
add - plugins/XmlImportExport/pages/config_page.php
mod - plugins/XmlImportExport/pages/export.php
mod - plugins/XmlImportExport/pages/import.php

MantisBT: master-1.2.x bed19db9 (dregad, 2014-11-01 14:45:47)

XML Import: Fix php code injection vulnerability

Egidio Romano discovered a vulnerability in the XML import plugin.

User input passed through the "description" field (and the "issuelink"
attribute) of the uploaded XML file isn't properly sanitized before
being used in a call to the preg_replace() function which uses the 'e'
modifier. This can be exploited to inject and execute arbitrary PHP code
when the Import/Export plugin is installed.

This fix is a partial backport from a master branch commit which has
been confirmed as addressing the issue (84017535f8718685d755d58af7a39d80f52ffca8)
excluding changes not relevant to fixing the security issue, including
subsequent fixes (aea1a348043979e75a6cc021e4a0a7f8d3bb7211,
4350b4d4f0ee4fba423edcae1cd2117dc1e2d63b).

Fixes 0017725 (CVE-2014-7146)
mod - plugins/XmlImportExport/ImportXml.php

Issue History

Date Modified Username Field Change
2014-10-04 14:18 EgiX New Issue
2014-10-04 14:18 EgiX File Added: poc.xml
2014-10-04 14:56 grangeway Note Added: 0041345
2014-10-04 14:56 grangeway Target Version => 1.2.18
2014-10-04 15:48 EgiX Note Added: 0041346
2014-10-04 16:12 grangeway Note Added: 0041347
2014-10-05 12:16 EgiX Note Added: 0041379
2014-10-05 12:45 grangeway Note Added: 0041380
2014-10-05 15:09 grangeway Note Added: 0041399
2014-10-05 15:53 EgiX Note Added: 0041407
2014-10-05 16:04 grangeway Note Added: 0041408
2014-10-06 05:39 dregad Note Added: 0041424
2014-10-06 11:43 EgiX Note Added: 0041427
2014-10-07 04:56 dregad Note Added: 0041442
2014-10-07 04:56 dregad Status new => confirmed
2014-10-07 04:56 dregad Summary PHP Code Injection Vulnerability in /plugins/XmlImportExport/ImportXml.php => CVE-2014-7146 : PHP Code Injection Vulnerability in XmlImportExport plugin
2014-10-07 04:56 dregad Description Updated View Revisions
2014-10-15 17:57 dregad Relationship added related to 0012013
2014-10-16 03:47 dregad Assigned To => dregad
2014-10-16 03:47 dregad Status confirmed => assigned
2014-10-16 12:09 dregad Relationship added related to 0017780
2014-11-07 17:43 dregad Changeset attached => MantisBT master-1.2.x bed19db9
2014-11-07 17:43 dregad Changeset attached => MantisBT master-1.2.x 80a15487
2014-11-07 17:43 dregad Status assigned => resolved
2014-11-07 17:43 dregad Resolution open => fixed
2014-11-07 17:43 dregad Fixed in Version => 1.2.18
2014-11-07 17:44 dregad Changeset attached => MantisBT master 7d3dd430
2014-11-07 18:06 dregad View Status private => public
2014-12-05 18:33 dregadmin Status resolved => closed