View Issue Details

ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
0017725 | mantisbt | security | public | 2014-10-04 14:18 | 2014-12-05 18:33

Reporter: EgiX
Assigned To: dregad
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.17
Target Version: 1.2.18
Fixed in Version: 1.2.18

Summary: 0017725: CVE-2014-7146 : PHP Code Injection Vulnerability in XmlImportExport plugin

Description: There's a PHP code injection vulnerability within the Import/Export plugin (/plugins/XmlImportExport/ImportXml.php): user input passed through the "description" field (and the "issuelink" attribute) of the uploaded XML file isn't properly sanitized before being used in a call to the preg_replace() function which uses the 'e' modifier. This can be exploited to inject and execute arbitrary PHP code when the Import/Export plugin is installed.

Steps To Reproduce: Go to http://[host]/[mantis]/plugin.php?page=XmlImportExport/import and upload the attached XML file.

Tags: No tags attached.

Attached Files:
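The report above describes the hazard but not the code, so the following is an added example (not MantisBT's own code): a minimal stand-in for an import step that rewrites issue references inside an imported "description", once with preg_replace() and the /e modifier, which is the pattern behind CVE-2014-7146, and once with preg_replace_callback(). The regex, the "@issue:" token syntax, link_to(), attacker_marker() and $idmap are all hypothetical; the XML is constructed for the demo. The /e modifier only has meaning for preg_replace() (it eval()s the replacement), so the note below about it being pointless in preg_match_all() applies here too.

```php
<?php
// Added example (not MantisBT code). Requires PHP >= 5.3 for the closure;
// the vulnerable path only runs on PHP < 7, where the /e modifier still exists.

// Hypothetical map from ids used in the uploaded file to ids in this tracker,
// as an importer would build it while creating the imported issues.
$idmap = array('42' => '1007');

// Stands in for whatever an attacker would really call (system(), eval(), ...).
// It only records that it ran and returns the name of an existing global.
$GLOBALS['attacker_code_ran'] = false;
$GLOBALS['marker'] = 'PWNED';
function attacker_marker() {
    $GLOBALS['attacker_code_ran'] = true;
    return 'marker';
}

// Turns a reference taken from the XML into an HTML link to the new id.
function link_to($ref) {
    global $idmap;
    if (!isset($idmap[$ref])) {
        // Unknown reference: keep it as text, escaped for HTML output.
        return '@issue:' . htmlspecialchars($ref, ENT_QUOTES, 'UTF-8');
    }
    $id = (int) $idmap[$ref];
    return '<a href="view.php?id=' . $id . '">#' . $id . '</a>';
}

// VULNERABLE: with /e, preg_replace() splices \1 into the replacement string
// and eval()s the result. The capture lands inside a double-quoted PHP string,
// so "{$...}" interpolation inside the description is executed as code.
// PHP only backslash-escapes quotes in the spliced text, so a payload that
// avoids quotes goes through untouched.
function rewrite_links_vulnerable($text) {
    return preg_replace('/@issue:(\S+)/e', 'link_to("\\1")', $text);
}

// FIXED: preg_replace_callback() hands the capture to a function as data;
// nothing taken from the XML is ever compiled as PHP.
function rewrite_links_safe($text) {
    return preg_replace_callback(
        '/@issue:(\S+)/',
        function ($m) { return link_to($m[1]); },
        $text
    );
}

// Constructed upload: one benign reference and one quote-free payload.
// Nowdoc syntax, so nothing is interpolated here.
$upload = <<<'XML'
<mantis>
  <issue>
    <summary>Imported issue</summary>
    <description>Duplicate of @issue:42 and see @issue:{$GLOBALS[attacker_marker()]}</description>
  </issue>
</mantis>
XML;

$doc = new SimpleXMLElement($upload);
$description = (string) $doc->issue->description;

echo "safe:       ", rewrite_links_safe($description), "\n";
echo "code ran:   ", var_export($GLOBALS['attacker_code_ran'], true), "\n";

if (version_compare(PHP_VERSION, '7.0.0', '<')) {
    echo "vulnerable: ", rewrite_links_vulnerable($description), "\n";
    echo "code ran:   ", var_export($GLOBALS['attacker_code_ran'], true), "\n";
} else {
    // PHP 7 removed /e: preg_replace() warns "Unknown modifier 'e'" and returns NULL.
    echo "vulnerable: /e is unsupported on PHP ", PHP_VERSION, "\n";
}
```

On PHP 5 the safe path leaves the payload as inert text and "code ran" stays false; the vulnerable path prints "code ran: true" because attacker_marker() was executed while preg_replace() built the replacement, before link_to() was even called. The fix is purely a change of API: preg_replace_callback() keeps the same regex and the same link_to(), and removes the eval() step.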
Hi EgiX,

I believe this issue was fixed in August 2010 with the following commit: https://github.com/mantisbt/mantisbt/commit/84017535f8718685d755d58af7a39d80f52ffca8

However, that hasn't made it into a public release yet. Are you able to test if you can reproduce the issue with the latest version of the Import plugin from master?

Paul
Hi Paul,

The issue can't be reproduced with the latest version from master, because the commit that you linked actually solves the vulnerability. By the way, you're aware of this vulnerability from August 2010, and still no public release to fix it?!
In this case, I'd say I personally wasn't aware of this issue; however, I know I tried to find issues with the e modifier for preg_* in Mantis' source tree about 2 years ago. So in this case, when I saw the report, I was fairly confident that the latest trunk wasn't vulnerable, therefore it was a case of looking back to see when it changed, which was then easy.

As an aside, the e modifier got deprecated in PHP 5.5 I believe, so the preg_match_all lines need rewriting.
In this case, I'd say I don't understand why the trunk on GitHub isn't vulnerable starting from August 2010, while all releases starting from version 1.2.0 are vulnerable both on GitHub and SourceForge.

Yes, the 'e' modifier has been deprecated as of PHP 5.5.0. However, it doesn't make any sense to use it in a preg_match_all() call, so I guess you can just remove it from the regex definition.

FYI, I believe this is a serious vulnerability, though the plugin is not enabled by default. For example, this instance of MantisBT is vulnerable, since the Import/Export plugin is enabled: http://www.mantisbt.org/bugs/plugin.php?page=XmlImportExport/import

I'm gonna request a new CVE ID for this vulnerability. Hopefully, you will be releasing a security update ASAP.
Because we've not actually done a "new" full release from master since then. We are probably planning on starting to do some alpha releases from the current master in November.

In terms of this bug tracker, I'd fix the plugin but I've been waiting about a year now for the person who admins the mantisbt.org site to get around to adding the SSH key he promised to add.

Whilst it's a serious vulnerability, I'd expect most users not to enable the import/export plugin, so a lot of instances will probably be lucky not to be vulnerable due to that fact.
EgiX, in fact, thinking about it a little, as I see you tend to publish bulletins, maybe if we aim for early November for a release.
Of course I can wait for your release before publishing my bulletin. Just hope this is not going to be overlooked.
I'd probably be inclined to remove the plugin from 1.2, and it's already fixed in 1.3.
If the changes in the plugin can be backported to 1.2 without too many issues, I'd rather release 1.2.18 to include the fix. Disabling the plugin might be an option for us, but not for everyone, and considering the severity of this, I'll look into it.
The Common Vulnerabilities and Exposures project has assigned the name CVE-2014-7146 to this vulnerability.
Thank you for the CVE request, EgiX. I'll keep you posted with regards to our patching of this issue in the 1.2.x branch, and the timeline for releasing 1.2.18.
MantisBT: master-1.2.x 80a15487 2014-10-17 07:21

XML plugin: Add config page with access thresholds

Prior to this, any user of a MantisBT instance with the XML Import/Export plugin enabled and knowing the URL to the plugin's import page could upload an XML file and insert data without restriction, regardless of their access level.

This vulnerability is particularly dangerous when used in combination with the one described in issue 0017725 (CVE-2014-7146) as it makes for a very simple and easily accessible vector for PHP code injection attacks.

There was also no access check when exporting data, which could allow an attacker to gain access to confidential information (disclosure of all bug-related data, including usernames).

Fixes 0017780 (CVE-2014-8598)

Affected Issues: 0017725, 0017780

mod - plugins/XmlImportExport/XmlImportExport.php
mod - plugins/XmlImportExport/lang/strings_english.txt
add - plugins/XmlImportExport/pages/config.php
add - plugins/XmlImportExport/pages/config_page.php
mod - plugins/XmlImportExport/pages/export.php
mod - plugins/XmlImportExport/pages/import.php
MantisBT: master 7d3dd430 2014-10-17 07:21

XML plugin: Add config page with access thresholds

Prior to this, any user of a MantisBT instance with the XML Import/Export plugin enabled and knowing the URL to the plugin's import page could upload an XML file and insert data without restriction, regardless of their access level.

This vulnerability is particularly dangerous when used in combination with the one described in issue 0017725 (CVE-2014-7146) as it makes for a very simple and easily accessible vector for PHP code injection attacks.

There was also no access check when exporting data, which could allow an attacker to gain access to confidential information (disclosure of all bug-related data, including usernames).

Fixes 0017780 (CVE-2014-8598)

Affected Issues: 0017725, 0017780

mod - plugins/XmlImportExport/XmlImportExport.php
mod - plugins/XmlImportExport/lang/strings_english.txt
add - plugins/XmlImportExport/pages/config.php
add - plugins/XmlImportExport/pages/config_page.php
mod - plugins/XmlImportExport/pages/export.php
mod - plugins/XmlImportExport/pages/import.php
MantisBT: master-1.2.x bed19db9 2014-11-01 10:45

XML Import: Fix php code injection vulnerability

Egidio Romano discovered a vulnerability in the XML import plugin. User input passed through the "description" field (and the "issuelink" attribute) of the uploaded XML file isn't properly sanitized before being used in a call to the preg_replace() function which uses the 'e' modifier. This can be exploited to inject and execute arbitrary PHP code when the Import/Export plugin is installed.

This fix is a partial backport from a master branch commit which has been confirmed as addressing the issue (84017535f8718685d755d58af7a39d80f52ffca8) excluding changes not relevant to fixing the security issue, including subsequent fixes (aea1a348043979e75a6cc021e4a0a7f8d3bb7211, 4350b4d4f0ee4fba423edcae1cd2117dc1e2d63b).

Fixes 0017725 (CVE-2014-7146)

Affected Issues: 0017725

mod - plugins/XmlImportExport/ImportXml.php