View Issue Details

ID: 0017780
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-12-05 18:33
Reporter: dregad
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.0
Target Version: 1.2.18
Fixed in Version: 1.2.18
Summary: 0017780: CVE-2014-8598: XML plugin should restrict ability to import data
Description

The XML plugin currently does not perform any access level checks.

Consequently, it is possible for any user of a system where the plugin is enabled (including anonymous/viewers!), to directly access the import page [1], upload an XML file and happily insert data in the tracker.

[1] http://url.to/mantis/plugin.php?page=XmlImportExport/import

Additional Information

This is particularly nasty when combined with 0017725...

Tags: No tags attached.
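
For an instance that ran a version before 1.2.18 with the plugin enabled, the web server access log shows whether the unprotected plugin pages were requested. The following is an added example, not MantisBT code and not part of the original report: it lists served requests to any `XmlImportExport/` page per client IP, assuming Combined Log Format; the sample log lines and the `OtherPlugin/page` name are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined Log Format (assumed): ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
PLUGIN_PREFIX = "xmlimportexport/"  # plugin name as it appears in the URL on this page

def plugin_page(target):
    """Return the XmlImportExport page named in a plugin.php request, else None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/plugin.php"):
        return None
    # parse_qs percent-decodes, so page=XmlImportExport%2Fimport is caught too.
    for value in parse_qs(parts.query).get("page", []):
        if value.lower().startswith(PLUGIN_PREFIX):
            return value
    return None

def triage(lines):
    """Group served hits on the plugin's pages by client IP."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        page = plugin_page(m["target"])
        # Keep 2xx/3xx responses; a 4xx/5xx means the page was not served.
        if page and m["status"][0] in "23":
            hits[m["ip"]].append((m["time"], m["method"], page))
    return dict(hits)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [20/Oct/2014:10:01:02 +0000] "GET /mantis/plugin.php?page=XmlImportExport/import HTTP/1.1" 200 4312 "-" "-"',
    '198.51.100.7 - - [20/Oct/2014:10:01:30 +0000] "POST /mantis/plugin.php?page=XmlImportExport%2Fimport HTTP/1.1" 200 911 "-" "-"',
    '203.0.113.9 - - [20/Oct/2014:10:05:00 +0000] "GET /mantis/plugin.php?page=OtherPlugin/page HTTP/1.1" 200 2000 "-" "-"',
    '203.0.113.9 - - [20/Oct/2014:10:06:00 +0000] "GET /mantis/plugin.php?page=XmlImportExport/import HTTP/1.1" 403 512 "-" "-"',
]

if __name__ == "__main__":
    for ip, events in triage(SAMPLE).items():
        for when, method, page in events:
            print(ip, when, method, page)
```

An access log does not record the requester's MantisBT access level, so each listed hit still has to be matched against known accounts and against data that appeared in the tracker at that time.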

Relationships

related to 0017725 (closed, dregad): CVE-2014-7146 : PHP Code Injection Vulnerability in XmlImportExport plugin

Activities

dregad

2014-11-01 19:10

developer   ~0041739

CVE reservation request sent.

Fix available for review on bitbucket private repo, contact me to get access.

dregad

2014-11-07 16:38

developer   ~0041788

Mitre have assigned CVE-2014-8598 to this issue

Related Changesets

MantisBT: master-1.2.x 80a15487

2014-10-17 11:21:25

dregad

XML plugin: Add config page with access thresholds

Prior to this, any user of a MantisBT instance with the XML
Import/Export plugin enabled and knowing the URL to the plugin's import
page could upload an XML file and insert data without restriction,
regardless of their access level.

This vulnerability is particularly dangerous when used in combination
with the one described in issue 0017725 (CVE-2014-7146) as it makes for a
very simple and easily accessible vector for PHP code injection attacks.

There was also no access check when exporting data, which could allow an
attacker to gain access to confidential information (disclosure of all
bug-related data, including usernames).

Fixes 0017780 (CVE-2014-8598)
mod - plugins/XmlImportExport/XmlImportExport.php
mod - plugins/XmlImportExport/lang/strings_english.txt
add - plugins/XmlImportExport/pages/config.php
add - plugins/XmlImportExport/pages/config_page.php
mod - plugins/XmlImportExport/pages/export.php
mod - plugins/XmlImportExport/pages/import.php

MantisBT: master 7d3dd430

2014-10-17 11:21:25

dregad

XML plugin: Add config page with access thresholds

Prior to this, any user of a MantisBT instance with the XML
Import/Export plugin enabled and knowing the URL to the plugin's import
page could upload an XML file and insert data without restriction,
regardless of their access level.

This vulnerability is particularly dangerous when used in combination
with the one described in issue 0017725 (CVE-2014-7146) as it makes for a
very simple and easily accessible vector for PHP code injection attacks.

There was also no access check when exporting data, which could allow an
attacker to gain access to confidential information (disclosure of all
bug-related data, including usernames).

Fixes 0017780 (CVE-2014-8598)
mod - plugins/XmlImportExport/XmlImportExport.php
mod - plugins/XmlImportExport/lang/strings_english.txt
add - plugins/XmlImportExport/pages/config.php
add - plugins/XmlImportExport/pages/config_page.php
mod - plugins/XmlImportExport/pages/export.php
mod - plugins/XmlImportExport/pages/import.php

Issue History

Date Modified Username Field Change
2014-10-16 12:09 dregad New Issue
2014-10-16 12:09 dregad Status new => assigned
2014-10-16 12:09 dregad Assigned To => dregad
2014-10-16 12:09 dregad Relationship added related to 0017725
2014-11-01 19:10 dregad Note Added: 0041739
2014-11-07 16:38 dregad Note Added: 0041788
2014-11-07 16:38 dregad Summary XML plugin should restrict ability to import data => CVE-2014-8598: XML plugin should restrict ability to import data
2014-11-07 17:43 dregad Changeset attached => MantisBT master-1.2.x 80a15487
2014-11-07 17:43 dregad Status assigned => resolved
2014-11-07 17:43 dregad Resolution open => fixed
2014-11-07 17:43 dregad Fixed in Version => 1.2.18
2014-11-07 17:44 dregad Changeset attached => MantisBT master 7d3dd430
2014-11-07 18:20 dregad View Status private => public
2014-12-05 18:33 dregadmin Status resolved => closed