View Issue Details

ID: 0017812
Project: mantisbt
Category: api soap
View Status: public
Last Update: 2014-12-05 18:33
Reporter: edwingozeling
Assigned To: dregad
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.17
Target Version: 1.2.18
Fixed in Version: 1.2.18
Summary0017812: CVE-2014-8554: SQL injection in SOAP API
Description

CVE-2014-1609 mentions several SQL injection vulnerabilities. According to https://github.com/mantisbt/mantisbt/commit/7efe0175f0853e18ebfacedfd2374c4179028b3f one of the fixes is in function mc_project_get_attachments of api/soap/mc_project_api.php.

Strange enough, line 711 is left untouched:
WHERE pft.project_id in (' . implode( ',', $t_projects ) . ') AND

When the project_id parameter of the SOAP-request starts with the integer of a project to which the user (or anonymous) is authorised, the ENTIRE value will become the first item of $t_projects. As this value is concatenated in the SQL statement, SQL-injection becomes possible.

Please note that, while the parameter is passed to both project_exists() and mci_has_readonly_access(), both functions convert the parameter to an integer before validating it. The original value will remain unaltered.

Steps To Reproduce
  1. Make a clean installation of mantisbt 1.2.17
  2. Create a project
  3. Add the following configuration:
    $g_allow_anonymous_login = ON;
    $g_anonymous_account = 'anonymous';
    $g_enable_project_documentation = ON;
  4. Create two projects
  5. Go to proj_doc_page.php to add a document to each newly created projects.
  6. Issue regular SOAP calls to mc_project_get_attachments and verify the presence of your attachments.
  7. Modify the project_id parameter at will to perform the injection.
Additional Information

Some possible values:

1) Return attachments to project 1 only
<project_id xsi:type="xsd:string">1) OR pft.project_id IN(CASE WHEN 1=1 THEN 1 ELSE 2 END</project_id>

2) Return attachments to project 1 and 2
<project_id xsi:type="xsd:string">1) OR pft.project_id IN(CASE WHEN 1=2 THEN 1 ELSE 2 END</project_id>

3) Return a <SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server with an SQL error as fault string (may vary depending on PHP settings)
<project_id xsi:type="xsd:string">1) O pft.project_id IN(CASE WHEN 1=2 THEN 1 ELSE 2 END</project_id>
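The mechanism the report describes, validation that inspects an integer copy of the parameter while the query concatenates the original string, is shown below as an added PHP example. This is not MantisBT code and not the reporter's code: projectExists() is a hypothetical stand-in for project_exists() and mci_has_readonly_access(), the table and column names only mirror the fragment quoted above, and the tainted input is constructed for the demonstration.

```php
<?php
// Added example (not MantisBT code): a validation check that casts its own
// copy of the parameter does not sanitize the value that later reaches SQL.

// Hypothetical stand-in for project_exists() / mci_has_readonly_access():
// both receive an integer copy and never touch the caller's original value.
function projectExists(int $id, array $knownProjects): bool
{
    return in_array($id, $knownProjects, true);
}

// Vulnerable shape. The check passes because (int)"1 OR 1=1" is 1, but
// $tProjects still holds the raw string, so implode() interpolates it verbatim.
function buildQueryVulnerable($projectId, array $knownProjects): ?string
{
    if (!projectExists((int)$projectId, $knownProjects)) {
        return null;
    }
    $tProjects = [$projectId]; // original value, not the integer copy
    return 'SELECT * FROM project_file_table pft WHERE pft.project_id IN ('
        . implode(',', $tProjects) . ')';
}

// Hardened shape, mirroring the committed fix: cast the parameter once,
// before any use, and additionally cast every element before imploding so
// the query stays safe however the array is populated later.
function buildQueryHardened($projectId, array $knownProjects): ?string
{
    $projectId = (int)$projectId;
    if (!projectExists($projectId, $knownProjects)) {
        return null;
    }
    $tProjects = array_map('intval', [$projectId]);
    return 'SELECT * FROM project_file_table pft WHERE pft.project_id IN ('
        . implode(',', $tProjects) . ')';
}

$known   = [1, 2];
$tainted = '1 OR 1=1'; // constructed input: numeric prefix, SQL tail

echo buildQueryVulnerable($tainted, $known), PHP_EOL; // tail survives into the query
echo buildQueryHardened($tainted, $known), PHP_EOL;   // only the integer 1 remains
```

Running the script prints the two generated statements side by side; the first still carries the tail of the input inside the IN list, the second contains only the integer. The same per-element cast (or, where the project's database layer supports it, a bound parameter per value) is the check to apply to every other implode() that feeds a WHERE clause.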

Tags: No tags attached.

Relationships

related to 0016880 (closed, dregad): CVE-2014-1609: SQL injection vulnerabilities

Activities

edwingozeling (reporter) 2014-10-29 15:26 ~0041708

For more information, please contact me or my colleague:
Edwin Gozeling <e.gozeling@itsec.nl>
Wim Visser <w.visser@itsec.nl>

dregad (developer) 2014-10-30 04:02 ~0041713

Many thanks for the bug report, we'll look into it and get back to you ASAP.

dregad (developer) 2014-10-30 11:59, attachment:

0001-CVE-2014-XXXX-SQL-injection-in-mc_project_get_attach.patch (1,198 bytes)
From bc5078a09cd91ae31738628e3be52554f03841fb Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Thu, 30 Oct 2014 15:31:36 +0100
Subject: [PATCH] CVE-2014-XXXX: SQL injection in mc_project_get_attachments()

This is a follow-up on CVE-2014-1609 / issue #16880.

Edwin Gozeling and Wim Visser from ITsec Security Services BV
(http://www.itsec.nl) discovered that the fix in #16880 did not fully
address the problem. Their research demonstrate that using a specially
crafted project id parameter, an attacker could still perform an SQL
injection.

This patch fixes the problem by typecasting the Project ID parameter
to Integer.

Fixes #17812
---
 api/soap/mc_project_api.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/api/soap/mc_project_api.php b/api/soap/mc_project_api.php
index 252e31b..c50c947 100644
--- a/api/soap/mc_project_api.php
+++ b/api/soap/mc_project_api.php
@@ -680,6 +680,7 @@ function mc_project_get_attachments( $p_username, $p_password, $p_project_id ) {
 		return mci_soap_fault_login_failed();
 	}
 
+	$p_project_id = (int)$p_project_id;
 	$g_project_override = $p_project_id;
 
 	# Check if project documentation feature is enabled.
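Review bot: the (int) cast neutralizes the reported vector because the parameter is now an integer before project_exists(), mci_has_readonly_access() and the attachment query see it, but the implode() concatenation quoted in the description (`WHERE pft.project_id in (' . implode( ',', $t_projects ) . ')`) is left as it is, so the query remains safe only for as long as every value placed into $t_projects is an integer. Consider casting at the point of use as well, e.g. `implode( ',', array_map( 'intval', $t_projects ) )`, so the statement does not depend on how the array is populated by later changes. A second point for the commit message: it references CVE-2014-XXXX; the placeholder should be replaced once the identifier is assigned.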
-- 
2.1.1

dregad (developer) 2014-10-30 12:08 ~0041714 (last edited: 2014-10-30 12:10)

Dear Edwin and Wim,

I believe I have fixed the issue you've discovered. Could you kindly test the attached patch and confirm that it does indeed resolve it?

Thanks in advance

PS: with your confirmation, I'll request a CVE ID for the issue (giving you credit for the finding of course). Would you like to review the message before I send it?

edwingozeling (reporter) 2014-10-30 13:16 ~0041715

Dear Dregad,

the patch does indeed resolve the vulnerability.

The implode() within an SQL statement is used more often in the code; are the other instances validated as well?

A quick search

grep -r "WHERE" . | grep "implode("

already reveals 21 instances.

dregad (developer) 2014-10-30 16:46 ~0041717 (last edited: 2014-10-30 19:47)

CVE-2014-8554 was assigned as part of duplicate issue #17823

Related Changesets

MantisBT: master-1.2.x 99ffb0af, 2014-10-30 10:31:36, dregad
SQL injection in mc_project_get_attachments()

This is a follow-up on CVE-2014-1609 / issue 0016880.

Edwin Gozeling and Wim Visser from ITsec Security Services BV
(http://www.itsec.nl) discovered that the fix in 0016880 did not fully
address the problem. Their research demonstrates that using a specially
crafted project id parameter, an attacker could still perform an SQL
injection.

The same issue was also reported by Paul Richards in issue #17823.

This patch fixes the problem by typecasting the Project ID parameter
to Integer.

Fixes 0017812, CVE-2014-8554
mod - api/soap/mc_project_api.php

MantisBT: master 5faf97ab, 2014-10-30 10:31:36, dregad
SQL injection in mc_project_get_attachments()

This is a follow-up on CVE-2014-1609 / issue 0016880.

Edwin Gozeling and Wim Visser from ITsec Security Services BV
(http://www.itsec.nl) discovered that the fix in 0016880 did not fully
address the problem. Their research demonstrates that using a specially
crafted project id parameter, an attacker could still perform an SQL
injection.

The same issue was also reported by Paul Richards in issue #17823.

This patch fixes the problem by typecasting the Project ID parameter
to Integer.

Fixes 0017812, CVE-2014-8554
mod - api/soap/mc_project_api.php

Issue History

Date Modified Username Field Change
2014-10-29 15:24 edwingozeling New Issue
2014-10-29 15:26 edwingozeling Note Added: 0041708
2014-10-30 04:02 dregad Note Added: 0041713
2014-10-30 04:02 dregad Status new => acknowledged
2014-10-30 04:02 dregad Target Version => 1.2.18
2014-10-30 04:02 dregad Description Updated View Revisions
2014-10-30 04:05 dregad Relationship added related to 0016880
2014-10-30 11:59 dregad File Added: 0001-CVE-2014-XXXX-SQL-injection-in-mc_project_get_attach.patch
2014-10-30 12:00 dregad Assigned To => dregad
2014-10-30 12:00 dregad Status acknowledged => assigned
2014-10-30 12:08 dregad Note Added: 0041714
2014-10-30 12:08 dregad Status assigned => feedback
2014-10-30 12:10 dregad Note Edited: 0041714 View Revisions
2014-10-30 13:16 edwingozeling Note Added: 0041715
2014-10-30 13:16 edwingozeling Status feedback => assigned
2014-10-30 16:46 dregad Note Added: 0041717
2014-10-30 19:47 dregad Note Edited: 0041717 View Revisions
2014-11-01 12:56 dregad Summary SQL-injection in /api/soap, Fix for CVE-2014-1609 incomplete => CVE-2014-8554: SQL injection in SOAP API
2014-11-01 19:40 dregad Changeset attached => MantisBT master-1.2.x 99ffb0af
2014-11-01 19:40 dregad Status assigned => resolved
2014-11-01 19:40 dregad Resolution open => fixed
2014-11-01 19:40 dregad Fixed in Version => 1.2.18
2014-11-01 19:40 dregad Changeset attached => MantisBT master 5faf97ab
2014-11-01 19:42 dregad View Status private => public
2014-12-05 18:33 dregadmin Status resolved => closed