ID: 0017812
Project: mantisbt
Category: api soap
View Status: public
Last Update: 2014-12-05 18:33
Reporter: edwingozeling
Assigned To: dregad
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.17
Target Version: 1.2.18
Fixed in Version: 1.2.18
Summary: 0017812: CVE-2014-8554: SQL injection in SOAP API
Description: CVE-2014-1609 mentions several SQL injection vulnerabilities. According to https://github.com/mantisbt/mantisbt/commit/7efe0175f0853e18ebfacedfd2374c4179028b3f one of the fixes is in function mc_project_get_attachments of api/soap/mc_project_api.php.

Strangely enough, line 711 is left untouched:
    WHERE pft.project_id in (" . implode( ',', $t_projects ) . ") AND

When the project_id parameter of the SOAP-request starts with the integer of a project to which the user (or anonymous) is authorised, the ENTIRE value will become the first item of $t_projects. As this value is concatenated in the SQL statement, SQL-injection becomes possible.

Please note that, while the parameter is passed to both project_exists() and mci_has_readonly_access(), both functions convert the parameter to an integer before validating it. The original value will remain unaltered.
 
Steps To Reproduce:
1. Make a clean installation of mantisbt 1.2.17
2. Create a project
3. Add the following configuration:
    $g_allow_anonymous_login = ON;
    $g_anonymous_account = 'anonymous';
    $g_enable_project_documentation = ON;
4. Create two projects
5. Go to proj_doc_page.php to add a document to each newly created project.
6. Issue regular SOAP calls to mc_project_get_attachments and verify the presence of your attachments.
7. Modify the project_id parameter at will to perform the injection.
Additional Information: Some possible values:

1) Return attachments to project 1 only
<project_id xsi:type="xsd:string">1) OR pft.project_id IN(CASE WHEN 1=1 THEN 1 ELSE 2 END</project_id>

2) Return attachments to project 1 and 2
<project_id xsi:type="xsd:string">1) OR pft.project_id IN(CASE WHEN 1=2 THEN 1 ELSE 2 END</project_id>

3) Return a SOAP fault (<SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server) with an SQL error as fault string (may vary due to PHP settings)
<project_id xsi:type="xsd:string">1) O pft.project_id IN(CASE WHEN 1=2 THEN 1 ELSE 2 END</project_id>
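The validation-by-copy mistake the report describes, as an added example in PHP that is not MantisBT's own code: the check helper and the query builders are simplified models (their names are assumed), showing the pre-patch builder beside the patched one, plus a sink-side variant that would cover the other implode() sites.

```php
<?php
// Added illustration, not MantisBT's own code: a minimal model of the
// mc_project_get_attachments() flaw reported above. Helper names ending
// in _model are assumed; only the behaviour the report describes is kept.

/** Models project_exists()/mci_has_readonly_access(): both validate an
 *  (int) copy of the parameter and leave the original string untouched. */
function project_exists_model(array $known_ids, $p_project_id): bool {
    return in_array((int)$p_project_id, $known_ids, true);
}

/** Before the patch: the raw, validated-by-copy value is concatenated. */
function build_where_vulnerable(array $known_ids, $p_project_id): ?string {
    if (!project_exists_model($known_ids, $p_project_id)) {
        return null; // unknown project: request rejected
    }
    $t_projects = array($p_project_id); // the ENTIRE string becomes element 0
    return "WHERE pft.project_id in (" . implode(',', $t_projects) . ")";
}

/** As in the attached patch: cast once, before any use of the parameter.
 *  A cast is adequate because project ids are integers; a string column
 *  would need a bound parameter instead. */
function build_where_fixed(array $known_ids, $p_project_id): ?string {
    $p_project_id = (int)$p_project_id;
    if (!project_exists_model($known_ids, $p_project_id)) {
        return null;
    }
    $t_projects = array($p_project_id);
    return "WHERE pft.project_id in (" . implode(',', $t_projects) . ")";
}

/** Defence at the sink: sanitise every element right before implode(), so
 *  the query stays safe however $t_projects was populated. This is the
 *  pattern to apply to the other "WHERE ... implode(" sites. */
function implode_int_list(array $t_projects): string {
    return implode(',', array_map('intval', $t_projects));
}

// Constructed input: projects 1 and 2 exist, and the request carries the
// first value listed under Additional Information above.
$known   = array(1, 2);
$payload = '1) OR pft.project_id IN(CASE WHEN 1=1 THEN 1 ELSE 2 END';

echo build_where_vulnerable($known, $payload), "\n";
echo build_where_fixed($known, $payload), "\n";
echo "WHERE pft.project_id in (" . implode_int_list(array($payload, '2')) . ")\n";
```

The vulnerable builder passes the check (the int copy is 1) and emits the tail of the string verbatim into the WHERE clause, while the fixed builder and the sink-side variant emit only the integers.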
Tags: No tags attached.
Attached Files
  • 0001-CVE-2014-XXXX-SQL-injection-in-mc_project_get_attach.patch (1,198 bytes) 2014-10-30 11:59
    From bc5078a09cd91ae31738628e3be52554f03841fb Mon Sep 17 00:00:00 2001
    From: Damien Regad <dregad@mantisbt.org>
    Date: Thu, 30 Oct 2014 15:31:36 +0100
    Subject: [PATCH] CVE-2014-XXXX: SQL injection in mc_project_get_attachments()
    
    This is a follow-up on CVE-2014-1609 / issue #16880.
    
    Edwin Gozeling and Wim Visser from ITsec Security Services BV
    (http://www.itsec.nl) discovered that the fix in #16880 did not fully
    address the problem. Their research demonstrates that using a specially
    crafted project id parameter, an attacker could still perform an SQL
    injection.
    
    This patch fixes the problem by typecasting the Project ID parameter
    to Integer.
    
    Fixes #17812
    ---
     api/soap/mc_project_api.php | 1 +
     1 file changed, 1 insertion(+)
    
    diff --git a/api/soap/mc_project_api.php b/api/soap/mc_project_api.php
    index 252e31b..c50c947 100644
    --- a/api/soap/mc_project_api.php
    +++ b/api/soap/mc_project_api.php
    @@ -680,6 +680,7 @@ function mc_project_get_attachments( $p_username, $p_password, $p_project_id ) {
     		return mci_soap_fault_login_failed();
     	}
     
    +	$p_project_id = (int)$p_project_id;
     	$g_project_override = $p_project_id;
     
     	# Check if project documentation feature is enabled.
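    Review bot: the added (int) cast fixes only this caller, while the sink at line 711, WHERE pft.project_id in (" . implode( ',', $t_projects ) . "), still trusts whatever fills $t_projects. Consider also sanitising at the sink, e.g. implode( ',', array_map( 'intval', $t_projects ) ), so the query stays safe if another path populates the array, and add a one-line comment above the cast naming this CVE so the reason for it survives future refactoring. The reporter's grep in note ~0041715 found 21 other WHERE clauses built with implode(), which suggests the same sink-side check is worth applying across the codebase.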
    -- 
    2.1.1
    
    

Relationships
related to 0016880 (closed, dregad): CVE-2014-1609: SQL injection vulnerabilities

Notes
~0041708 edwingozeling (reporter)

For more information, please contact me or my colleague:
Edwin Gozeling <e.gozeling@itsec.nl>
Wim Visser <w.visser@itsec.nl>
~0041713 dregad (developer)

Many thanks for the bug report, we'll look into it and get back to you ASAP.
~0041714 dregad (developer)
Last edited: 2014-10-30 12:10

Dear Edwin and Wim,

I believe I have fixed the issue you've discovered. Could you kindly test the attached patch and confirm that it does indeed resolve it?

Thanks in advance

PS: with your confirmation, I'll request a CVE ID for the issue (giving you credit for the finding of course). Would you like to review the message before I send it?

~0041715 edwingozeling (reporter)

Dear Dregad,

the patch does indeed resolve the vulnerability.

The implode() within an SQL-statement is used more often in the code, are the other instances validated as well?

A quick search
> grep -r "WHERE" . | grep "implode("
already reveals 21 instances

~0041717 dregad (developer)
Last edited: 2014-10-30 19:47

CVE-2014-8554 was assigned as part of duplicate issue #17823


Issue History
Date Modified Username Field Change
2014-10-29 15:24 edwingozeling New Issue
2014-10-29 15:26 edwingozeling Note Added: 0041708
2014-10-30 04:02 dregad Note Added: 0041713
2014-10-30 04:02 dregad Status new => acknowledged
2014-10-30 04:02 dregad Target Version => 1.2.18
2014-10-30 04:02 dregad Description Updated
2014-10-30 04:05 dregad Relationship added related to 0016880
2014-10-30 11:59 dregad File Added: 0001-CVE-2014-XXXX-SQL-injection-in-mc_project_get_attach.patch
2014-10-30 12:00 dregad Assigned To => dregad
2014-10-30 12:00 dregad Status acknowledged => assigned
2014-10-30 12:08 dregad Note Added: 0041714
2014-10-30 12:08 dregad Status assigned => feedback
2014-10-30 12:10 dregad Note Edited: 0041714
2014-10-30 13:16 edwingozeling Note Added: 0041715
2014-10-30 13:16 edwingozeling Status feedback => assigned
2014-10-30 16:46 dregad Note Added: 0041717
2014-10-30 19:47 dregad Note Edited: 0041717
2014-11-01 12:56 dregad Summary SQL-injection in /api/soap, Fix for CVE-2014-1609 incomplete => CVE-2014-8554: SQL injection in SOAP API
2014-11-01 19:40 dregad Changeset attached => MantisBT master-1.2.x 99ffb0af
2014-11-01 19:40 dregad Status assigned => resolved
2014-11-01 19:40 dregad Resolution open => fixed
2014-11-01 19:40 dregad Fixed in Version => 1.2.18
2014-11-01 19:40 dregad Changeset attached => MantisBT master 5faf97ab
2014-11-01 19:42 dregad View Status private => public
2014-12-05 18:33 dregadmin Status resolved => closed