View Issue Details

ID: 0017812
Project: mantisbt
Category: api soap
View Status: public
Last Update: 2014-12-05 18:33
Reporter: edwingozeling
Assigned To: dregad
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.17
Target Version: 1.2.18
Fixed in Version: 1.2.18
Summary: 0017812: CVE-2014-8554: SQL injection in SOAP API
Description

CVE-2014-1609 mentions several SQL injection vulnerabilities. According to https://github.com/mantisbt/mantisbt/commit/7efe0175f0853e18ebfacedfd2374c4179028b3f one of the fixes is in function mc_project_get_attachments of api/soap/mc_project_api.php.

Strangely enough, line 711 is left untouched:
    WHERE pft.project_id in (" . implode( ',', $t_projects ) . ") AND

When the project_id parameter of the SOAP request starts with the integer of a project to which the user (or anonymous) is authorised, the ENTIRE value will become the first item of $t_projects. As this value is concatenated into the SQL statement, SQL injection becomes possible.

Please note that, while the parameter is passed to both project_exists() and mci_has_readonly_access(), both functions convert the parameter to an integer before validating it. The original value will remain unaltered.

Steps To Reproduce
  1. Make a clean installation of mantisbt 1.2.17
  2. Create a project
  3. Add the following configuration:
    $g_allow_anonymous_login = ON;
    $g_anonymous_account = 'anonymous';
    $g_enable_project_documentation = ON;
  4. Create two projects
  5. Go to proj_doc_page.php to add a document to each newly created project.
  6. Issue regular SOAP calls to mc_project_get_attachments and verify the presence of your attachments.
  7. Modify the project_id parameter at will to perform the injection.
Additional Information

Some possible values:

1) Return attachments to project 1 only
<project_id xsi:type="xsd:string">1) OR pft.project_id IN(CASE WHEN 1=1 THEN 1 ELSE 2 END</project_id>

2) Return attachments to project 1 and 2
<project_id xsi:type="xsd:string">1) OR pft.project_id IN(CASE WHEN 1=2 THEN 1 ELSE 2 END</project_id>

3) Return a SOAP fault (<SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server) with an SQL error as fault string (may vary due to PHP settings)
<project_id xsi:type="xsd:string">1) O pft.project_id IN(CASE WHEN 1=2 THEN 1 ELSE 2 END</project_id>
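The validation gap described in the report, as an added PHP example (not MantisBT's code): project_exists_stub stands in for project_exists()/mci_has_readonly_access(), which the report says coerce their argument to int before checking, the table name is a placeholder, and parse_project_id_strict is an extra hardening step that goes beyond the patch's cast by rejecting non-canonical values instead of coercing them.

```php
<?php
// Added example, not MantisBT code. Models the report's finding: the check
// runs on an int-coerced copy while the raw string reaches implode().

// Stand-in for project_exists()/mci_has_readonly_access(): coerces to int first.
function project_exists_stub($p_project_id, array $t_known): bool {
    return in_array((int)$p_project_id, $t_known, true);
}

// Pre-fix flow: check passes on (int)$p_project_id, raw value goes into $t_projects.
function build_query_vulnerable($p_project_id, array $t_known): ?string {
    if (!project_exists_stub($p_project_id, $t_known)) {
        return null;
    }
    $t_projects = array($p_project_id);               // raw string, untouched
    return 'SELECT * FROM project_file pft WHERE pft.project_id IN ('   // placeholder table name
        . implode(',', $t_projects) . ')';
}

// Post-fix flow (commit 99ffb0af): cast before anything else sees the value.
function build_query_fixed($p_project_id, array $t_known): ?string {
    $p_project_id = (int)$p_project_id;
    if (!project_exists_stub($p_project_id, $t_known)) {
        return null;
    }
    $t_projects = array($p_project_id);
    return 'SELECT * FROM project_file pft WHERE pft.project_id IN ('
        . implode(',', array_map('intval', $t_projects)) . ')';
}

// Assumption (not in the patch): accept only a canonical positive integer;
// leading-digit strings, '007', '' and 0 are rejected rather than coerced.
function parse_project_id_strict($p_project_id): ?int {
    if (!is_int($p_project_id) && !(is_string($p_project_id) && ctype_digit($p_project_id))) {
        return null;
    }
    $t_id = (int)$p_project_id;
    return ($t_id > 0 && (string)$t_id === (string)$p_project_id) ? $t_id : null;
}

$t_known = array(1, 2);
$t_input = '1) OR 1=1 --';   // constructed: integer prefix satisfies the int-based check
var_dump(build_query_vulnerable($t_input, $t_known)); // query still contains the raw payload
var_dump(build_query_fixed($t_input, $t_known));      // "... IN (1)"
var_dump(parse_project_id_strict($t_input));          // NULL: request should get a SOAP fault
var_dump(parse_project_id_strict('2'));               // int(2)
```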

Tags: No tags attached.

Attached Files
0001-CVE-2014-XXXX-SQL-injection-in-mc_project_get_attach.patch (1,198 bytes)
From bc5078a09cd91ae31738628e3be52554f03841fb Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Thu, 30 Oct 2014 15:31:36 +0100
Subject: [PATCH] CVE-2014-XXXX: SQL injection in mc_project_get_attachments()

This is a follow-up on CVE-2014-1609 / issue #16880.

Edwin Gozeling and Wim Visser from ITsec Security Services BV
(http://www.itsec.nl) discovered that the fix in #16880 did not fully
address the problem. Their research demonstrates that using a specially
crafted project id parameter, an attacker could still perform an SQL
injection.

This patch fixes the problem by typecasting the Project ID parameter
to Integer.

Fixes #17812
---
 api/soap/mc_project_api.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/api/soap/mc_project_api.php b/api/soap/mc_project_api.php
index 252e31b..c50c947 100644
--- a/api/soap/mc_project_api.php
+++ b/api/soap/mc_project_api.php
@@ -680,6 +680,7 @@ function mc_project_get_attachments( $p_username, $p_password, $p_project_id ) {
 		return mci_soap_fault_login_failed();
 	}
 
+	$p_project_id = (int)$p_project_id;
 	$g_project_override = $p_project_id;
 
 	# Check if project documentation feature is enabled.
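Review bot: Putting the cast right after the login check is the right spot, since every later use of $p_project_id (the $g_project_override assignment visible in context and, per the report, the $t_projects array that is imploded into the WHERE clause) now sees an integer; two things are worth noting, though. First, (int) silently maps a non-numeric or trailing-garbage value to its leading digits or to 0 instead of rejecting it, so consider validating that the value is a positive integer and returning a SOAP fault otherwise. Second, this hunk fixes only mc_project_get_attachments(), while the reporter counted 21 other implode()-in-WHERE sites; those should be audited for the same pattern, and the commit message could say whether they were.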
-- 
2.1.1

Relationships

related to: 0016880 (closed, dregad) CVE-2014-1609: SQL injection vulnerabilities
has duplicate: 0017823 (closed, dregad) CVE-2014-8554 - SQL injection vulnerability in SOAP API

Activities

edwingozeling (reporter), 2014-10-29 15:26, ~0041708

For more information, please contact me or my colleague:
Edwin Gozeling <e.gozeling@itsec.nl>
Wim Visser <w.visser@itsec.nl>

dregad (developer), 2014-10-30 04:02, ~0041713

Many thanks for the bug report, we'll look into it and get back to you ASAP.

dregad (developer), 2014-10-30 12:08, ~0041714 (last edited: 2014-10-30 12:10)

Dear Edwin and Wim,

I believe I have fixed the issue you've discovered. Could you kindly test the attached patch and confirm that it does indeed resolve it?

Thanks in advance

PS: with your confirmation, I'll request a CVE ID for the issue (giving you credit for the finding of course). Would you like to review the message before I send it?

edwingozeling (reporter), 2014-10-30 13:16, ~0041715

Dear Dregad,

The patch does indeed resolve the vulnerability.

The implode() within an SQL statement is used more often in the code; are the other instances validated as well?

A quick search

    grep -r "WHERE" . | grep "implode("

already reveals 21 instances.

dregad (developer), 2014-10-30 16:46, ~0041717 (last edited: 2014-10-30 19:47)

CVE-2014-8554 was assigned as part of duplicate issue 0017823

Related Changesets

MantisBT: master-1.2.x 99ffb0af
2014-10-30 06:31, dregad

SQL injection in mc_project_get_attachments()

This is a follow-up on CVE-2014-1609 / issue 0016880.

Edwin Gozeling and Wim Visser from ITsec Security Services BV
(http://www.itsec.nl) discovered that the fix in 0016880 did not fully
address the problem. Their research demonstrates that using a specially
crafted project id parameter, an attacker could still perform an SQL
injection.

The same issue was also reported by Paul Richards in issue 0017823.

This patch fixes the problem by typecasting the Project ID parameter
to Integer.

Fixes 0017812, CVE-2014-8554
Affected Issues: 0016880, 0017812, 0017823
mod - api/soap/mc_project_api.php

MantisBT: master 5faf97ab
2014-10-30 06:31, dregad

SQL injection in mc_project_get_attachments()

This is a follow-up on CVE-2014-1609 / issue 0016880.

Edwin Gozeling and Wim Visser from ITsec Security Services BV
(http://www.itsec.nl) discovered that the fix in 0016880 did not fully
address the problem. Their research demonstrates that using a specially
crafted project id parameter, an attacker could still perform an SQL
injection.

The same issue was also reported by Paul Richards in issue 0017823.

This patch fixes the problem by typecasting the Project ID parameter
to Integer.

Fixes 0017812, CVE-2014-8554
Affected Issues: 0016880, 0017812, 0017823
mod - api/soap/mc_project_api.php