View Issue Details

ID: 0017938
Project: mantisbt
Category: security
View Status: public
Last Update: 2015-01-27 04:49
Reporter: htbridge
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.2.17
Target Version: 1.2.19
Fixed in Version: 1.2.19
Summary: 0017938: CVE-2014-9571: XSS in install.php
Description

Vulnerabilities described in this section can be used by attackers to steal cookies of the application’s administrator and other website users. Attackers can also perform spear phishing attacks against web site visitors by replacing the original content of the web site with arbitrary HTML and script code, perform drive-by-download attacks by injecting malware into web pages, and bypass the existing CSRF protection mechanism.

1.1 The vulnerability exists due to insufficient filtration of input data passed via the "admin_username" and "admin_password" HTTP GET parameters to the "/[admin]/install.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.

Below are two exploitation examples that use the "alert()" JavaScript function to display the word "immuniweb":

http://mantis/[admin]/install.php?install=1&admin_username=1%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://mantis/[admin]/install.php?install=1&admin_password=1%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E

Note that "[admin]" in the URL is changed by default during MantisBT installation. Therefore, the attacker must know the location of the administrative interface in order to perform the attack. However, the admin panel URL can be bruteforced or predicted in many cases.

Additional Information

Advisory ID: HTB23243
Reference: https://www.htbridge.com/advisory/HTB23243

Original report in 0017937
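The injection and the fix, as an added example that is not part of the report above and not MantisBT's code: a Python model of the `admin_username` attribute sink in admin/install.php before and after the attached patch, with `html.escape(quote=True)` standing in for MantisBT's `string_attribute()` (an assumption about that function's effect on a double-quoted attribute), plus a checker that decides from a rendered response whether the reporter's payload escaped the attribute and produced a real `<script>` element. The proof-of-concept URL is the one from the report; everything else is constructed here.

```python
"""Added example, not MantisBT or High-Tech Bridge code: models the reflected-XSS
sink for CVE-2014-9571 before and after the fix, and checks a page for breakout."""
import html
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# The reporter's proof-of-concept URL for the admin_username parameter.
POC_URL = ("http://mantis/[admin]/install.php?install=1&admin_username="
           "1%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E")


def param_from_url(url: str, name: str) -> str:
    """Decode one query parameter the way install.php receives it in $_GET.
    Splits on '&' only, because the payload carries a literal ';' that some
    urllib versions would also treat as a pair separator."""
    for pair in urlsplit(url).query.split("&"):
        key, _, val = pair.partition("=")
        if unquote(key) == name:
            return unquote(val)
    return ""


def render_vulnerable(admin_username: str) -> str:
    """Mirrors the pre-patch line: value="<?php echo $f_admin_username?>" (no escaping)."""
    return '<input name="admin_username" type="textbox" value="%s">' % admin_username


def render_fixed(admin_username: str) -> str:
    """Mirrors the patched line. html.escape(quote=True) is assumed to match
    string_attribute() for a double-quoted attribute: it encodes & < > " and '."""
    return '<input name="admin_username" type="textbox" value="%s">' % html.escape(
        admin_username, quote=True)


class _TagCollector(HTMLParser):
    """Records start tags in document order, as a browser tokenizer would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def start_tags(body: str) -> list:
    parser = _TagCollector()
    parser.feed(body)
    parser.close()
    return parser.tags


def payload_broke_out(body: str) -> bool:
    """True if the reflected value produced a real <script> element, i.e. the
    attribute context was escaped from. A correctly encoded reflection yields
    only the <input> tag."""
    return "script" in start_tags(body)


def check(url: str, renderer) -> dict:
    """Run the PoC parameter through a renderer and report what the page would contain."""
    value = param_from_url(url, "admin_username")
    body = renderer(value)
    return {"body": body, "tags": start_tags(body), "exploitable": payload_broke_out(body)}


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        result = check(POC_URL, fn)
        print("%-10s exploitable=%s tags=%s" % (name, result["exploitable"], result["tags"]))
        print("           " + result["body"])
```

The same `payload_broke_out` check can be run against a real response body fetched from a test instance with the report's URL: a patched install.php returns `&quot;&gt;&lt;script&gt;` inside the attribute and the parser sees only the `input` tag, while an unpatched one yields an `input` followed by a `script` element.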

Tags: No tags attached.

Relationships

related to 0017940 closeddregad CVE-2014-9573: SQL Injection in manage_user_page.php 
has duplicate 0019274 closeddregad CVE-2014-9571: XSS in install.php 
related to 0017939 closeddregad CVE-2014-9572: Improper Access Control in install.php 
child of 0017937 closeddregad MantisBT Security Vulnerability Notification (HTB23243) 

Activities

dregad (developer), 2014-12-28 07:06

0002-Fix-XSS-in-install.php.patch (6,549 bytes)
From 563029e730792ceeb3ffb76782621bb8b8e8a29b Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Sat, 27 Dec 2014 18:47:58 +0100
Subject: [PATCH 2/3] Fix XSS in install.php

This vulnerability was reported by High-Tech Bridge Security Research
Lab (https://www.htbridge.com/) in issue #17937 (advisory ID HTB23243).

The parameters are now properly sanitized before being displayed.

Fixes #17938
---
 admin/install.php | 42 +++++++++++++++++++++---------------------
 1 file changed, 21 insertions(+), 21 deletions(-)

diff --git a/admin/install.php b/admin/install.php
index bc8d613..577a32d 100644
--- a/admin/install.php
+++ b/admin/install.php
@@ -355,7 +355,7 @@ if( 2 == $t_install_state ) {
 		# due to a bug in ADODB, this call prompts warnings, hence the @
 		# the check only works on mysql if the database is open
 		$t_version_info = @$g_db->ServerInfo();
-		echo '<br /> Running ' . $f_db_type . ' version ' . $t_version_info['description'];
+		echo '<br /> Running ' . string_attribute( $f_db_type ) . ' version ' . $t_version_info['description'];
 		?>
 	</td>
 	<?php
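Review bot: `$t_version_info['description']` on the changed line is still echoed raw; it comes from the database server rather than the request, so it is outside this CVE, but escaping it too costs nothing and leaves one fewer unescaped echo in the file. Note also that this sink is a text node, not an attribute, so `string_attribute()` is a slight mismatch with its name; if MantisBT has a text-context counterpart that would read more clearly, though either is fine as long as it encodes `<` and `>`.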
@@ -444,7 +444,7 @@ if( !$g_database_upgrade ) {?>
 		Hostname (for Database Server)
 	</td>
 	<td>
-		<input name="hostname" type="textbox" value="<?php echo $f_hostname?>"></input>
+		<input name="hostname" type="textbox" value="<?php echo string_attribute( $f_hostname ) ?>"></input>
 	</td>
 </tr>
 <?php
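Review bot: the escaping is correct for the double-quoted `value` attribute, but two pre-existing markup issues on the same line are worth fixing in passing since they repeat in every hunk below: `type="textbox"` is not a valid input type (browsers fall back to `text`), and `<input>` is a void element, so the `</input>` closing tags are invalid HTML. Neither affects the encoding, but cleaning them up here avoids touching the lines twice.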
@@ -456,7 +456,7 @@ if( !$g_database_upgrade ) {?>
 		Username (for Database)
 	</td>
 	<td>
-		<input name="db_username" type="textbox" value="<?php echo $f_db_username?>"></input>
+		<input name="db_username" type="textbox" value="<?php echo string_attribute( $f_db_username ) ?>"></input>
 	</td>
 </tr>
 <?php
@@ -480,7 +480,7 @@ if( !$g_database_upgrade ) {?>
 		Database name (for Database)
 	</td>
 	<td>
-		<input name="database_name" type="textbox" value="<?php echo $f_database_name?>"></input>
+		<input name="database_name" type="textbox" value="<?php echo string_attribute( $f_database_name ) ?>"></input>
 	</td>
 </tr>
 <?php
@@ -491,7 +491,7 @@ if( !$g_database_upgrade ) {?>
 		Admin Username (to <?php echo( !$g_database_upgrade ) ? 'create Database' : 'update Database'?> if required)
 	</td>
 	<td>
-		<input name="admin_username" type="textbox" value="<?php echo $f_admin_username?>"></input>
+		<input name="admin_username" type="textbox" value="<?php echo string_attribute( $f_admin_username ) ?>"></input>
 	</td>
 </tr>
 
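Review bot: this is one of the two parameters named in the report, so the reporter's `admin_username` proof-of-concept URL is a natural regression check to attach to this hunk: after the change the response should contain `&quot;&gt;&lt;script&gt;` where it previously contained `"><script>`. Since the patch only touches the form fields, it is also worth confirming there is no other `echo $f_admin_username` in install.php outside an attribute.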
@@ -500,7 +500,7 @@ if( !$g_database_upgrade ) {?>
 		Admin Password (to <?php echo( !$g_database_upgrade ) ? 'create Database' : 'update Database'?> if required)
 	</td>
 	<td>
-		<input name="admin_password" type="password" value="<?php echo $f_admin_password?>"></input>
+		<input name="admin_password" type="password" value="<?php echo string_attribute( $f_admin_password ) ?>"></input>
 	</td>
 </tr>
 
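Review bot: the encoding closes the injection, but reflecting the database admin password back into the `value` of a password field (and into the hidden fields later in this patch) leaves it in plain text in the page source and in any saved copy of the page. The installer needs to carry it between steps, so this may be unavoidable, but consider leaving the field empty on re-display and asking for it again on retry instead of echoing it.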
@@ -754,13 +754,13 @@ if( 4 == $t_install_state ) {
 	/** @todo to be written */
 	// must post data gathered to preserve it
 	?>
-		<input name="hostname" type="hidden" value="<?php echo $f_hostname?>"></input>
-		<input name="db_type" type="hidden" value="<?php echo $f_db_type?>"></input>
-		<input name="database_name" type="hidden" value="<?php echo $f_database_name?>"></input>
-		<input name="db_username" type="hidden" value="<?php echo $f_db_username?>"></input>
-		<input name="db_password" type="hidden" value="<?php echo $f_db_password?>"></input>
-		<input name="admin_username" type="hidden" value="<?php echo $f_admin_username?>"></input>
-		<input name="admin_password" type="hidden" value="<?php echo $f_admin_password?>"></input>
+		<input name="hostname" type="hidden" value="<?php echo string_attribute( $f_hostname ) ?>"></input>
+		<input name="db_type" type="hidden" value="<?php echo string_attribute( $f_db_type ) ?>"></input>
+		<input name="database_name" type="hidden" value="<?php echo string_attribute( $f_database_name ) ?>"></input>
+		<input name="db_username" type="hidden" value="<?php echo string_attribute( $f_db_username ) ?>"></input>
+		<input name="db_password" type="hidden" value="<?php echo string_attribute( $f_db_password ) ?>"></input>
+		<input name="admin_username" type="hidden" value="<?php echo string_attribute( $f_admin_username ) ?>"></input>
+		<input name="admin_password" type="hidden" value="<?php echo string_attribute( $f_admin_password ) ?>"></input>
 		<input name="log_queries" type="hidden" value="<?php echo( $f_log_queries ? 1 : 0 )?>"></input>
 		<input name="db_exists" type="hidden" value="<?php echo( $f_db_exists ? 1 : 0 )?>"></input>
 <?php
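Review bot: this block of hidden fields is duplicated in the `$g_failed` retry form at the end of the patch (same seven variables, same escaping); a small helper that emits the hidden fields from one list would keep the two copies from drifting, which is exactly how one copy could miss a future sanitization fix. `$f_log_queries` and `$f_db_exists` are coerced to `1`/`0` on output and so need no escaping.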
@@ -986,14 +986,14 @@ if( $g_failed ) {
 <tr>
 	<td bgcolor="#ffffff">Please correct failed checks</td>
 	<td bgcolor="#ffffff">
-		<input name="install" type="hidden" value="<?php echo $t_install_state?>"></input>
-		<input name="hostname" type="hidden" value="<?php echo $f_hostname?>"></input>
-		<input name="db_type" type="hidden" value="<?php echo $f_db_type?>"></input>
-		<input name="database_name" type="hidden" value="<?php echo $f_database_name?>"></input>
-		<input name="db_username" type="hidden" value="<?php echo $f_db_username?>"></input>
-		<input name="db_password" type="hidden" value="<?php echo $f_db_password?>"></input>
-		<input name="admin_username" type="hidden" value="<?php echo $f_admin_username?>"></input>
-		<input name="admin_password" type="hidden" value="<?php echo $f_admin_password?>"></input>
+		<input name="install" type="hidden" value="<?php echo $t_install_state ?>"></input>
+		<input name="hostname" type="hidden" value="<?php echo string_attribute( $f_hostname ) ?>"></input>
+		<input name="db_type" type="hidden" value="<?php echo string_attribute( $f_db_type ) ?>"></input>
+		<input name="database_name" type="hidden" value="<?php echo string_attribute( $f_database_name ) ?>"></input>
+		<input name="db_username" type="hidden" value="<?php echo string_attribute( $f_db_username ) ?>"></input>
+		<input name="db_password" type="hidden" value="<?php echo string_attribute( $f_db_password ) ?>"></input>
+		<input name="admin_username" type="hidden" value="<?php echo string_attribute( $f_admin_username ) ?>"></input>
+		<input name="admin_password" type="hidden" value="<?php echo string_attribute( $f_admin_password ) ?>"></input>
 		<input name="log_queries" type="hidden" value="<?php echo( $f_log_queries ? 1 : 0 )?>"></input>
 		<input name="db_exists" type="hidden" value="<?php echo( $f_db_exists ? 1 : 0 )?>"></input>
 		<input name="retry" type="submit" class="button" value="Retry"></input>
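Review bot: `$t_install_state` on the `install` hidden field is still echoed unescaped (the line only gained whitespace). It is round-tripped through the `install` request parameter, the same one the reporter's proof-of-concept sets to `1`, so unless it is cast to an integer where it is read earlier in the file it is another reflected sink; either `(int)` it at the point of assignment or wrap it in `string_attribute()` here like its neighbours.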
-- 
1.9.1

dregad (developer), 2014-12-28 07:07, note ~0042065

Proposed patch attached for review

Related Changesets

MantisBT: master-1.2.x 6d47c047

2014-12-27 12:47:58

dregad

Details Diff
Fix XSS in install.php

This vulnerability (CVE-2014-9571) was reported by High-Tech Bridge
Security Research Lab (https://www.htbridge.com/) in issue 0017937
(advisory ID HTB23243).

The parameters are now properly sanitized before being displayed.

Fixes 0017938
mod - admin/install.php Diff File

MantisBT: master 132cd6d0

2014-12-27 12:47:58

dregad

Details Diff
Fix XSS in install.php

This vulnerability (CVE-2014-9571) was reported by High-Tech Bridge
Security Research Lab (https://www.htbridge.com/) in issue 0017937
(advisory ID HTB23243).

The parameters are now properly sanitized before being displayed.

Fixes 0017938
mod - admin/install.php Diff File

Issue History

Date Modified Username Field Change
2014-12-03 15:01 dregad New Issue
2014-12-03 15:03 dregad Reporter dregad => htbridge
2014-12-03 15:03 dregad Description Updated View Revisions
2014-12-03 15:05 dregad Relationship added child of 0017937
2014-12-05 18:34 dregadmin Target Version 1.2.18 => 1.2.19
2014-12-27 14:08 dregad Assigned To => dregad
2014-12-27 14:08 dregad Status new => assigned
2014-12-28 07:04 dregad Relationship added related to 0017939
2014-12-28 07:05 dregad Relationship added related to 0017940
2014-12-28 07:06 dregad File Added: 0002-Fix-XSS-in-install.php.patch
2014-12-28 07:07 dregad Note Added: 0042065
2015-01-09 08:09 dregad Summary XSS in install.php => CVE-2014-9571: XSS in install.php
2015-01-09 08:24 dregad Changeset attached => MantisBT master-1.2.x 6d47c047
2015-01-09 08:24 dregad Status assigned => resolved
2015-01-09 08:24 dregad Resolution open => fixed
2015-01-09 08:24 dregad Fixed in Version => 1.2.19
2015-01-09 08:24 dregad Changeset attached => MantisBT master 132cd6d0
2015-01-16 18:46 dregad View Status private => public
2015-01-25 18:17 dregadmin Status resolved => closed
2015-01-27 04:49 dregad Issue cloned: 0019274
2015-01-27 04:49 dregad Relationship added has duplicate 0019274