View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0017938 | mantisbt | security | public | 2014-12-03 15:01 | 2015-01-27 04:49 |
Field | Value |
---|---|
Reporter | htbridge |
Assigned To | dregad |
Priority | normal |
Severity | major |
Reproducibility | have not tried |
Status | closed |
Resolution | fixed |
Product Version | 1.2.17 |
Target Version | 1.2.19 |
Fixed in Version | 1.2.19 |
Summary | 0017938: CVE-2014-9571: XSS in install.php |
Description | Vulnerabilities described in this section can be used by attackers to steal cookies of the application's administrator and other website users. Attackers can also perform spear phishing attacks against website visitors by replacing the original content of the website with arbitrary HTML and script code, perform drive-by-download attacks by injecting malware into web pages, and bypass the existing CSRF protection mechanism. 1.1 The vulnerability exists due to insufficient filtration of input data passed via the "admin_username" and "admin_password" HTTP GET parameters to the "/[admin]/install.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website. Below are two exploitation examples that use the "alert()" JavaScript function to display the "immuniweb" word: http://mantis/[admin]/install.php?install=1&admin_username=1%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E Note that "[admin]" in the URL is changed by default during MantisBT installation. Therefore, the attacker must know the location of the administrative interface in order to perform the attack. However, the admin panel URL can be brute-forced or predicted in many cases. |
Additional Information | Advisory ID: HTB23243. Original report in 0017937 |
Tags | No tags attached. |
Attached Files | 0002-Fix-XSS-in-install.php.patch (6,549 bytes) |
From 563029e730792ceeb3ffb76782621bb8b8e8a29b Mon Sep 17 00:00:00 2001 From: Damien Regad <dregad@mantisbt.org> Date: Sat, 27 Dec 2014 18:47:58 +0100 Subject: [PATCH 2/3] Fix XSS in install.php This vulnerability was reported by High-Tech Bridge Security Research Lab (https://www.htbridge.com/) in issue #17937 (advisory ID HTB23243). The parameters are now properly sanitized before being displayed. Fixes #17938 --- admin/install.php | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/admin/install.php b/admin/install.php index bc8d613..577a32d 100644 --- a/admin/install.php +++ b/admin/install.php @@ -355,7 +355,7 @@ if( 2 == $t_install_state ) { # due to a bug in ADODB, this call prompts warnings, hence the @ # the check only works on mysql if the database is open $t_version_info = @$g_db->ServerInfo(); - echo '<br /> Running ' . $f_db_type . ' version ' . $t_version_info['description']; + echo '<br /> Running ' . string_attribute( $f_db_type ) . ' version ' . $t_version_info['description']; ?> </td> <?php @@ -444,7 +444,7 @@ if( !$g_database_upgrade ) {?> Hostname (for Database Server) </td> <td> - <input name="hostname" type="textbox" value="<?php echo $f_hostname?>"></input> + <input name="hostname" type="textbox" value="<?php echo string_attribute( $f_hostname ) ?>"></input> </td> </tr> <?php @@ -456,7 +456,7 @@ if( !$g_database_upgrade ) {?> Username (for Database) </td> <td> - <input name="db_username" type="textbox" value="<?php echo $f_db_username?>"></input> + <input name="db_username" type="textbox" value="<?php echo string_attribute( $f_db_username ) ?>"></input> </td> </tr> <?php @@ -480,7 +480,7 @@ if( !$g_database_upgrade ) {?> Database name (for Database) </td> <td> - <input name="database_name" type="textbox" value="<?php echo $f_database_name?>"></input> + <input name="database_name" type="textbox" value="<?php echo string_attribute( $f_database_name ) ?>"></input> </td> </tr> <?php 
@@ -491,7 +491,7 @@ if( !$g_database_upgrade ) {?> Admin Username (to <?php echo( !$g_database_upgrade ) ? 'create Database' : 'update Database'?> if required) </td> <td> - <input name="admin_username" type="textbox" value="<?php echo $f_admin_username?>"></input> + <input name="admin_username" type="textbox" value="<?php echo string_attribute( $f_admin_username ) ?>"></input> </td> </tr> @@ -500,7 +500,7 @@ if( !$g_database_upgrade ) {?> Admin Password (to <?php echo( !$g_database_upgrade ) ? 'create Database' : 'update Database'?> if required) </td> <td> - <input name="admin_password" type="password" value="<?php echo $f_admin_password?>"></input> + <input name="admin_password" type="password" value="<?php echo string_attribute( $f_admin_password ) ?>"></input> </td> </tr> 
@@ -754,13 +754,13 @@ if( 4 == $t_install_state ) { /** @todo to be written */ // must post data gathered to preserve it ?> - <input name="hostname" type="hidden" value="<?php echo $f_hostname?>"></input> - <input name="db_type" type="hidden" value="<?php echo $f_db_type?>"></input> - <input name="database_name" type="hidden" value="<?php echo $f_database_name?>"></input> - <input name="db_username" type="hidden" value="<?php echo $f_db_username?>"></input> - <input name="db_password" type="hidden" value="<?php echo $f_db_password?>"></input> - <input name="admin_username" type="hidden" value="<?php echo $f_admin_username?>"></input> - <input name="admin_password" type="hidden" value="<?php echo $f_admin_password?>"></input> + <input name="hostname" type="hidden" value="<?php echo string_attribute( $f_hostname ) ?>"></input> + <input name="db_type" type="hidden" value="<?php echo string_attribute( $f_db_type ) ?>"></input> + <input name="database_name" type="hidden" value="<?php echo string_attribute( $f_database_name ) ?>"></input> + <input name="db_username" type="hidden" value="<?php echo string_attribute( $f_db_username ) ?>"></input> + <input name="db_password" type="hidden" value="<?php echo string_attribute( $f_db_password ) ?>"></input> + <input name="admin_username" type="hidden" value="<?php echo string_attribute( $f_admin_username ) ?>"></input> + <input name="admin_password" type="hidden" value="<?php echo string_attribute( $f_admin_password ) ?>"></input> <input name="log_queries" type="hidden" value="<?php echo( $f_log_queries ? 1 : 0 )?>"></input> <input name="db_exists" type="hidden" value="<?php echo( $f_db_exists ? 1 : 0 )?>"></input> <?php 
@@ -986,14 +986,14 @@ if( $g_failed ) { <tr> <td bgcolor="#ffffff">Please correct failed checks</td> <td bgcolor="#ffffff"> - <input name="install" type="hidden" value="<?php echo $t_install_state?>"></input> - <input name="hostname" type="hidden" value="<?php echo $f_hostname?>"></input> - <input name="db_type" type="hidden" value="<?php echo $f_db_type?>"></input> - <input name="database_name" type="hidden" value="<?php echo $f_database_name?>"></input> - <input name="db_username" type="hidden" value="<?php echo $f_db_username?>"></input> - <input name="db_password" type="hidden" value="<?php echo $f_db_password?>"></input> - <input name="admin_username" type="hidden" value="<?php echo $f_admin_username?>"></input> - <input name="admin_password" type="hidden" value="<?php echo $f_admin_password?>"></input> + <input name="install" type="hidden" value="<?php echo $t_install_state ?>"></input> + <input name="hostname" type="hidden" value="<?php echo string_attribute( $f_hostname ) ?>"></input> + <input name="db_type" type="hidden" value="<?php echo string_attribute( $f_db_type ) ?>"></input> + <input name="database_name" type="hidden" value="<?php echo string_attribute( $f_database_name ) ?>"></input> + <input name="db_username" type="hidden" value="<?php echo string_attribute( $f_db_username ) ?>"></input> + <input name="db_password" type="hidden" value="<?php echo string_attribute( $f_db_password ) ?>"></input> + <input name="admin_username" type="hidden" value="<?php echo string_attribute( $f_admin_username ) ?>"></input> + <input name="admin_password" type="hidden" value="<?php echo string_attribute( $f_admin_password ) ?>"></input> <input name="log_queries" type="hidden" value="<?php echo( $f_log_queries ? 1 : 0 )?>"></input> <input name="db_exists" type="hidden" value="<?php echo( $f_db_exists ? 1 : 0 )?>"></input> <input name="retry" type="submit" class="button" value="Retry"></input> -- 1.9.1 | ||||
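Review bot: in the `@@ -355,7 +355,7 @@` hunk, `$t_version_info['description']` in the same `echo` is still emitted raw while `$f_db_type` now goes through `string_attribute()`. That value comes from the database server rather than the request, so the risk is lower, but for consistency wrap it as well, e.g. `string_attribute( $t_version_info['description'] )`. Since `$f_db_type` also selects the ADODB driver, validating it against the installer's list of supported database types before use would be a stronger control than output encoding alone.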
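Review bot: the `@@ -444,7 +444,7 @@` hostname hunk (and likewise the `db_username` and `database_name` hunks that follow) escapes correctly; a style point while these lines are being touched: `type="textbox"` is not a valid HTML input type (browsers fall back to `text`) and `</input>` is not a valid closing tag for a void element, so `type="text"` with no closing tag would be the idiomatic form.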
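Review bot: in the `@@ -500,7 +500,7 @@` hunk the encoding is correct, but the admin database password is still pre-filled into `value="..."` of a password input, so on a retry it lands in the rendered page source and any cache of it. Consider not reflecting the password back into the form and requiring re-entry, which removes the need to emit it at all.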
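Review bot: the `@@ -754,13 +754,13 @@` hidden-field block is a near-verbatim copy of the one in the `@@ -986,14 +986,14 @@` hunk; this duplication is how the unescaped echoes were missed in both places. Factoring the hidden-field emission into one helper that always applies `string_attribute()` would keep the two in step. The `log_queries` and `db_exists` fields are cast to `1`/`0` and need no encoding.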
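Review bot: in the `@@ -986,14 +986,14 @@` hunk `$t_install_state` is still echoed raw (only whitespace changed on that line). If it was read with `gpc_get_int()` it is an integer and an explicit `(int)` cast would document that; otherwise it should be encoded like its neighbours, e.g. `string_attribute( $t_install_state )`.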
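The following is an added illustration, not MantisBT's code and not part of the attached patch: it renders one install.php form field the pre-patch way and the post-patch way, feeds both a constructed value shaped like the one in the report, and shows why the encoded version stays inside the attribute. `attr_encode()` is an assumed stand-in for what `string_attribute()` does; `render_vulnerable()`, `render_fixed()`, `fragment_has_single_tag()` and the sample input are constructed for this example.

```php
<?php
// Added illustration for this issue; not MantisBT's own code. It shows the
// pre-patch and post-patch rendering of one install.php form field side by
// side. attr_encode() is an assumed stand-in for string_attribute(); the
// render_*() helpers and the sample input are constructed for this example.

// Assumed equivalent of string_attribute(): encode the characters that can
// close an attribute value or open a tag before the value reaches the page.
function attr_encode( $p_value ) {
	return htmlspecialchars( (string)$p_value, ENT_QUOTES, 'UTF-8' );
}

// Pre-patch pattern: the request parameter is concatenated straight into the
// attribute, so a quote in the value closes it and a '>' closes the tag.
function render_vulnerable( $p_admin_username ) {
	return '<input name="admin_username" type="text" value="' . $p_admin_username . '">';
}

// Post-patch pattern: the value is attribute-encoded first; quotes and angle
// brackets reach the browser as entities and stay inside the attribute.
function render_fixed( $p_admin_username ) {
	return '<input name="admin_username" type="text" value="' . attr_encode( $p_admin_username ) . '">';
}

// Regression check: the template contains exactly one tag, so a rendered
// fragment is acceptable only if it still contains exactly one '<'. A value
// that broke out of the attribute adds tags of its own and fails this.
function fragment_has_single_tag( $p_html ) {
	return substr_count( $p_html, '<' ) === 1;
}

// Constructed sample value in the shape the report describes: a quote to end
// the attribute, a '>' to end the tag, then markup of the sender's choosing.
$t_input = '1\'"><b>injected</b>';

foreach( array( 'vulnerable' => render_vulnerable( $t_input ),
                'fixed'      => render_fixed( $t_input ) ) as $t_label => $t_html ) {
	echo $t_label, ': ', $t_html, "\n";
	echo '  single tag: ', fragment_has_single_tag( $t_html ) ? 'yes' : 'NO, value escaped the attribute', "\n";
}
```

Run with `php example.php`: the vulnerable rendering contains three tags (the input plus the injected open and close tags) and fails the check, the fixed rendering contains exactly one and passes. A count-the-tags check of this kind is a cheap regression test to keep alongside each `echo` of an `$f_*` value in the installer, including the hidden-field blocks that the patch fixes twice.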
Relationship | Issue | Status | Assigned To | Summary |
---|---|---|---|---|
related to | 0017940 | closed | dregad | CVE-2014-9573: SQL Injection in manage_user_page.php |
has duplicate | 0019274 | closed | dregad | CVE-2014-9571: XSS in install.php |
related to | 0017939 | closed | dregad | CVE-2014-9572: Improper Access Control in install.php |
child of | 0017937 | closed | dregad | MantisBT Security Vulnerability Notification (HTB23243) |
MantisBT: master-1.2.x 6d47c047 2014-12-27 07:47 Details Diff
Fix XSS in install.php This vulnerability (CVE-2014-9571) was reported by High-Tech Bridge Security Research Lab (https://www.htbridge.com/) in issue 0017937 (advisory ID HTB23243). The parameters are now properly sanitized before being displayed. Fixes 0017938
Affected Issues 0017937, 0017938
mod - admin/install.php | Diff File

MantisBT: master 132cd6d0 2014-12-27 07:47 Details Diff
Fix XSS in install.php This vulnerability (CVE-2014-9571) was reported by High-Tech Bridge Security Research Lab (https://www.htbridge.com/) in issue 0017937 (advisory ID HTB23243). The parameters are now properly sanitized before being displayed. Fixes 0017938
Affected Issues 0017937, 0017938, 0019274
mod - admin/install.php | Diff File