View Issue Details

ID: 0017938
Project: mantisbt
Category: security
View Status: public
Last Update: 2015-01-27 04:49
Reporter: htbridge
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.2.17
Target Version: 1.2.19
Fixed in Version: 1.2.19
Summary0017938: CVE-2014-9571: XSS in install.php
Description

Vulnerabilities described in this section can be used by attackers to steal cookies of the application's administrator and other website users. Attackers can also perform spear phishing attacks against web site visitors by replacing the original content of the web site with arbitrary HTML and script code, perform drive-by-download attacks by injecting malware into web pages, and bypass the existing CSRF protection mechanism.

1.1 The vulnerability exists due to insufficient filtration of input data passed via the "admin_username" and "admin_password" HTTP GET parameters to the "/[admin]/install.php" script. A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.

Below are two exploitation examples that use the "alert()" JavaScript function to display the word "immuniweb":

http://mantis/[admin]/install.php?install=1&admin_username=1%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://mantis/[admin]/install.php?install=1&admin_password=1%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E

Note that "[admin]" in the URL is changed by default during MantisBT installation. Therefore, the attacker must know the location of the administrative interface in order to perform the attack. However, the admin panel URL can be bruteforced or predicted in many cases.

Additional Information

Advisory ID: HTB23243
Reference: https://www.htbridge.com/advisory/HTB23243

Original report in 0017937
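To make the attribute-context breakout concrete, here is an added illustration (example code written for this page, not MantisBT's own admin/install.php, though it mirrors the value="..." pattern the attached patch changes). It renders the admin_username field with and without escaping, feeds it the URL-decoded payload from the advisory's PoC URL, and checks whether the payload terminated the attribute. string_attribute_demo() is a stand-in for MantisBT's string_attribute(), which in 1.2.x wraps htmlspecialchars() with ENT_QUOTES; the breaks_out() check and the payload string are constructed for the demo, and PHP 7 or later is assumed for the scalar type hints.

```php
<?php
// Added example: reflected XSS in a double-quoted HTML attribute and the
// escaping that closes it. Not MantisBT code; requires PHP 7+ for the
// scalar type hints.

// The advisory's PoC value, URL-decoded (constructed here from the
// advisory URL):  1'"><script>alert('immuniweb');</script>
$payload = "1'\"><script>alert('immuniweb');</script>";

// Before the fix: the request parameter goes straight into value="...".
// The " in the payload closes the attribute and > closes the tag, so the
// <script> that follows is parsed as markup, not as field content.
function render_before(string $admin_username): string
{
    return '<input name="admin_username" type="text" value="'
        . $admin_username . '">';
}

// Stand-in for MantisBT's string_attribute(): htmlspecialchars() with
// ENT_QUOTES encodes & < > " and ', so nothing in the value can end the
// attribute or open a tag.
function string_attribute_demo(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// After the fix: same markup, escaped value.
function render_after(string $admin_username): string
{
    return '<input name="admin_username" type="text" value="'
        . string_attribute_demo($admin_username) . '">';
}

// Constructed check: did a literal "><script sequence land in the markup?
// That is exactly the breakout the advisory's payload relies on.
function breaks_out(string $html): bool
{
    return strpos($html, '"><script') !== false;
}

$before = render_before($payload);
$after  = render_after($payload);

printf("before (breakout=%s): %s\n", breaks_out($before) ? 'yes' : 'no', $before);
printf("after  (breakout=%s): %s\n", breaks_out($after) ? 'yes' : 'no', $after);
```

Run it with `php example.php`: the unescaped render contains the raw `"><script>` sequence, while the escaped one carries `&quot;&gt;&lt;script&gt;` inside the attribute, which the browser treats as the field's text rather than as a tag. Escaping is context-specific: string_attribute() is the right choice for a quoted attribute, but a value echoed into a `<script>` block, a URL or a CSS property would need a different encoder.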

Tags: No tags attached.
Attached Files
0002-Fix-XSS-in-install.php.patch (6,549 bytes)
From 563029e730792ceeb3ffb76782621bb8b8e8a29b Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Sat, 27 Dec 2014 18:47:58 +0100
Subject: [PATCH 2/3] Fix XSS in install.php

This vulnerability was reported by High-Tech Bridge Security Research
Lab (https://www.htbridge.com/) in issue #17937 (advisory ID HTB23243).

The parameters are now properly sanitized before being displayed.

Fixes #17938
---
 admin/install.php | 42 +++++++++++++++++++++---------------------
 1 file changed, 21 insertions(+), 21 deletions(-)

diff --git a/admin/install.php b/admin/install.php
index bc8d613..577a32d 100644
--- a/admin/install.php
+++ b/admin/install.php
@@ -355,7 +355,7 @@ if( 2 == $t_install_state ) {
 		# due to a bug in ADODB, this call prompts warnings, hence the @
 		# the check only works on mysql if the database is open
 		$t_version_info = @$g_db->ServerInfo();
-		echo '<br /> Running ' . $f_db_type . ' version ' . $t_version_info['description'];
+		echo '<br /> Running ' . string_attribute( $f_db_type ) . ' version ' . $t_version_info['description'];
 		?>
 	</td>
 	<?php
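Review bot: string_attribute() is an attribute-context escaper, but this echo lands in element text, not inside an attribute; it still blocks the breakout because < and > are encoded, yet string_display_line() (or plain HTML-special-chars escaping) would state the intent more clearly in this context. On the same line, $t_version_info['description'] is still echoed unescaped; it comes from the database server rather than the request, so the risk is lower, but escaping it too keeps the rule "nothing reaches the page unescaped" uniform across the file.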
@@ -444,7 +444,7 @@ if( !$g_database_upgrade ) {?>
 		Hostname (for Database Server)
 	</td>
 	<td>
-		<input name="hostname" type="textbox" value="<?php echo $f_hostname?>"></input>
+		<input name="hostname" type="textbox" value="<?php echo string_attribute( $f_hostname ) ?>"></input>
 	</td>
 </tr>
 <?php
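Review bot: the encoding matches the context here (value="..." is double-quoted and string_attribute() encodes " as well as < and >), so a value such as 1'"><script> can no longer terminate the attribute. Two pre-existing markup problems could be fixed while these lines are being touched: type="textbox" is not a valid input type (browsers fall back to text), and <input> is a void element, so the </input> end tag is invalid. The same applies to the db_username, database_name, admin_username and admin_password fields in the hunks that follow.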
@@ -456,7 +456,7 @@ if( !$g_database_upgrade ) {?>
 		Username (for Database)
 	</td>
 	<td>
-		<input name="db_username" type="textbox" value="<?php echo $f_db_username?>"></input>
+		<input name="db_username" type="textbox" value="<?php echo string_attribute( $f_db_username ) ?>"></input>
 	</td>
 </tr>
 <?php
@@ -480,7 +480,7 @@ if( !$g_database_upgrade ) {?>
 		Database name (for Database)
 	</td>
 	<td>
-		<input name="database_name" type="textbox" value="<?php echo $f_database_name?>"></input>
+		<input name="database_name" type="textbox" value="<?php echo string_attribute( $f_database_name ) ?>"></input>
 	</td>
 </tr>
 <?php
@@ -491,7 +491,7 @@ if( !$g_database_upgrade ) {?>
 		Admin Username (to <?php echo( !$g_database_upgrade ) ? 'create Database' : 'update Database'?> if required)
 	</td>
 	<td>
-		<input name="admin_username" type="textbox" value="<?php echo $f_admin_username?>"></input>
+		<input name="admin_username" type="textbox" value="<?php echo string_attribute( $f_admin_username ) ?>"></input>
 	</td>
 </tr>
 
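Review bot: this is the field named in the advisory; the PoC URL sends the payload in admin_username together with install=1, and after this change the reflected value should appear in page source as 1&#039;&quot;&gt;&lt;script&gt;... rather than as a closed attribute followed by a script tag. Recording that URL as the retest case for both master-1.2.x and master would make the fix verifiable without re-deriving it from the advisory.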
@@ -500,7 +500,7 @@ if( !$g_database_upgrade ) {?>
 		Admin Password (to <?php echo( !$g_database_upgrade ) ? 'create Database' : 'update Database'?> if required)
 	</td>
 	<td>
-		<input name="admin_password" type="password" value="<?php echo $f_admin_password?>"></input>
+		<input name="admin_password" type="password" value="<?php echo string_attribute( $f_admin_password ) ?>"></input>
 	</td>
 </tr>
 
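Review bot: escaping closes the XSS, but this field round-trips the database admin password from the request back into the HTML as a prefilled value. type="password" hides it on screen only; the plaintext remains in page source, proxy logs and browser cache. Consider rendering an empty value and requiring re-entry on retry, which would also remove one reflection point entirely.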
@@ -754,13 +754,13 @@ if( 4 == $t_install_state ) {
 	/** @todo to be written */
 	// must post data gathered to preserve it
 	?>
-		<input name="hostname" type="hidden" value="<?php echo $f_hostname?>"></input>
-		<input name="db_type" type="hidden" value="<?php echo $f_db_type?>"></input>
-		<input name="database_name" type="hidden" value="<?php echo $f_database_name?>"></input>
-		<input name="db_username" type="hidden" value="<?php echo $f_db_username?>"></input>
-		<input name="db_password" type="hidden" value="<?php echo $f_db_password?>"></input>
-		<input name="admin_username" type="hidden" value="<?php echo $f_admin_username?>"></input>
-		<input name="admin_password" type="hidden" value="<?php echo $f_admin_password?>"></input>
+		<input name="hostname" type="hidden" value="<?php echo string_attribute( $f_hostname ) ?>"></input>
+		<input name="db_type" type="hidden" value="<?php echo string_attribute( $f_db_type ) ?>"></input>
+		<input name="database_name" type="hidden" value="<?php echo string_attribute( $f_database_name ) ?>"></input>
+		<input name="db_username" type="hidden" value="<?php echo string_attribute( $f_db_username ) ?>"></input>
+		<input name="db_password" type="hidden" value="<?php echo string_attribute( $f_db_password ) ?>"></input>
+		<input name="admin_username" type="hidden" value="<?php echo string_attribute( $f_admin_username ) ?>"></input>
+		<input name="admin_password" type="hidden" value="<?php echo string_attribute( $f_admin_password ) ?>"></input>
 		<input name="log_queries" type="hidden" value="<?php echo( $f_log_queries ? 1 : 0 )?>"></input>
 		<input name="db_exists" type="hidden" value="<?php echo( $f_db_exists ? 1 : 0 )?>"></input>
 <?php
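Review bot: db_password and admin_password are still carried in cleartext through hidden inputs between install steps; the escaping closes the breakout but not that exposure, so it deserves its own follow-up issue rather than being lost in the XSS fix. The log_queries and db_exists fields, which are normalized to 0/1 before output, show the safer pattern wherever a value can be coerced instead of escaped.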
@@ -986,14 +986,14 @@ if( $g_failed ) {
 <tr>
 	<td bgcolor="#ffffff">Please correct failed checks</td>
 	<td bgcolor="#ffffff">
-		<input name="install" type="hidden" value="<?php echo $t_install_state?>"></input>
-		<input name="hostname" type="hidden" value="<?php echo $f_hostname?>"></input>
-		<input name="db_type" type="hidden" value="<?php echo $f_db_type?>"></input>
-		<input name="database_name" type="hidden" value="<?php echo $f_database_name?>"></input>
-		<input name="db_username" type="hidden" value="<?php echo $f_db_username?>"></input>
-		<input name="db_password" type="hidden" value="<?php echo $f_db_password?>"></input>
-		<input name="admin_username" type="hidden" value="<?php echo $f_admin_username?>"></input>
-		<input name="admin_password" type="hidden" value="<?php echo $f_admin_password?>"></input>
+		<input name="install" type="hidden" value="<?php echo $t_install_state ?>"></input>
+		<input name="hostname" type="hidden" value="<?php echo string_attribute( $f_hostname ) ?>"></input>
+		<input name="db_type" type="hidden" value="<?php echo string_attribute( $f_db_type ) ?>"></input>
+		<input name="database_name" type="hidden" value="<?php echo string_attribute( $f_database_name ) ?>"></input>
+		<input name="db_username" type="hidden" value="<?php echo string_attribute( $f_db_username ) ?>"></input>
+		<input name="db_password" type="hidden" value="<?php echo string_attribute( $f_db_password ) ?>"></input>
+		<input name="admin_username" type="hidden" value="<?php echo string_attribute( $f_admin_username ) ?>"></input>
+		<input name="admin_password" type="hidden" value="<?php echo string_attribute( $f_admin_password ) ?>"></input>
 		<input name="log_queries" type="hidden" value="<?php echo( $f_log_queries ? 1 : 0 )?>"></input>
 		<input name="db_exists" type="hidden" value="<?php echo( $f_db_exists ? 1 : 0 )?>"></input>
 		<input name="retry" type="submit" class="button" value="Retry"></input>
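Review bot: $t_install_state is still echoed without escaping or an explicit cast; it is the value that comes back as the install request parameter (install=1 in the advisory's URL). Unless earlier code already coerces it to an integer, this line is the same class of reflection as the ones being fixed, and an (int) cast here would make that guarantee explicit either way. The rest of this hunk mirrors the state-4 block above, so the note about cleartext passwords in hidden fields applies here too.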
-- 
1.9.1

Relationships

related to 0017940 (closed, dregad): CVE-2014-9573: SQL Injection in manage_user_page.php
has duplicate 0019274 (closed, dregad): CVE-2014-9571: XSS in install.php
related to 0017939 (closed, dregad): CVE-2014-9572: Improper Access Control in install.php
child of 0017937 (closed, dregad): MantisBT Security Vulnerability Notification (HTB23243)

Activities

dregad (developer), 2014-12-28 07:07, ~0042065

Proposed patch attached for review

Related Changesets

MantisBT: master-1.2.x 6d47c047
2014-12-27 07:47, dregad

Fix XSS in install.php

This vulnerability (CVE-2014-9571) was reported by High-Tech Bridge
Security Research Lab (https://www.htbridge.com/) in issue 0017937
(advisory ID HTB23243).

The parameters are now properly sanitized before being displayed.

Fixes 0017938

Affected Issues: 0017937, 0017938
mod - admin/install.php

MantisBT: master 132cd6d0
2014-12-27 07:47, dregad

Fix XSS in install.php

This vulnerability (CVE-2014-9571) was reported by High-Tech Bridge
Security Research Lab (https://www.htbridge.com/) in issue 0017937
(advisory ID HTB23243).

The parameters are now properly sanitized before being displayed.

Fixes 0017938

Affected Issues: 0017937, 0017938, 0019274
mod - admin/install.php