View Issue Details

ID: 0017939
Project: mantisbt
Category: security
View Status: public
Last Update: 2015-01-27 04:48
Reporter: htbridge
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.2.17
Target Version: 1.2.19
Fixed in Version: 1.2.19
Summary: 0017939: CVE-2014-9572: Improper Access Control in install.php
Description

The vulnerability exists due to insufficient access restrictions to the installation script "/[admin]/install.php" when the HTTP GET "install" parameter is set to "4". A remote unauthenticated attacker can access the installation script and obtain database access credentials, which are stored in plain text in hidden form fields.

An attacker can use the following URL to access the page and obtain database credentials (login and password) in plaintext:

http://mantis/[admin]/install.php?install=4

Note that "[admin]" in the URL is changed by default during installation. Therefore, the attacker must know the location of the administrative interface in order to perform the attack. However, the admin panel URL can be bruteforced or predicted in many cases.

Additional Information

Advisory ID: HTB23243
Reference: https://www.htbridge.com/advisory/HTB23243

Original report in 0017937
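As an added example, not part of this issue report or of the MantisBT code base: a Python script that takes the defender's side of the report above. It flags access-log requests to the installer and singles out the install=4 step that rendered the database credentials as hidden form fields, and it checks whether install.php is still on disk after installation, which the patch comment identifies as the precondition for the disclosure. The admin directory name (ADMIN_DIR), the "combined" log format and the sample log lines are assumptions constructed for the example.

```python
"""Defender-side checks for the admin/install.php exposure described in
this issue (CVE-2014-9572). Added example, not MantisBT project code.

Assumptions (hypothetical, adjust to your deployment):
- ADMIN_DIR is the name of the admin directory under the web root; the
  report notes it is usually renamed at install time;
- access logs are in the Apache/nginx "combined" format.
"""
import os
import re
import shutil
import tempfile
from urllib.parse import parse_qs, urlsplit

ADMIN_DIR = "admin"  # hypothetical default; substitute the renamed directory

# One "combined" log line: host ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def classify_request(target):
    """Return None unless the request targets install.php; otherwise report
    which install step was requested. Step 4 is the one that rendered the
    database credentials as hidden form fields."""
    parts = urlsplit(target)
    if not parts.path.endswith("/install.php"):
        return None
    step = parse_qs(parts.query).get("install", [None])[0]
    return {"path": parts.path, "step": step, "credential_disclosure": step == "4"}


def scan_access_log(lines):
    """Flag every request to the installer in an access log; any such hit on
    a production instance means the admin directory was never removed."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        info = classify_request(m.group("target"))
        if info is None:
            continue
        findings.append({"host": m.group("host"), "time": m.group("time"),
                         "status": int(m.group("status")), **info})
    return findings


def install_script_present(webroot, admin_dir=ADMIN_DIR):
    """Post-install check: True if install.php is still on disk under the
    admin directory, i.e. reachable by anyone who can guess the path."""
    return os.path.isfile(os.path.join(webroot, admin_dir, "install.php"))


def demo_install_check():
    """Constructed scenario: a throwaway web root with the installer left in
    place, then the same root after the admin directory is removed."""
    with tempfile.TemporaryDirectory() as webroot:
        admin_path = os.path.join(webroot, ADMIN_DIR)
        os.makedirs(admin_path)
        open(os.path.join(admin_path, "install.php"), "w").close()
        before = install_script_present(webroot)
        shutil.rmtree(admin_path)
        after = install_script_present(webroot)
    return before, after


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Dec/2014:11:02:13 +0100] "GET /mantis/admin/install.php?install=4 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Dec/2014:11:02:15 +0100] "GET /mantis/view_all_bug_page.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [28/Dec/2014:11:05:40 +0100] "GET /mantis/admin/install.php HTTP/1.1" 200 3000 "-" "curl/7.38.0"',
    '198.51.100.20 - - [28/Dec/2014:11:05:41 +0100] "POST /mantis/admin/install.php?install=2 HTTP/1.1" 302 0 "-" "curl/7.38.0"',
    'not a log line at all',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        tag = "CREDENTIAL DISCLOSURE" if f["credential_disclosure"] else "installer hit"
        print(f'{f["time"]} {f["host"]} step={f["step"]} -> {tag}')
    print("installer present before/after cleanup:", demo_install_check())
```

Any hit on install.php from a production host is worth an alert regardless of the step, because the installer has no authentication of its own; the install=4 hits are the ones to treat as a credential exposure and rotate the database password for.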

Tags: No tags attached.

Relationships

related to 0017938 closeddregad CVE-2014-9571: XSS in install.php 
related to 0017940 closeddregad CVE-2014-9573: SQL Injection in manage_user_page.php 
has duplicate 0019273 closeddregad CVE-2014-9572: Improper Access Control in install.php 
child of 0017937 closeddregad MantisBT Security Vulnerability Notification (HTB23243) 

Activities

dregad (developer)

2014-12-28 07:04

0003-Install-disable-step-4-additional-config-info.patch (1,640 bytes)
From 692a9b9d2f87e6fd368f404be61aa8dc55cdfc2b Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Sun, 28 Dec 2014 12:29:51 +0100
Subject: [PATCH 3/3] Install: disable step 4 (additional config info)

This fixes a security issue allowing an attacker to access the
installation script and obtain database access credentials.

Since the offending install step does not seem to be doing anything
useful, the corresponding code block has been commented out.

This vulnerability was reported by High-Tech Bridge Security Research
Lab (https://www.htbridge.com/) in issue #17937 (advisory ID HTB23243).

Fixes #17939
---
 admin/install.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/admin/install.php b/admin/install.php
index 577a32d..77f6163 100644
--- a/admin/install.php
+++ b/admin/install.php
@@ -751,7 +751,12 @@ if( 3 == $t_install_state ) {
 # database installed, get any additional information
 if( 4 == $t_install_state ) {
 
-	/** @todo to be written */
+/*
+	# 20141227 dregad Disabling this step for now, because it does not seem to
+	# be doing anything useful and can be used to retrieve system information
+	# when the admin directory has not been deleted (see #17939).
+
+	# @todo to be written
 	// must post data gathered to preserve it
 	?>
 		<input name="hostname" type="hidden" value="<?php echo string_attribute( $f_hostname ) ?>"></input>
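Review bot: wrapping the whole step-4 body in one `/* ... */` that opens right after `if( 4 == $t_install_state ) {` depends on nothing between the markers ever containing `*/`; the `?>` and `<?php echo ... ?>` tags inside a block comment are harmless in PHP, but the `<input name="hostname" ... value="<?php echo string_attribute( $f_hostname ) ?>">` lines are now dead code kept only for reference. Since the commit message itself says the step does nothing useful, deleting the block outright (the history stays in git) would be less fragile than commenting it out, and the `# @todo to be written` line should either move out of the comment or be dropped with it.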
@@ -766,6 +771,7 @@ if( 4 == $t_install_state ) {
 <?php
 	# must post <input name="install" type="hidden" value="5"></input>
 	# rather than the following line
+*/
 	$t_install_state++;
 }  # end install_state == 4
 
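Review bot: with the `*/` placed directly before `$t_install_state++;`, a request with install=4 no longer renders the hidden credential fields but still falls through and advances to state 5 within the same request; worth confirming that the state-5 block does not re-emit any of the posted values, and that the two comment lines `# must post <input name="install" type="hidden" value="5"></input>` / `# rather than the following line` still read correctly now that they sit inside the disabled block rather than next to live code.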
-- 
1.9.1

dregad (developer) ~0042066

2014-12-28 07:07

Proposed patch attached for review

Related Changesets

MantisBT: master-1.2.x 5571bcf9

2014-12-28 06:29:51

dregad

Install: disable step 4 (additional config info)

This fixes a security issue allowing an attacker to access the
installation script and obtain database access credentials.

Since the offending install step does not seem to be doing anything
useful, the corresponding code block has been commented out.

This vulnerability (CVE-2014-9571) was reported by High-Tech Bridge
Security Research Lab (https://www.htbridge.com/) in issue 0017937
(advisory ID HTB23243).

Fixes 0017939
mod - admin/install.php

MantisBT: master 5e5e5750

2014-12-28 06:29:51

dregad

Install: disable step 4 (additional config info)

This fixes a security issue allowing an attacker to access the
installation script and obtain database access credentials.

Since the offending install step does not seem to be doing anything
useful, the corresponding code block has been commented out.

This vulnerability (CVE-2014-9571) was reported by High-Tech Bridge
Security Research Lab (https://www.htbridge.com/) in issue 0017937
(advisory ID HTB23243).

Fixes 0017939
mod - admin/install.php

Issue History

Date Modified Username Field Change
2014-12-03 15:04 dregad New Issue
2014-12-03 15:05 dregad Relationship added child of 0017937
2014-12-03 15:06 dregad Reporter dregad => htbridge
2014-12-05 18:34 dregadmin Target Version 1.2.18 => 1.2.19
2014-12-28 07:04 dregad Assigned To => dregad
2014-12-28 07:04 dregad Status new => assigned
2014-12-28 07:04 dregad File Added: 0003-Install-disable-step-4-additional-config-info.patch
2014-12-28 07:04 dregad Relationship added related to 0017938
2014-12-28 07:05 dregad Relationship added related to 0017940
2014-12-28 07:07 dregad Note Added: 0042066
2015-01-09 08:10 dregad Summary Improper Access Control in install.php => CVE-2014-9572: Improper Access Control in install.php
2015-01-09 08:24 dregad Changeset attached => MantisBT master-1.2.x 5571bcf9
2015-01-09 08:24 dregad Status assigned => resolved
2015-01-09 08:24 dregad Resolution open => fixed
2015-01-09 08:24 dregad Fixed in Version => 1.2.19
2015-01-09 08:24 dregad Changeset attached => MantisBT master 5e5e5750
2015-01-16 18:46 dregad View Status private => public
2015-01-25 18:17 dregadmin Status resolved => closed
2015-01-27 04:48 dregad Issue cloned: 0019273
2015-01-27 04:48 dregad Relationship added has duplicate 0019273