View Issue Details

ID: 0017940
Project: mantisbt
Category: security
View Status: public
Last Update: 2015-01-27 04:50
Reporter: htbridge
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.2.17
Target Version: 1.2.19
Fixed in Version: 1.2.19
Summary0017940: CVE-2014-9573: SQL Injection in manage_user_page.php
Description

The vulnerability can be used to manipulate existing SQL queries. An attacker can obtain potentially sensitive data and use it to elevate privileges within the application. It is also possible for certain configurations to upload a backdoor and gain complete access to the webserver or website.

3.1 The vulnerability exists due to insufficient filtration of the "MANTIS_MANAGE_USERS_COOKIE" HTTP COOKIE in "/manage_user_page.php" script. A remote user with administrative privileges can inject and execute arbitrary SQL code within the application’s database.

The exploit code below modifies the SQL query and injects a malicious "INTO OUTFILE" statement. As a result, the current MySQL user login will be written into the "/var/www/file.txt" file:

GET /manage_user_page.php?hideinactive=0 HTTP/1.1
Host: mantis
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: MANTIS_MANAGE_USERS_COOKIE=0%3Ausername%20INTO%20OUTFILE%20%27/var/www/file.txt%27%20--%20%3A1%3A0
Connection: keep-alive

Successful exploitation requires that the MySQL account has FILE privileges within the database.

To exploit this vulnerability an attacker must create a specially crafted cookie for the application administrator. This can be achieved using XSS vulnerabilities, described in paragraphs 1.1 – 1.3 of this advisory.

Additional Information

Advisory ID: HTB23243
Reference: https://www.htbridge.com/advisory/HTB23243

Original report in 0017937
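The injection path described in the report, as an added example that is not MantisBT's own code: the cookie is split on ':' into hide_inactive:sort:dir:show_disabled, and in the unpatched page the sort and direction fields were concatenated into the user-list query unchanged. The table name, the query shape and the ALLOWED_SORT_COLUMNS whitelist are assumptions for illustration (the real 1.2.19 fix validates the sort field against the user table with db_field_exists()); the cookie value is the URL-decoded one from the request above.

```php
<?php
// Added example, not MantisBT code. Mirrors the cookie handling described in
// the report: MANTIS_MANAGE_USERS_COOKIE is exploded on ':' into
// hide_inactive:sort:dir:show_disabled, and sort/dir end up in ORDER BY.
// Table and column names are assumptions for illustration only.

// Constructed input: the URL-decoded cookie value from the advisory's request.
$cookie = "0:username INTO OUTFILE '/var/www/file.txt' -- :1:0";

// Hypothetical whitelist of sortable columns (MantisBT 1.2.19 instead checks
// the field against the user table with db_field_exists()).
const ALLOWED_SORT_COLUMNS = ['id', 'username', 'realname', 'email',
    'access_level', 'enabled', 'protected', 'last_visit', 'date_created'];

// Vulnerable pattern (pre-1.2.19 logic): cookie fields are copied straight
// into the variables the query is built from, so an attacker-controlled sort
// field is concatenated into SQL unchanged.
function build_query_unsafe(string $cookie): string
{
    $parts = explode(':', $cookie);
    $sort = $parts[1] ?? 'username';
    $dir  = $parts[2] ?? 'DESC';
    return "SELECT * FROM mantis_user_table ORDER BY $sort $dir";
}

// Hardened pattern: every cookie field is validated before it reaches SQL.
// Identifiers (column names, ASC/DESC) cannot be bound as query parameters,
// so a whitelist is the right control; escaping or trimming is not enough.
function parse_manage_users_cookie(string $cookie): array
{
    $parts = explode(':', $cookie);

    $sort = $parts[1] ?? 'username';
    if (!in_array($sort, ALLOWED_SORT_COLUMNS, true)) {
        $sort = 'username';
    }

    $dir = strtoupper($parts[2] ?? 'DESC');
    if ($dir !== 'ASC' && $dir !== 'DESC') {
        $dir = 'DESC';
    }

    return [
        'hide_inactive' => (bool)($parts[0] ?? false),
        'sort'          => $sort,
        'dir'           => $dir,
        'show_disabled' => (bool)($parts[3] ?? false),
    ];
}

function build_query_safe(string $cookie): string
{
    $p = parse_manage_users_cookie($cookie);
    // $p['sort'] and $p['dir'] can only be whitelist members at this point.
    return "SELECT * FROM mantis_user_table ORDER BY {$p['sort']} {$p['dir']}";
}

echo "unsafe: ", build_query_unsafe($cookie), PHP_EOL;
echo "safe:   ", build_query_safe($cookie), PHP_EOL;
```

Run it with `php` on the command line. The unsafe builder emits the query with the INTO OUTFILE clause intact and the remaining cookie fields commented out by the trailing `--`, which is exactly why the advisory requires the MySQL FILE privilege; the safe builder falls back to `username DESC` because neither the injected sort field nor the direction "1" survives the whitelist. The same validation must run regardless of whether the values arrived via the cookie or via request parameters, which is what the 1.2.19 patch does by routing both sources through the page's clean-up block.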

TagsNo tags attached.

Relationships

has duplicate 0019277 closed dregad CVE-2014-9573: SQL Injection in manage_user_page.php
related to 0017939 closed dregad CVE-2014-9572: Improper Access Control in install.php
related to 0017938 closed dregad CVE-2014-9571: XSS in install.php
child of 0017937 closed dregad MantisBT Security Vulnerability Notification (HTB23243)

Activities

dregad

2014-12-28 07:06

developer  

0001-Fix-SQL-injection-in-manage_user_page.php.patch (3,523 bytes)
From 5eda2d414e13b7685bd1bb81791872d72c2a0f26 Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Sat, 27 Dec 2014 18:34:25 +0100
Subject: [PATCH 1/3] Fix SQL injection in manage_user_page.php

This vulnerability was reported by High-Tech Bridge Security Research
Lab (https://www.htbridge.com/) in issue #17937 (advisory ID HTB23243).

To avoid injection, the parameters we get from the cookie are now
properly sanitized before being used in the SQL query.

Fixes #17940
---
 manage_user_page.php | 67 +++++++++++++++++++++++++++-------------------------
 1 file changed, 35 insertions(+), 32 deletions(-)

diff --git a/manage_user_page.php b/manage_user_page.php
index 0f964b5..c7c054a 100644
--- a/manage_user_page.php
+++ b/manage_user_page.php
@@ -31,19 +31,46 @@
 
 	access_ensure_global_level( config_get( 'manage_user_threshold' ) );
 
-	$f_sort          = gpc_get_string( 'sort', 'username' );
-	$f_dir           = gpc_get_string( 'dir', 'ASC' );
-	$f_hide_inactive = gpc_get_bool( 'hideinactive' );
-	$f_show_disabled = gpc_get_bool( 'showdisabled' );
-	$f_save          = gpc_get_bool( 'save' );
-	$f_filter        = utf8_strtoupper( gpc_get_string( 'filter', config_get( 'default_manage_user_prefix' ) ) );
-	$f_page_number   = gpc_get_int( 'page_number', 1 );
-
 	$t_user_table = db_get_table( 'mantis_user_table' );
 	$t_cookie_name = config_get( 'manage_users_cookie' );
 	$t_lock_image = '<img src="' . config_get( 'icon_path' ) . 'protected.gif" width="8" height="15" border="0" alt="' . lang_get( 'protected' ) . '" />';
 	$c_filter = '';
 
+	$f_save          = gpc_get_bool( 'save' );
+	$f_filter        = utf8_strtoupper( gpc_get_string( 'filter', config_get( 'default_manage_user_prefix' ) ) );
+	$f_page_number   = gpc_get_int( 'page_number', 1 );
+
+	if( !$f_save && !is_blank( gpc_get_cookie( $t_cookie_name, '' ) ) ) {
+		$t_manage_arr = explode( ':', gpc_get_cookie( $t_cookie_name ) );
+
+		# Hide Inactive
+		$f_hide_inactive = (bool)$t_manage_arr[0];
+
+		# Sort field
+		if ( isset( $t_manage_arr[1] ) ) {
+			$f_sort = $t_manage_arr[1];
+		} else {
+			$f_sort = 'username';
+		}
+
+		# Sort order
+		if ( isset( $t_manage_arr[2] ) ) {
+			$f_dir = $t_manage_arr[2];
+		} else {
+			$f_dir = 'DESC';
+		}
+
+		# Show Disabled
+		if ( isset( $t_manage_arr[3] ) ) {
+			$f_show_disabled = $t_manage_arr[3];
+		}
+	} else {
+		$f_sort          = gpc_get_string( 'sort', 'username' );
+		$f_dir           = gpc_get_string( 'dir', 'ASC' );
+		$f_hide_inactive = gpc_get_bool( 'hideinactive' );
+		$f_show_disabled = gpc_get_bool( 'showdisabled' );
+	}
+
 	# Clean up the form variables
 	if ( !db_field_exists( $f_sort, $t_user_table ) ) {
 		$c_sort = 'username';
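Review bot: in the cookie branch `$f_show_disabled` is left undefined when the cookie has fewer than four fields, because the `isset( $t_manage_arr[3] )` test has no else, whereas `$f_sort` and `$f_dir` fall back to 'username' and 'DESC'; add `else { $f_show_disabled = false; }` and cast the set case with `(bool)`, as is already done on the line `$f_hide_inactive = (bool)$t_manage_arr[0];`, so the clean-up block below always receives a boolean. The visible context only shows the `db_field_exists( $f_sort, $t_user_table )` check; confirm the same clean-up block restricts `$f_dir` to ASC/DESC, since it is the other cookie-sourced string the commit message says is used in the query. Also note the cookie default for the direction is 'DESC' while the request-parameter default in the else branch is 'ASC'; if that asymmetry is intentional, a comment would save the next reader from "fixing" it.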
@@ -65,30 +92,6 @@
 	if ( $f_save ) {
 		$t_manage_string = $c_hide_inactive.':'.$c_sort.':'.$c_dir.':'.$c_show_disabled;
 		gpc_set_cookie( $t_cookie_name, $t_manage_string, true );
-	} else if ( !is_blank( gpc_get_cookie( $t_cookie_name, '' ) ) ) {
-		$t_manage_arr = explode( ':', gpc_get_cookie( $t_cookie_name ) );
-
-		# Hide Inactive
-		$c_hide_inactive = $t_manage_arr[0];
-
-		# Sort field
-		if ( isset( $t_manage_arr[1] ) ) {
-			$c_sort = $t_manage_arr[1];
-		} else {
-			$c_sort = 'username';
-		}
-
-		# Sort order
-		if ( isset( $t_manage_arr[2] ) ) {
-			$c_dir  = $t_manage_arr[2];
-		} else {
-			$c_dir = 'DESC';
-		}
-
-		# Show Disabled
-		if ( isset( $t_manage_arr[3] ) ) {
-			$c_show_disabled = $t_manage_arr[3];
-		}
 	}
 
 	html_page_top( lang_get( 'manage_users_link' ) );
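Review bot: deleting this branch is the actual fix, since it copied the raw `explode()` output straight into `$c_hide_inactive`, `$c_sort`, `$c_dir` and `$c_show_disabled` and so bypassed the `db_field_exists` check that the `$f_*` path goes through; a one-line comment above the remaining `if ( $f_save )` block, stating that cookie values are now read earlier into `$f_*` and must pass the clean-up block before reaching any `$c_*` variable, would keep a future refactor from reintroducing the shortcut. The writer still joins the sanitized values with ':' and the reader splits on ':', so that round trip is only safe while no sanitized field can contain the separator; worth stating next to the `explode()` call.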
-- 
1.9.1

dregad

2014-12-28 07:07

developer   ~0042064

Proposed patch attached for review

Related Changesets

MantisBT: master-1.2.x 69c2d28d

2014-12-27 12:34:25

dregad

Fix SQL injection in manage_user_page.php

This vulnerability (CVE-2014-9573) was reported by High-Tech Bridge
Security Research Lab (https://www.htbridge.com/) in issue 0017937
(advisory ID HTB23243).

To avoid injection, the parameters we get from the cookie are now
properly sanitized before being used in the SQL query.

Fixes 0017940
mod - manage_user_page.php

MantisBT: master 7cc4539f

2014-12-27 12:34:25

dregad

Fix SQL injection in manage_user_page.php

This vulnerability (CVE-2014-9573) was reported by High-Tech Bridge
Security Research Lab (https://www.htbridge.com/) in issue 0017937
(advisory ID HTB23243).

To avoid injection, the parameters we get from the cookie are now
properly sanitized before being used in the SQL query.

Fixes 0017940
mod - manage_user_page.php

Issue History

Date Modified Username Field Change
2014-12-03 15:05 dregad New Issue
2014-12-03 15:05 dregad Relationship added child of 0017937
2014-12-03 15:06 dregad Reporter dregad => htbridge
2014-12-05 18:34 dregadmin Target Version 1.2.18 => 1.2.19
2014-12-27 12:25 dregad Assigned To => dregad
2014-12-27 12:25 dregad Status new => assigned
2014-12-28 07:05 dregad Relationship added related to 0017939
2014-12-28 07:05 dregad Relationship added related to 0017938
2014-12-28 07:06 dregad File Added: 0001-Fix-SQL-injection-in-manage_user_page.php.patch
2014-12-28 07:07 dregad Note Added: 0042064
2015-01-09 08:10 dregad Summary SQL Injection in manage_user_page.php => CVE-2014-9573: SQL Injection in manage_user_page.php
2015-01-09 08:24 dregad Changeset attached => MantisBT master-1.2.x 69c2d28d
2015-01-09 08:24 dregad Status assigned => resolved
2015-01-09 08:24 dregad Resolution open => fixed
2015-01-09 08:24 dregad Fixed in Version => 1.2.19
2015-01-09 08:24 dregad Changeset attached => MantisBT master 7cc4539f
2015-01-16 18:46 dregad View Status private => public
2015-01-25 18:17 dregadmin Status resolved => closed
2015-01-27 04:50 dregad Issue cloned: 0019277
2015-01-27 04:50 dregad Relationship added has duplicate 0019277