View Issue Details
Field | Value |
---|---|
ID | 0017940 |
Project | mantisbt |
Category | security |
View Status | public |
Date Submitted | 2014-12-03 15:05 |
Last Update | 2015-01-27 04:50 |
Reporter | htbridge |
Assigned To | dregad |
Priority | normal |
Severity | major |
Reproducibility | have not tried |
Status | closed |
Resolution | fixed |
Product Version | 1.2.17 |
Target Version | 1.2.19 |
Fixed in Version | 1.2.19 |
Summary | 0017940: CVE-2014-9573: SQL Injection in manage_user_page.php |
Description | The vulnerability can be used to manipulate existing SQL queries. An attacker can obtain potentially sensitive data and use it to elevate privileges within the application. It is also possible for certain configurations to upload a backdoor and gain complete access to the webserver or website. 3.1 The vulnerability exists due to insufficient filtration of the "MANTIS_MANAGE_USERS_COOKIE" HTTP COOKIE in "/manage_user_page.php" script. A remote user with administrative privileges can inject and execute arbitrary SQL code within the application's database. The exploit code below modifies the SQL query and injects malicious "INTO OUTFILE" statement. As a result, current MySQL user login will be written into the "/var/www/file.txt" file: GET /manage_user_page.php?hideinactive=0 HTTP/1.1 Successful exploitation requires that the MySQL account has FILE privileges within the database. To exploit this vulnerability an attacker must create a specially crafted cookie for the application administrator. This can be achieved using XSS vulnerabilities, described in paragraphs 1.1 – 1.3 of this advisory. |
Additional Information | Advisory ID: HTB23243. Original report in 0017937 |
Tags | No tags attached. |
Attached Files | 0001-Fix-SQL-injection-in-manage_user_page.php.patch (3,523 bytes)
From 5eda2d414e13b7685bd1bb81791872d72c2a0f26 Mon Sep 17 00:00:00 2001 From: Damien Regad <dregad@mantisbt.org> Date: Sat, 27 Dec 2014 18:34:25 +0100 Subject: [PATCH 1/3] Fix SQL injection in manage_user_page.php This vulnerability was reported by High-Tech Bridge Security Research Lab (https://www.htbridge.com/) in issue #17937 (advisory ID HTB23243). To avoid injection, the parameters we get from the cookie are now properly sanitized before being used in the SQL query. Fixes #17940 --- manage_user_page.php | 67 +++++++++++++++++++++++++++------------------------- 1 file changed, 35 insertions(+), 32 deletions(-) diff --git a/manage_user_page.php b/manage_user_page.php index 0f964b5..c7c054a 100644 --- a/manage_user_page.php +++ b/manage_user_page.php 
@@ -31,19 +31,46 @@ access_ensure_global_level( config_get( 'manage_user_threshold' ) ); - $f_sort = gpc_get_string( 'sort', 'username' ); - $f_dir = gpc_get_string( 'dir', 'ASC' ); - $f_hide_inactive = gpc_get_bool( 'hideinactive' ); - $f_show_disabled = gpc_get_bool( 'showdisabled' ); - $f_save = gpc_get_bool( 'save' ); - $f_filter = utf8_strtoupper( gpc_get_string( 'filter', config_get( 'default_manage_user_prefix' ) ) ); - $f_page_number = gpc_get_int( 'page_number', 1 ); - $t_user_table = db_get_table( 'mantis_user_table' ); $t_cookie_name = config_get( 'manage_users_cookie' ); $t_lock_image = '<img src="' . config_get( 'icon_path' ) . 'protected.gif" width="8" height="15" border="0" alt="' . lang_get( 'protected' ) . '" />'; $c_filter = ''; + $f_save = gpc_get_bool( 'save' ); + $f_filter = utf8_strtoupper( gpc_get_string( 'filter', config_get( 'default_manage_user_prefix' ) ) ); + $f_page_number = gpc_get_int( 'page_number', 1 ); + + if( !$f_save && !is_blank( gpc_get_cookie( $t_cookie_name, '' ) ) ) { + $t_manage_arr = explode( ':', gpc_get_cookie( $t_cookie_name ) ); + + # Hide Inactive + $f_hide_inactive = (bool)$t_manage_arr[0]; + + # Sort field + if ( isset( $t_manage_arr[1] ) ) { + $f_sort = $t_manage_arr[1]; + } else { + $f_sort = 'username'; + } + + # Sort order + if ( isset( $t_manage_arr[2] ) ) { + $f_dir = $t_manage_arr[2]; + } else { + $f_dir = 'DESC'; + } + + # Show Disabled + if ( isset( $t_manage_arr[3] ) ) { + $f_show_disabled = $t_manage_arr[3]; + } + } else { + $f_sort = gpc_get_string( 'sort', 'username' ); + $f_dir = gpc_get_string( 'dir', 'ASC' ); + $f_hide_inactive = gpc_get_bool( 'hideinactive' ); + $f_show_disabled = gpc_get_bool( 'showdisabled' ); + } + # Clean up the form variables if ( !db_field_exists( $f_sort, $t_user_table ) ) { $c_sort = 'username'; 
@@ -65,30 +92,6 @@ if ( $f_save ) { $t_manage_string = $c_hide_inactive.':'.$c_sort.':'.$c_dir.':'.$c_show_disabled; gpc_set_cookie( $t_cookie_name, $t_manage_string, true ); - } else if ( !is_blank( gpc_get_cookie( $t_cookie_name, '' ) ) ) { - $t_manage_arr = explode( ':', gpc_get_cookie( $t_cookie_name ) ); - - # Hide Inactive - $c_hide_inactive = $t_manage_arr[0]; - - # Sort field - if ( isset( $t_manage_arr[1] ) ) { - $c_sort = $t_manage_arr[1]; - } else { - $c_sort = 'username'; - } - - # Sort order - if ( isset( $t_manage_arr[2] ) ) { - $c_dir = $t_manage_arr[2]; - } else { - $c_dir = 'DESC'; - } - - # Show Disabled - if ( isset( $t_manage_arr[3] ) ) { - $c_show_disabled = $t_manage_arr[3]; - } } html_page_top( lang_get( 'manage_users_link' ) ); -- 1.9.1 | ||||
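Review bot: in the first hunk (`@@ -31,19 +31,46 @@`), `$f_show_disabled` is left undefined when the cookie has fewer than four parts, because the `isset( $t_manage_arr[3] )` branch has no `else`, and unlike `$f_hide_inactive` it is not cast to bool; suggest `$f_show_disabled = isset( $t_manage_arr[3] ) ? (bool)$t_manage_arr[3] : false;`. The cookie branch also defaults `$f_dir` to `'DESC'` while the request branch defaults to `'ASC'`, which looks unintentional. Only the `db_field_exists( $f_sort, $t_user_table )` check is visible in the trailing context, so please confirm that `$f_dir` is likewise restricted to ASC/DESC in the cleanup block before either value is concatenated into the query.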
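Review bot: in the second hunk (`@@ -65,30 +92,6 @@`), the removed `else if` branch is the actual bug: it assigned the raw cookie parts straight to `$c_hide_inactive`, `$c_sort`, `$c_dir` and `$c_show_disabled` after the cleanup block had run, so the cookie's sort column and direction bypassed the `db_field_exists()` check entirely. With the branch gone, `$t_manage_string` written on save is built only from cleaned `$c_*` values, and the cookie is now read before cleanup; a regression test that feeds a cookie whose sort part is not a column name and asserts the fallback to `username` would keep this from reappearing.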
has duplicate | 0019277 | closed | dregad | CVE-2014-9573: SQL Injection in manage_user_page.php |
related to | 0017939 | closed | dregad | CVE-2014-9572: Improper Access Control in install.php |
related to | 0017938 | closed | dregad | CVE-2014-9571: XSS in install.php |
child of | 0017937 | closed | dregad | MantisBT Security Vulnerability Notification (HTB23243) |
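An added example, not MantisBT's own code, of the whitelisting the fix relies on: each part of the `hide_inactive:sort:dir:show_disabled` cookie (the format seen in the patch) is checked against a known-good set before it can reach an ORDER BY clause. The `$allowed_fields` list is an assumed stand-in for `db_field_exists()`, and the sample cookie values are constructed.

```php
<?php
/**
 * Whitelist every part of the manage-users cookie before use in SQL.
 *
 * @param string   $cookie         raw cookie value (client-controlled)
 * @param string[] $allowed_fields sortable columns; assumed stand-in for db_field_exists()
 * @return array   cleaned settings with safe defaults
 */
function parse_manage_users_cookie( $cookie, array $allowed_fields ) {
    $parts = explode( ':', (string)$cookie );

    # Part 0: boolean flag, cast so it can never be interpolated as text
    $hide_inactive = isset( $parts[0] ) && (bool)$parts[0];

    # Part 1: sort column must be a known column name, otherwise fall back
    $sort = ( isset( $parts[1] ) && in_array( $parts[1], $allowed_fields, true ) )
        ? $parts[1]
        : 'username';

    # Part 2: direction must be exactly ASC or DESC (input compared case-insensitively)
    $dir = isset( $parts[2] ) ? strtoupper( $parts[2] ) : 'DESC';
    if( !in_array( $dir, array( 'ASC', 'DESC' ), true ) ) {
        $dir = 'DESC';
    }

    # Part 3: boolean flag; defaults to false when the cookie has fewer than four parts
    $show_disabled = isset( $parts[3] ) && (bool)$parts[3];

    return array(
        'hide_inactive' => $hide_inactive,
        'sort'          => $sort,
        'dir'           => $dir,
        'show_disabled' => $show_disabled,
    );
}

# Constructed inputs: a well-formed cookie and one carrying an injected sort field
$t_allowed = array( 'id', 'username', 'realname', 'email', 'access_level', 'enabled' );
$t_good = parse_manage_users_cookie( '1:realname:asc:0', $t_allowed );
$t_bad  = parse_manage_users_cookie( "0:username INTO OUTFILE '/tmp/x':ASC:1", $t_allowed );

assert( $t_good['sort'] === 'realname' && $t_good['dir'] === 'ASC' );
assert( $t_bad['sort'] === 'username' && $t_bad['dir'] === 'ASC' && $t_bad['show_disabled'] === true );

# Only the whitelisted tokens are ever concatenated into the query
$t_query = "SELECT * FROM mantis_user_table ORDER BY {$t_bad['sort']} {$t_bad['dir']}";
echo $t_query, "\n";
```

The injected sort part collapses to the `username` default, so the string that reaches the database is the same as for a clean cookie.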
MantisBT: master-1.2.x 69c2d28d 2014-12-27 07:34 Details Diff |
Fix SQL injection in manage_user_page.php This vulnerability (CVE-2014-9573) was reported by High-Tech Bridge Security Research Lab (https://www.htbridge.com/) in issue 0017937 (advisory ID HTB23243). To avoid injection, the parameters we get from the cookie are now properly sanitized before being used in the SQL query. Fixes 0017940 |
Affected Issues 0017937, 0017940 |
mod - manage_user_page.php | Diff File |
MantisBT: master 7cc4539f 2014-12-27 07:34 Details Diff |
Fix SQL injection in manage_user_page.php This vulnerability (CVE-2014-9573) was reported by High-Tech Bridge Security Research Lab (https://www.htbridge.com/) in issue 0017937 (advisory ID HTB23243). To avoid injection, the parameters we get from the cookie are now properly sanitized before being used in the SQL query. Fixes 0017940 |
Affected Issues 0017937, 0017940, 0019277 |
mod - manage_user_page.php | Diff File |