View Issue Details

ID: 0017993
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2015-01-25 18:17
Reporter: chief1983
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Multiple
OS: Linux
OS Version: Multiple
Product Version: 1.2.18
Target Version: 1.2.19
Fixed in Version: 1.2.19
Summary: 0017993: User creation with captcha broken by fix for issue 0017811
Description

APPLICATION ERROR 2701

Session variable "captcha_key" not found.

Steps To Reproduce
  1. Attempt to create a new user. Have captchas enabled in the mantis config.
  2. After submitting the form with the captcha, the above error occurs.
Additional Information

As stated in the description, it seems related to the change in 0017811. CentOS also seems to have run across this issue (https://bugs.centos.org/view.php?id=7980), however I am confirming that this also happens on http://scp.indiegames.us/mantis. Rather than go with CentOS' option and just disable captcha usage, it would be nice to see a fix for this in the next 1.2.x maintenance release. I don't plan on adopting 1.3.x immediately after release and would rather not downgrade back to 1.2.17 and place more security holes on the system instead of less, such as CVE-2014-9117, or eliminating captcha altogether.

Tags: No tags attached.

Relationships

related to 0017811 (closed, vboctor): CVE-2014-9117: CAPTCHA bypass
related to 0017984 (closed, dregad): CVE-2014-9624: CAPTCHA bypass is way easier than it should be
has duplicate 0018057 (closed, dregad): Problem with new users signup
has duplicate 0020123 (closed, atrol): Captcha fails when Anonymous is enabled

Activities

dregad (developer), 2015-01-03 16:21, note ~0042088
Last edited: 2015-01-03 16:26

I noticed this behavior as well, and confirm the regression was introduced by 0017811 (commit 7bb78e45).

dregad (developer), 2015-01-03 16:49, note ~0042089

Pull request for review: https://github.com/mantisbt/mantisbt/pull/566

dregad (developer), 2015-01-16 19:35

Attached file: fix-17993-with-session-reopen.patch (1,893 bytes)
commit 5b880f31f19d7eb8378a5c089f40758f66c8b12f
Author: Damien Regad <dregad@mantisbt.org>
Date:   2015-01-02 01:32:41 +0100

    Fix captcha validation
    
    Following 7bb78e4581ff1092c811ea96582fe602624cdcdd, it was no longer
    possible to validate the captcha, because the PHP session is destroyed
    as part of the logout performed in signup.php.
    
    We now retrieve the captcha key from the session before logging out, and
    recreate the session variable after that.
    
    Fixes #17993

diff --git a/core/session_api.php b/core/session_api.php
index ff1230a..9f2ab4d 100644
--- a/core/session_api.php
+++ b/core/session_api.php
@@ -171,6 +171,7 @@ class MantisPHPSession extends MantisSession {
 		}
 
 		unset( $_SESSION[ $this->key ] );
+		session_write_close();
 	}
 }
 
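Review bot: the `session_write_close();` added after `unset( $_SESSION[ $this->key ] );` closes the PHP session for every caller of this method, not only the signup flow, so any code that calls `session_set()` later in the same request without first re-running `session_init()` writes into a closed session and loses the value; either document that side effect in the method's docblock or keep the close in the one caller (signup.php) that restarts the session right afterwards. Note ~0042177 on this issue records that the PR 566 discussion decided against this close-and-reopen approach.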
diff --git a/signup.php b/signup.php
index 37f3f27..b63e772 100644
--- a/signup.php
+++ b/signup.php
@@ -37,9 +37,16 @@
 	$f_email = email_append_domain( trim( $f_email ) );
 	$f_captcha = utf8_strtolower( trim( $f_captcha ) );
 
+	# Retrieve captcha key now, as session might get cleared by logout
+	$t_form_key = session_get_int( CAPTCHA_KEY, null );
+
 	# force logout on the current user if already authenticated
 	if( auth_is_user_authenticated() ) {
 		auth_logout();
+		# Restart session and save captcha key again to ensure consistent
+		# behavior when the page is reloaded
+		session_init();
+		session_set( CAPTCHA_KEY, $t_form_key );
 	}
 
 	# Check to see if signup is allowed
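Review bot: `session_get_int( CAPTCHA_KEY, null )` with a null default changes the failure mode for a request that carries no captcha key: instead of the session-variable error the original `session_get( CAPTCHA_KEY )` raised (the 2701 reported in this issue), `$t_form_key` becomes null, `session_set( CAPTCHA_KEY, $t_form_key )` stores null into the freshly initialised session, and the later `md5( config_get( 'password_confirm_hash_magic_string' ) . $t_form_key )` concatenates an empty string, yielding a key derived from the magic string alone. Add an explicit check such as `if( $t_form_key === null ) { trigger_error( ... ); }` before the logout block so a missing key is rejected rather than silently carried into the comparison.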
@@ -50,8 +57,6 @@
 
 	if( ON == config_get( 'signup_use_captcha' ) && get_gd_version() > 0 	&&
 				helper_call_custom_function( 'auth_can_change_password', array() ) ) {
-		$t_form_key = session_get( CAPTCHA_KEY );
-
 		# captcha image requires GD library and related option to ON
 		$t_key = utf8_strtolower( utf8_substr( md5( config_get( 'password_confirm_hash_magic_string' ) . $t_form_key ), 1, 5) );
 
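Review bot: with the in-branch `$t_form_key = session_get( CAPTCHA_KEY );` removed, the only remaining use of `$t_form_key` is the `md5( ... . $t_form_key )` concatenation on the line below, and the value now comes from `session_get_int()` at the top of the file instead of `session_get()`; confirm that the integer accessor returns the same string representation that the key generator in make_captcha_img.php stores, otherwise the computed `$t_key` will never match the rendered image. It would also help to carry a one-line comment here pointing to the earlier read, since the variable's origin is no longer visible in this block.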
dregad (developer), 2015-01-16 19:36, note ~0042177

Attaching the original patch with session close & reopen to keep a record of it, following discussion in PR 566 not to do it.

dregad (developer), 2015-01-23 10:55, note ~0042257

If you have upgraded to 1.2.18 and are affected by this issue, you probably don't want to wait for 1.2.19 and most likely don't want to downgrade back to 1.2.17 or whatever version you originally came from either.

Feel free to apply the patch in commit 1eab7aca (see below):
http://github.com/mantisbt/mantisbt/commit/1eab7aca.diff

Related Changesets

MantisBT: master-1.2.x 7bb78e45

2014-11-24 23:28:34

Author: vboctor
Committer: dregad

Use session rather than form key for captcha

Fixes 0017811

Signed-off-by: Damien Regad <dregad@mantisbt.org>

mod - core/constant_inc.php
mod - make_captcha_img.php
mod - signup.php
mod - signup_page.php

MantisBT: master-1.2.x 1eab7aca

2015-01-01 19:32:41

Author: dregad

Fix captcha validation

Following 7bb78e4581ff1092c811ea96582fe602624cdcdd, it was no longer
possible to validate the captcha, because the PHP session is destroyed
as part of the logout performed in signup.php.

We now retrieve the captcha key from the session before logging out.

Fixes 0017993

mod - core/session_api.php
mod - signup.php

Issue History

Date Modified Username Field Change
2015-01-03 14:41 chief1983 New Issue
2015-01-03 16:21 dregad Assigned To => dregad
2015-01-03 16:21 dregad Status new => assigned
2015-01-03 16:21 dregad Note Added: 0042088
2015-01-03 16:24 dregad Relationship added related to 0017811
2015-01-03 16:26 dregad Changeset attached => MantisBT master-1.2.x 7bb78e45
2015-01-03 16:26 dregad Note Edited: 0042088
2015-01-03 16:49 dregad Note Added: 0042089
2015-01-03 17:03 dregad Summary 0017811 breaks new user creation with captchas => User creation with captcha broken by fix for issue 0017811
2015-01-03 17:03 dregad Description Updated
2015-01-03 17:03 dregad Target Version => 1.2.19
2015-01-03 17:28 dregad Relationship added related to 0017984
2015-01-16 19:35 dregad File Added: fix-17993-with-session-reopen.patch
2015-01-16 19:36 dregad Note Added: 0042177
2015-01-16 19:38 dregad Changeset attached => MantisBT master-1.2.x 1eab7aca
2015-01-16 19:38 dregad Status assigned => resolved
2015-01-16 19:38 dregad Resolution open => fixed
2015-01-16 19:38 dregad Fixed in Version => 1.2.19
2015-01-23 10:45 dregad Relationship added has duplicate 0018057
2015-01-23 10:55 dregad Note Added: 0042257
2015-01-25 18:17 dregadmin Status resolved => closed
2015-09-17 17:49 atrol Relationship added has duplicate 0020123