View Issue Details

WikiRelated ChangesetsJump to Notes
IDProjectCategoryView StatusDate SubmittedLast Update
0008976mantisbtsecuritypublic2008-03-14 20:242008-06-17 02:48
Reporterthraxisp Assigned Togiallu  
PrioritynormalSeverityminorReproducibilityhave not tried
Status closedResolutionfixed 
Product Version1.1.1 
Target Version1.1.2Fixed in Version1.1.2 
Summary0008976: Remote Code Execution in adm_config
Description

Mantis Bug Tracker 1.1.1 Multiple Vulnerabilities

Name Multiple Vulnerabilities in Mantis
Systems Affected Mantis 1.1.1 and possibly earlier versions
Severity
Impact (CVSSv2) (, vector: )
Vendor http://www.mantisbt.org/
Advisory
Authors Antonio "s4tan" Parata (s4tan AT ush DOT it)
Francesco "ascii" Ongaro (ascii AT ush DOT it)
Date

C) Remote Code Execution Vulnerabilities

Finally we present the most critical vulnerability. A Remote Code Execution vulnerability exists in the software, but it can be exploited only if the attacker has a valid adminitrator account, so it could be ideal if used in conjunction with the previous one. The vulnerability is in the file adm_config_set.php. On row 80 we have the following statement:

eval( '$t_value = ' . $f_value . ';' );

where the $f_value is defined at row 34 of the same file:

$f_value = gpc_get_string( 'value' );

the parameter $f_value is never validated, so we can exploit this issue with the following url wich executes the phpinfo() function:

http://www.example.com/mantis/adm_config_set.php?user_id=0&project_id=0&config_option=cache_config&type=0&value=0;phpinfo()

TagsNo tags attached.
Attached Files
bug8976.patch (1,792 bytes)    
Index: adm_config_set.php
===================================================================
--- adm_config_set.php	(revision 5297)
+++ adm_config_set.php	(working copy)
@@ -76,10 +76,47 @@
 	} else if ( $t_type === 'integer' ) {
 		$t_value = (integer)$f_value;
 	} else {
-		eval( '$t_value = ' . $f_value . ';' );
+		# We support these kind of variables here:
+		# 1. constant values (like the ON/OFF switches): they are defined as constants mapping to numeric values
+		# 2. simple arrays with the form: array( a, b, c, d )
+		# 3. associative arrays with the form: array( a=>1, b=>2, c=>3, d=>4 )
+		$t_full_string = trim( $f_value );
+		if ( preg_match('/array\((.*)\)/', $t_full_string, $t_match ) === 1 ) {
+			// we have an array here
+			$t_values = split( ',', trim( $t_match[1] ) );
+			foreach ( $t_values as $key => $value ) {
+				$t_split = split ('=>',  $value );
+				if ( count( $t_split ) == 2 ) {
+					// associative array
+					$t_new_key = constant_replace( trim( $t_split[0] ) );
+					$t_new_value = constant_replace( trim( $t_split[1] ) );
+					$t_value[ $t_new_key ] = $t_new_value;
+				}
+				else {
+					// regular array
+					$t_value[ $key ] = constant_replace( trim( $value ) );
+				}
+			}
+		}
+		else {
+			// scalar value
+			$t_value = constant_replace( trim( $t_full_string ) );
+		}
 	}
 
 	config_set( $f_config_option, $t_value, $f_user_id, $f_project_id );
 
 	print_successful_redirect( 'adm_config_report.php' );
-?>
\ No newline at end of file
+
+
+	/** 
+	 * Check if the passed string is a constant and return its value
+	 */
+	function constant_replace( $p_name ) {
+		$t_result = $p_name;
+		if ( is_string( $p_name ) && defined( $p_name ) ) {
+			// we have a constant
+			$t_result = constant( $p_name );
+		}
+		return $t_result;
+	}
bug8976.patch (1,792 bytes)   

Relationships

parent of 0008980 closedgiallu Port: Remote Code Execution in adm_config 
related to 0009426 closedgiallu Creating the view_issues_page_columns creates a string 

Activities

thraxisp

thraxisp

2008-03-16 20:36

reporter   ~0017382

patch added to SVN (r5121) to hide the change configuration form if the user is below the set_configuration threshold. This should make the issue less accessible until a complete set of configuration controls can be built.
giallu

giallu

2008-05-28 19:32

reporter   ~0017932

I think the best fix is to start removing the eval() line, then add back at least a basic subset of what was possible with the eval.

The attached patch was written with this spirit, and adds back support for simple values (including constants interpolation) and arrays (simple and associative)

I'd appreciate a review before committing though.
vboctor

vboctor

2008-05-29 01:19

manager   ~0017935

This seems to be the last security issue that is blocking 1.1.2 release. Once this is done, we can cut the release. There are about 4 other issues that are not critical and can be re-targeted to future 1.1.x release.
giallu

giallu

2008-05-29 05:36

reporter   ~0017941

Fixed in SVN revision 5298

http://mantisbt.svn.sourceforge.net/viewvc/mantisbt?view=rev&revision=5298
giallu

giallu

2008-05-29 05:48

reporter   ~0017942

Removing private status since this is public now, as part of CVE-2008-2276.

Rad Hat reference:
https://bugzilla.redhat.com/show_bug.cgi?id=448410

Related Changesets

MantisBT: master-1.1.x 1f34bc8c

2008-05-29 05:17

giallu


Details Diff		 Fix 8976: Remote Code Execution in adm_config

git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0@5298 <a class="text" href="/?p=mantisbt.git;a=object;h=f5dc347c">f5dc347c</a>-c33d-0410-90a0-b07cc1902cb9		 Affected Issues
0008976
mod - adm_config_set.php Diff File