View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0008976 | mantisbt | security | public | 2008-03-14 20:24 | 2008-06-17 02:48 |
Reporter | thraxisp | Assigned To | giallu | ||
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | closed | Resolution | fixed | ||
Product Version | 1.1.1 | ||||
Target Version | 1.1.2 | Fixed in Version | 1.1.2 | ||
Summary | 0008976: Remote Code Execution in adm_config | ||||
Description | Mantis Bug Tracker 1.1.1 Multiple Vulnerabilities Name Multiple Vulnerabilities in Mantis C) Remote Code Execution Vulnerabilities Finally we present the most critical vulnerability. A Remote Code Execution vulnerability exists in the software, but it can be exploited only if the attacker has a valid administrator account, so it could be ideal if used in conjunction with the previous one. The vulnerability is in the file adm_config_set.php. On row 80 we have the following statement: eval( '$t_value = ' . $f_value . ';' ); where the $f_value is defined at row 34 of the same file: $f_value = gpc_get_string( 'value' ); the parameter $f_value is never validated, so we can exploit this issue with the following url which executes the phpinfo() function: | ||||
Tags | No tags attached. | ||||
Attached Files | bug8976.patch (1,792 bytes)
Index: adm_config_set.php =================================================================== --- adm_config_set.php (revision 5297) +++ adm_config_set.php (working copy) @@ -76,10 +76,47 @@ } else if ( $t_type === 'integer' ) { $t_value = (integer)$f_value; } else { - eval( '$t_value = ' . $f_value . ';' ); + # We support these kind of variables here: + # 1. constant values (like the ON/OFF switches): they are defined as constants mapping to numeric values + # 2. simple arrays with the form: array( a, b, c, d ) + # 3. associative arrays with the form: array( a=>1, b=>2, c=>3, d=>4 ) + $t_full_string = trim( $f_value ); + if ( preg_match('/array\((.*)\)/', $t_full_string, $t_match ) === 1 ) { + // we have an array here + $t_values = split( ',', trim( $t_match[1] ) ); + foreach ( $t_values as $key => $value ) { + $t_split = split ('=>', $value ); + if ( count( $t_split ) == 2 ) { + // associative array + $t_new_key = constant_replace( trim( $t_split[0] ) ); + $t_new_value = constant_replace( trim( $t_split[1] ) ); + $t_value[ $t_new_key ] = $t_new_value; + } + else { + // regular array + $t_value[ $key ] = constant_replace( trim( $value ) ); + } + } + } + else { + // scalar value + $t_value = constant_replace( trim( $t_full_string ) ); + } } config_set( $f_config_option, $t_value, $f_user_id, $f_project_id ); print_successful_redirect( 'adm_config_report.php' ); -?> \ No newline at end of file + + + /** + * Check if the passed string is a constant and return its value + */ + function constant_replace( $p_name ) { + $t_result = $p_name; + if ( is_string( $p_name ) && defined( $p_name ) ) { + // we have a constant + $t_result = constant( $p_name ); + } + return $t_result; + } | ||||
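
Review bot: In the array branch, `split( ',', trim( $t_match[1] ) )` on an empty `array()` yields one empty item, so `$t_value[0] = ''` is stored instead of an empty array, and quoted elements such as `array( 'a', 'b' )` keep their quote characters, because `constant_replace()` returns the trimmed token unchanged whenever it is not a defined constant (the removed `eval()` produced `a` and `b`). Suggest initialising `$t_value = array();` before the loop, skipping the loop when the trimmed body is empty, and either stripping matching surrounding quotes from a token before the `defined()` check or rejecting any token that is neither a number, a quoted string nor a defined constant. Two smaller points in the same region: `/array\((.*)\)/` is unanchored, so any value that merely contains `array(` and a later `)` takes this branch (`/^array\((.*)\)$/` is tighter), and `split()` treats its first argument as a POSIX regex, so `explode()` is the better fit for the literal `,` and `=>` delimiters.
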

Patch added to SVN (r5121) to hide the change configuration form if the user is below the set_configuration threshold. This should make the issue less accessible until a complete set of configuration controls can be built.

I think the best fix is to start removing the eval() line, then add back at least a basic subset of what was possible with the eval. The attached patch was written with this spirit, and adds back support for simple values (including constants interpolation) and arrays (simple and associative). I'd appreciate a review before committing though.

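
As an added example (not MantisBT's code and not the attached patch), here is an eval()-free parser for the value forms the comment above says the fix should keep: bare constants such as ON/OFF, simple arrays and associative arrays. It goes somewhat beyond the patch by also accepting quoted strings (including ones that contain commas), integers, floats and an empty `array()`, and by rejecting every other input with an exception, so a submitted value can never reach `eval()`. `ON` and `OFF` are defined locally as stand-ins for the MantisBT constants; `parse_config_value`, `parse_scalar`, `split_array_items` and `ConfigValueError` are names chosen for this example.

```php
<?php
// Added example, not MantisBT code: a closed grammar for submitted config
// values. Supported forms:
//   1. scalars: integers, floats, 'quoted' strings, defined constants (ON/OFF)
//   2. simple arrays:      array( a, b, c )
//   3. associative arrays: array( a => 1, b => 2 )
// Nested arrays, function calls and bare unknown words are rejected.

define( 'ON', 1 );   // stand-ins for the MantisBT constants (assumption)
define( 'OFF', 0 );

class ConfigValueError extends Exception {}

/**
 * Parse one scalar token. An unknown bare word is an error rather than a
 * string, so a typo such as OFFF cannot silently become the string "OFFF".
 */
function parse_scalar( $p_token ) {
    $t_token = trim( $p_token );
    if ( $t_token === '' ) {
        throw new ConfigValueError( 'empty value' );
    }
    if ( preg_match( '/^-?\d+$/', $t_token ) ) {
        return (int)$t_token;
    }
    if ( preg_match( '/^-?\d+\.\d+$/', $t_token ) ) {
        return (float)$t_token;
    }
    // quoted string: no escape processing, the quote is the only special char
    if ( preg_match( '/^([\'"])([^\'"]*)\1$/', $t_token, $t_m ) ) {
        return $t_m[2];
    }
    // constant name: identifier characters only, and it must already be defined
    if ( preg_match( '/^[A-Za-z_][A-Za-z0-9_]*$/', $t_token ) && defined( $t_token ) ) {
        return constant( $t_token );
    }
    throw new ConfigValueError( "unrecognised value: $t_token" );
}

/**
 * Split the body of array( ... ) on top-level commas, leaving commas inside
 * quotes alone. Returns an empty list for array().
 */
function split_array_items( $p_body ) {
    $t_items = array();
    $t_current = '';
    $t_quote = null;
    $t_len = strlen( $p_body );
    for ( $i = 0; $i < $t_len; $i++ ) {
        $c = $p_body[$i];
        if ( $t_quote !== null ) {
            $t_current .= $c;
            if ( $c === $t_quote ) {
                $t_quote = null;
            }
        } else if ( $c === '\'' || $c === '"' ) {
            $t_quote = $c;
            $t_current .= $c;
        } else if ( $c === ',' ) {
            $t_items[] = $t_current;
            $t_current = '';
        } else {
            $t_current .= $c;
        }
    }
    if ( $t_quote !== null ) {
        throw new ConfigValueError( 'unterminated quote' );
    }
    if ( trim( $t_current ) !== '' ) {
        $t_items[] = $t_current;
    }
    return $t_items;
}

/**
 * Replacement for  eval( '$t_value = ' . $f_value . ';' );
 * Only the three value forms above are accepted; nothing is executed.
 * Limitation: a literal "=>" inside a quoted key or value is not supported.
 */
function parse_config_value( $p_raw ) {
    $t_full = trim( $p_raw );
    // anchored match: "array(...)" must be the whole value, not a substring of it
    if ( preg_match( '/^array\s*\((.*)\)$/s', $t_full, $t_m ) !== 1 ) {
        return parse_scalar( $t_full );
    }
    $t_value = array();   // so array() really is an empty array
    foreach ( split_array_items( $t_m[1] ) as $t_index => $t_item ) {
        $t_pair = explode( '=>', $t_item, 2 );
        if ( count( $t_pair ) === 2 ) {
            $t_value[ parse_scalar( $t_pair[0] ) ] = parse_scalar( $t_pair[1] );
        } else {
            $t_value[ $t_index ] = parse_scalar( $t_item );
        }
    }
    return $t_value;
}

// constructed inputs: accepted forms, then a function call that must be rejected
var_dump( parse_config_value( 'ON' ) );
var_dump( parse_config_value( "array( 'a', 'b,c' )" ) );
var_dump( parse_config_value( "array( 'en' => ON, 'fr' => OFF )" ) );
var_dump( parse_config_value( 'array()' ) );
try {
    parse_config_value( 'phpinfo()' );
} catch ( ConfigValueError $e ) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

The design choice is that every token must match one of a few fixed shapes before it is used, and the fallback is an exception rather than "keep the raw string": with the raw-string fallback an attacker-controlled value still ends up stored verbatim in the config table, whereas a closed grammar lets the caller show an error and store nothing.
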

This seems to be the last security issue that is blocking the 1.1.2 release. Once this is done, we can cut the release. There are about 4 other issues that are not critical and can be re-targeted to a future 1.1.x release.

Fixed in SVN revision 5298 http://mantisbt.svn.sourceforge.net/viewvc/mantisbt?view=rev&revision=5298

Removing private status since this is public now, as part of CVE-2008-2276. Red Hat reference:

MantisBT: master-1.1.x 1f34bc8c 2008-05-29 05:17
Fix 8976: Remote Code Execution in adm_config git-svn-id: http://mantisbt.svn.sourceforge.net/svnroot/mantisbt/branches/BRANCH_1_1_0@5298 f5dc347c-c33d-0410-90a0-b07cc1902cb9
Affected Issues 0008976

mod - adm_config_set.php