View Issue Details

ID: 0013245
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-09-23 18:05
Reporter: atrol
Assigned To: dhx
Priority: immediate
Severity: block
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.2.6
Target Version: 1.2.7
Fixed in Version: 1.2.7
Summary: 0013245: Cross site scripting and remote SQL injection vulnerabilities
Description

[ Vulnerable File ]

http://127.0.0.1/path/search.php?project_id=[XSS]

http://127.0.0.1/path/core.php?mbadmin=[SQL]

[ XpL ]

http://127.0.0.1/path/search.php?project_id="><script>alert(0)</script>

http://127.0.0.1/path/core.php?mbadmin=2+Order+By+10--

See http://packetstormsecurity.org/files/104149

Tags: No tags attached.

Relationships

related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x

Activities

dhx (reporter), 2011-08-18 11:02, note ~0029512

All fixed!

dhx (reporter), 2011-08-18 12:33, note ~0029513

Bug reports cross-posted elsewhere:

Gentoo: https://bugs.gentoo.org/show_bug.cgi?id=379739
Fedora/Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=731777
Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=638321
Ubuntu: https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/828857

A notice/CVE request has also been sent to the oss-security mailing list.

grangeway (reporter), 2013-04-05 17:57, note ~0036422

Marking as 'acknowledged', not resolved/closed, to track that this change gets ported to the master-2.0.x branch.

Related Changesets

MantisBT: master 7c8a564c, 2011-08-18 03:43, dhx
Fix 0013245: XSS issues with search.php parameters

Net.Edit0r (Net.Edit0r@Att.net) from BlACK Hat Group
[http://black-hg.org] posted a vulnerability report for an XSS issue in
search.php for MantisBT 1.2.6.

The full report is available at
http://packetstormsecurity.org/files/104149

filter_api.php is the culprit for this vulnerability as it passes user
supplied search parameters back into output without first escaping the
values.

It should be noted that numerous other XSS vulnerabilities (all related)
have been fixed with this patch. In other words, it is not just the
project_id parameter to search.php that was affected - it was numerous
other parameters/fields as well.

The second SQL injection vulnerability identified by Net.Edit0r is
invalid because the only time we ever make reference to "mbadmin" in the
source code is:

core.php:
if ( file_exists( 'mantis_offline.php' ) && !isset( $_GET['mbadmin'] ) )

This usage is safe because nothing is ever done with $_GET['mbadmin'].
It may be the case that the user's customised version of
mantis_offline.php was incorrectly dumping the value of $_GET['mbadmin']
to the screen. The default/sample mantis_offline.php has been checked
and does not print any dynamically created strings/user supplied values.

Conflicts:
core/filter_api.php
Affected Issues: 0013245
mod - core/filter_api.php

MantisBT: master-1.2.x 317f3db3, 2011-08-18 03:43, dhx
Fix 0013245: XSS issues with search.php parameters

Net.Edit0r (Net.Edit0r@Att.net) from BlACK Hat Group
[http://black-hg.org] posted a vulnerability report for an XSS issue in
search.php for MantisBT 1.2.6.

The full report is available at
http://packetstormsecurity.org/files/104149

filter_api.php is the culprit for this vulnerability as it passes user
supplied search parameters back into output without first escaping the
values.

It should be noted that numerous other XSS vulnerabilities (all related)
have been fixed with this patch. In other words, it is not just the
project_id parameter to search.php that was affected - it was numerous
other parameters/fields as well.

The second SQL injection vulnerability identified by Net.Edit0r is
invalid because the only time we ever make reference to "mbadmin" in the
source code is:

core.php:
if ( file_exists( 'mantis_offline.php' ) && !isset( $_GET['mbadmin'] ) )

This usage is safe because nothing is ever done with $_GET['mbadmin'].
It may be the case that the user's customised version of
mantis_offline.php was incorrectly dumping the value of $_GET['mbadmin']
to the screen. The default/sample mantis_offline.php has been checked
and does not print any dynamically created strings/user supplied values.
Affected Issues: 0013245
mod - core/filter_api.php
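Both changesets above describe the same defect: filter_api.php wrote user-supplied search parameters back into the page without escaping them. The following is an added illustration, not MantisBT's own code, of that reflection pattern next to the hardened form; the function names and the hidden-field markup are hypothetical, and the payload is the reporter's own project_id value used as constructed input.

```php
<?php
// Added example, not code from MantisBT: the unescaped-reflection pattern
// the commit message describes, beside an output-encoded version.
// Function names and the hidden-field markup are hypothetical.

// Constructed input: the reporter's project_id payload as PHP would
// deliver it in $_GET['project_id'] after URL decoding.
$project_id = '"><script>alert(0)</script>';

// Vulnerable: the raw value lands inside value="...". The leading double
// quote closes the attribute and the remainder is parsed as live markup.
function render_filter_field_unsafe( $name, $value ) {
	return '<input type="hidden" name="' . $name . '" value="' . $value . '" />';
}

// Hardened: encode for the HTML attribute context at the point of output.
// ENT_QUOTES turns both quote characters into entities, so the attribute
// cannot be terminated early; < and > are encoded, so no tag can open.
function attr_escape( $s ) {
	return htmlspecialchars( (string)$s, ENT_QUOTES, 'UTF-8' );
}

function render_filter_field_safe( $name, $value ) {
	return '<input type="hidden" name="' . attr_escape( $name )
		. '" value="' . attr_escape( $value ) . '" />';
}

echo render_filter_field_unsafe( 'project_id', $project_id ), "\n";
echo render_filter_field_safe( 'project_id', $project_id ), "\n";

// Self-check: the escaped output must not contain a raw "<script" sequence
// or a raw double quote coming from the value.
$safe = render_filter_field_safe( 'project_id', $project_id );
if ( strpos( $safe, '<script' ) !== false || substr_count( $safe, '"' ) !== 6 ) {
	throw new RuntimeException( 'attribute escaping failed' );
}

// By contrast, core.php only tests isset( $_GET['mbadmin'] ) and never
// writes the value out, which is why that report was rejected; a customised
// mantis_offline.php that echoed $_GET['mbadmin'] would reintroduce the
// unsafe pattern shown in render_filter_field_unsafe().
```

The six double quotes counted in the self-check are exactly those of the three attribute delimiters in the markup, which is what remains once the value's own quote has been encoded as `&quot;`.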