0013282: bug_actiongroup_ext_page.php does not properly sanitise action parameter before including local files - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update

0013282	mantisbt	security	public	2011-09-01 05:41	2015-09-11 11:29

Reporter	dhx	Assigned To	dhx
Priority	immediate	Severity	major	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	1.2.7
Target Version	1.2.8	Fixed in Version	1.2.8

Summary	0013282: bug_actiongroup_ext_page.php does not properly sanitise action parameter before including local files
Description	As reported by High-Tech Bridge SA, vulnerability #HTB23045. Refer to parent issue 0013281 for the full report. 1) Input passed via the "action" GET parameter to bug_actiongroup_ext_page.php & bug_actiongroup_page.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website. The following PoC code is available: http://[host]/bug_actiongroup_ext_page.php?bug_arr[]=1&action=EXT_%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E [^] http://[host]/bug_actiongroup_page.php?bug_arr[]=[ISSUE_ID]&action=EXT_%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E [^]
Tags	No tags attached.

MantisBT: master-1.2.x a7eacc18 2011-08-31 22:36 dhx Details Diff	Fix 0013282, 0013283: bug_actiongroup_ext_page.php LFI and XSS High-Tech Bridge SA Security Research Lab reported 2 issues with the 'action' parameter to bug_actiongroup_ext_page.php Issue 0013282 XSS issue with require_once() call failures returning an unescaped user-supplied filename. There has been a fair amount of recent public talk about PHP error messages being a source of XSS issues. This is an example. Issue 0012283 Local file inclusion/path traversal vulnerability on web servers that allow translations like: http://example.com/directory/file.htm/../file2.htm ==> http://example.com/directory/file2.htm Vulnerable (default configuration): Apache Not vulnerable (default configuration): nginx This issue has _SEVERE_ consequences for people using web servers which don't check each segment of a path from top to bottom for validity. It shouldn't be possible to include the contents of config_inc.php to retrieve MantisBT database passwords because require_once('config_inc.php') will parse the document as a PHP script (echoing nothing). However it may allow attackers to view private files accessible to the web server user account. It also allows an attacker to guess the file structure of a server (existence of installed software, user accounts, etc). nginx will produce a 404 error when it determines that file.htm is not a directory. This makes too much sense, doesn't it?		Affected Issues 0013282, 0013283
	mod - bug_actiongroup_ext_page.php		Diff File
	mod - core/bug_group_action_api.php		Diff File
MantisBT: master c12a32af 2011-08-31 22:36 dhx Details Diff	Fix 0013282, 0013283: bug_actiongroup_ext_page.php LFI and XSS High-Tech Bridge SA Security Research Lab reported 2 issues with the 'action' parameter to bug_actiongroup_ext_page.php Issue 0013282 XSS issue with require_once() call failures returning an unescaped user-supplied filename. There has been a fair amount of recent public talk about PHP error messages being a source of XSS issues. This is an example. Issue 0012283 Local file inclusion/path traversal vulnerability on web servers that allow translations like: http://example.com/directory/file.htm/../file2.htm ==> http://example.com/directory/file2.htm Vulnerable (default configuration): Apache Not vulnerable (default configuration): nginx This issue has _SEVERE_ consequences for people using web servers which don't check each segment of a path from top to bottom for validity. It shouldn't be possible to include the contents of config_inc.php to retrieve MantisBT database passwords because require_once('config_inc.php') will parse the document as a PHP script (echoing nothing). However it may allow attackers to view private files accessible to the web server user account. It also allows an attacker to guess the file structure of a server (existence of installed software, user accounts, etc). nginx will produce a 404 error when it determines that file.htm is not a directory. This makes too much sense, doesn't it? Conflicts: bug_actiongroup_ext_page.php core/bug_group_action_api.php		Affected Issues 0013282, 0013283
	mod - bug_actiongroup_ext_page.php		Diff File
	mod - core/bug_group_action_api.php		Diff File
MantisBT: master-1.2.x 965b00a0 2011-09-03 15:34 dhx Details Diff	Revert "Fix 0013282, 0013283: bug_actiongroup_ext_page.php LFI and XSS" This reverts commit a7eacc181185eff1dd7bd8ceaa34a91cf86cc298. Paul fixed this in a better way with commit a908cc61362059025910e2437d55bedc31863139 (to be backported to 1.2.x after this older commit is reverted).		Affected Issues 0013282, 0013283
	mod - bug_actiongroup_ext_page.php		Diff File
	mod - core/bug_group_action_api.php		Diff File