View Issue Details
| Field | Value |
|---|---|
| ID | 0022702 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2017-04-10 09:54 |
| Last Update | 2017-05-20 16:10 |
| Reporter | hyp3rlinx |
| Assigned To | dregad |
| Priority | high |
| Severity | major |
| Reproducibility | have not tried |
| Status | closed |
| Resolution | fixed |
| Target Version | 1.3.11 |
| Fixed in Version | 1.3.11 |
| Summary | 0022702: CVE-2017-7620: CSRF - Arbitrary Permalink Injection |
| Description | CSRF to Link Injection vulnerability. e.g. http://127.0.0.1/mantisbt-2.3.0/permalink_page.php?url=\/ATTACKER-IP Post the following HTML on remote web server and visit while logged into mantisbt. OR |
| Additional Information | Initially reported by John Page aka hyp3rlinx / ApparitionSec http://hyp3rlinx.altervista.org via e-mail |
| Tags | No tags attached. |
| Attached Files | 0001-Add-form-security-token-to-permalink_page.php.patch (2,026 bytes) |
From 46e58463da2bb6726fc9c81abdffa2ed02b03865 Mon Sep 17 00:00:00 2001 From: Damien Regad <dregad@mantisbt.org> Date: Sun, 7 May 2017 11:34:04 +0200 Subject: [PATCH] Add form security token to permalink_page.php Prevent CSRF / link injection (CVE-2017-7620) Fixes #22702 --- core/filter_api.php | 5 ++++- permalink_page.php | 4 ++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/core/filter_api.php b/core/filter_api.php index ac6a630..bee19cd 100644 --- a/core/filter_api.php +++ b/core/filter_api.php @@ -2451,8 +2451,11 @@ function filter_draw_selection_area2( $p_page_number, $p_for_screen = true, $p_e filter_print_view_type_toggle( $t_url, $t_filter['_view_type'] ); if( access_has_project_level( config_get( 'create_permalink_threshold' ) ) ) { + # Add CSRF protection, see #22702 + $t_permalink_url = urlencode( filter_get_url( $t_filter ) ) + . form_security_param( 'permalink' ); echo '<li>'; - echo '<a href="permalink_page.php?url=' . urlencode( filter_get_url( $t_filter ) ) . '">'; + echo '<a href="permalink_page.php?url=' . $t_permalink_url . '">'; echo '<i class="ace-icon fa fa-link"></i>  ' . lang_get( 'create_filter_link' ); echo '</a>'; echo '</li>'; diff --git a/permalink_page.php b/permalink_page.php index 87a9058..b73ccab 100644 --- a/permalink_page.php +++ b/permalink_page.php @@ -36,6 +36,7 @@ require_once( 'core.php' ); require_api( 'access_api.php' ); require_api( 'config_api.php' ); +require_api( 'form_api.php' ); require_api( 'gpc_api.php' ); require_api( 'html_api.php' ); require_api( 'lang_api.php' ); @@ -43,6 +44,8 @@ require_api( 'print_api.php' ); require_api( 'string_api.php' ); require_api( 'utility_api.php' ); +form_security_validate( 'permalink' ); + layout_page_header(); layout_page_begin(); @@ -75,4 +78,5 @@ if( !is_blank( $t_create_short_url ) ) { ?> </div> <?php +form_security_purge( 'permalink' ); layout_page_end(); -- 2.7.4 | ||||
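Review bot: in the core/filter_api.php hunk, the new `echo '<a href="permalink_page.php?url=' . $t_permalink_url . '">'` line concatenates the return value of form_security_param( 'permalink' ) into an HTML attribute without escaping; if that helper returns a `&name=value` fragment, a raw `&` lands inside the attribute where `&amp;` belongs, so pass `$t_permalink_url` through the project's attribute-escaping helper (htmlspecialchars or equivalent) before echoing it. Note also that the 'create_filter_link' anchor now carries a session-bound token, so copying that URL out of the page and sharing it no longer yields a link that passes validation for anyone else.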
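Review bot: in the permalink_page.php hunk at @@ -43,6 +44,8 @@, `form_security_validate( 'permalink' );` is placed ahead of `layout_page_header();`, which is the right order since a failed check must abort before any output is written; what is missing is a note for upgraders, in the commit message or release notes, that existing `permalink_page.php?url=...` links without a token (bookmarks, links in e-mails) will now fail validation instead of rendering.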
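Review bot: in the permalink_page.php hunk at @@ -75,4 +78,5 @@, `form_security_purge( 'permalink' );` runs on every successful render just before `layout_page_end();`, so the token is single-use and a plain browser reload of the result page will fail validation; if that is intended, say so in a comment next to the call, and if the `$t_create_short_url` branch shown in the context submits a further form, make sure that form carries its own token rather than relying on the now-purged 'permalink' one.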
@hyp3rlinx I presume that you already requested a CVE ID? Please post it here when it has been assigned.

CVE-2017-7620

@hyp3rlinx I don't see any link injection... The
Am I missing something? If so, maybe you can explain what I'm doing wrong.

Add this to a webpage on another server, log in to Mantis, then visit the webpage. It works in 1.3.0 too. Attached is a screenshot showing arbitrary link injection:
<form action="http://MANTIS-VICTIM-IP/mantisbt-2.3.0/mantisbt-2.3.0/permalink_page.php?url=\/SOME_OTHER_DOMAIN" method="POST">

Look at the bottom left of the browser in the screenshot to see the URL status after hovering over the link: http://attacker-ip.

The URL needs a backslash (%5C or '\') to break your sanitization routine, e.g. url=\/EVIL.com
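As an added example (my own code, not MantisBT's string_sanitize_url()), the following PHP shows why the backslash in the comment above defeats a check that only looks for a leading scheme or `//`: browsers parse `\` as `/` in http(s) URLs, so a value such as `\/host` navigates to `//host`. The naive check is shown beside a hardened version that normalises backslashes before deciding and, like the project's later fix, percent-encodes any backslashes that remain. The function names and the sample inputs are constructed for this example.

```php
<?php
// Added example, not MantisBT code. Demonstrates the "\/host" trick from the
// report and one way to neutralise it. All names here are hypothetical.

// Naive check: "relative" unless the string starts with a scheme or "//".
// This is the kind of check that "\/evil.example" slips past.
function is_relative_naive(string $url): bool
{
    return !preg_match('#^([a-z][a-z0-9+.-]*:)?//#i', $url);
}

// Hardened check. Returns the URL with backslashes percent-encoded when it is
// genuinely relative to the application root, or null when it must be rejected.
function sanitize_relative_url(string $url): ?string
{
    // Control characters and whitespace have no place in a link target.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;
    }
    // Undo a percent-encoded backslash so it is judged like a literal one,
    // then treat every backslash as a forward slash, as browsers do.
    $probe = str_ireplace('%5c', '\\', $url);
    $probe = str_replace('\\', '/', $probe);

    // Any scheme ("http:", "mailto:") or a protocol-relative "//" prefix
    // means the link leaves the application; reject it.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $probe) || strncmp($probe, '//', 2) === 0) {
        return null;
    }
    // What remains is a same-origin path/query. Encode leftover backslashes
    // so the emitted href cannot be reinterpreted by the browser.
    return str_replace('\\', '%5C', $url);
}

// Constructed sample inputs: one legitimate filter URL and four variants of
// the reported bypass (plain, swapped, percent-encoded, scheme without "//").
$samples = [
    'view_all_bug_page.php?filter=1',
    '\/evil.example',
    '/\evil.example',
    '%5C/evil.example',
    'http:evil.example',
];
foreach ($samples as $url) {
    printf("%-32s naive: %-8s hardened: %s\n",
        $url,
        is_relative_naive($url) ? 'relative' : 'external',
        sanitize_relative_url($url) ?? 'REJECTED');
}
```

Only the first sample survives the hardened check; the naive check reports every one of the four bypass variants as relative, which is exactly the gap the reporter is describing. Normalising before deciding matters more than the final encoding: if the check ran on the raw string, `%5C/` and `/\` would still get through.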

Ah, I missed the backslash :-o

Sorry for the delay, I've been busy. I can confirm problem reproduction by escaping the

The identified vulnerability exists as far back as 1.2.0, and most likely long before that too; targeting 1.3.10. Proposed approach to fix the issue is to encode the
Please review the attached patch.
Attached: 0001-Encode-in-string_sanitize_url.patch (1,155 bytes)
From 35e78af20ba4bd5078934188635175d356f1e996 Mon Sep 17 00:00:00 2001 From: Damien Regad <dregad@mantisbt.org> Date: Fri, 14 Apr 2017 00:47:13 +0200 Subject: [PATCH] Encode '\' in string_sanitize_url() John Page aka hyp3rlinx / ApparitionSec http://hyp3rlinx.altervista.org reported a CSRF vulnerability in permalink_page.php, allowing an attacker to inject arbitrary links (CVE-2017-7620). Encoding the backslashes in the 'script' part of the URL ensures that the sanitized URL is treated as relative to MantisBT root and not a link to an external site. Fixes #22702 --- core/string_api.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/core/string_api.php b/core/string_api.php index 4e3c238..1c5e84b 100644 --- a/core/string_api.php +++ b/core/string_api.php @@ -275,7 +275,8 @@ function string_sanitize_url( $p_url, $p_return_absolute = false ) { } # Start extracting regex matches - $t_script = $t_matches['script']; + # Encode backslashes to prevent CSRF attacks + $t_script = strtr( $t_matches['script'], array( '\\' => '%5C' ) ); $t_script_path = $t_matches['path']; # Clean/encode query params -- 2.7.4 |
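Review bot: the comment `# Encode backslashes to prevent CSRF attacks` overstates what this hunk does: rewriting `\` to `%5C` in `$t_matches['script']` stops a value such as `\/host` from being emitted as a protocol-relative link, but it adds no request-origin check, so the CSRF itself is unchanged (the reporter's follow-up on this issue makes the same point). Reword the comment to describe the actual effect (for example, "Encode backslashes so the sanitized URL cannot resolve as protocol-relative, see #22702"), and since only the `script` match is rewritten while `$t_script_path = $t_matches['path'];` on the next line is left untouched, add a unit test that exercises backslashes in both matched parts, including the `/\` and `%5C` spellings, so the behaviour of the regex split is pinned down.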

@hyp3rlinx are you OK with the proposed patch?

Basic tests seem to prevent a valid URL being injected, but I do not see any CSRF token check. Your patch says "+ # Encode backslashes to prevent CSRF attacks"; the CSRF still happens, just the injection is now preceded with %5C.

Sent an email last week for a status update on this CSRF vulnerability but never heard back, so I am following up here.

Apologies for the lack of reply and the delay in resolving this issue, but due to work- and family-related priorities I had to put this aside. I will get back to it as soon as I can.

OK, thanks for the update; will check back with you soon.

Checking back to see if the fix is complete; if not, what is the ETA? ... Also, just FYI, Mantis passwords are stored using weak crypto: MD5 and unsalted.

Funny you should ping me on that issue, as I actually resumed work on it yesterday.
Known issue, see 0022839. In fact, I've been working on that over the past few days, expanding on the work of a community contributor; feel free to have a look at the pull request and let us know your feedback if you can spare the time.

Escaping the backslash ensures that any external URL is redirected locally.
Adding it is trivial (see attached patch), but is it truly necessary?
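To show what a form security token adds that the backslash encoding does not, here is an added PHP example of a per-form, single-use CSRF token: my own minimal reimplementation, not MantisBT's form_api.php, with hypothetical function names and `$_SESSION` used as an in-memory store. It follows the same create / validate / purge sequence that the attached patch applies to permalink_page.php.

```php
<?php
// Added example, not MantisBT's form_api.php. A minimal per-form, single-use
// CSRF token scheme mirroring the create / validate / purge sequence used in
// the fix. Hypothetical names; $_SESSION serves as an in-memory store here.

// Mint a token bound to this session and to one named form.
function csrf_token_create(string $form): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf'][$form][] = ['token' => $token, 'issued' => time()];
    return $token;
}

// Query-string fragment carrying a fresh token, for GET links such as the
// permalink link in the filter bar.
function csrf_link_param(string $form): string
{
    return '&' . rawurlencode($form . '_token') . '=' . rawurlencode(csrf_token_create($form));
}

// Constant-time lookup; does not consume the token, so the page can render.
function csrf_token_validate(string $form, ?string $token, int $max_age = 3600): bool
{
    if ($token === null || empty($_SESSION['csrf'][$form])) {
        return false;
    }
    foreach ($_SESSION['csrf'][$form] as $entry) {
        if (hash_equals($entry['token'], $token)) {
            return (time() - $entry['issued']) <= $max_age;
        }
    }
    return false;
}

// Remove the token once the request has been served, so it cannot be replayed.
function csrf_token_purge(string $form, string $token): void
{
    if (empty($_SESSION['csrf'][$form])) {
        return;
    }
    $_SESSION['csrf'][$form] = array_values(array_filter(
        $_SESSION['csrf'][$form],
        fn(array $entry): bool => !hash_equals($entry['token'], $token)
    ));
}

// Handler sketch for a page like permalink_page.php: validate before any
// output, do the work, purge afterwards.
function handle_permalink_request(array $get): string
{
    $token = $get['permalink_token'] ?? null;
    if (!csrf_token_validate('permalink', $token)) {
        return 'rejected: invalid or missing form token';
    }
    $url = $get['url'] ?? '';
    // ... render the permalink for $url here ...
    csrf_token_purge('permalink', $token);
    return 'served permalink for ' . $url;
}

// Self-contained run with a constructed session and link.
$_SESSION = [];
$link = 'permalink_page.php?url=' . rawurlencode('view_all_bug_page.php?filter=1')
      . csrf_link_param('permalink');
parse_str((string) parse_url($link, PHP_URL_QUERY), $query);

echo handle_permalink_request($query), "\n";                      // first use of the token
echo handle_permalink_request($query), "\n";                      // replay of the same token
echo handle_permalink_request(['url' => '\/evil.example']), "\n"; // request carrying no token
```

The first call is served, the second is rejected because the token was purged, and the third is rejected because a request assembled on another site cannot know this session's token. That third case is the one the backslash encoding alone does not address: without the token the forged request would still be processed, only with a neutralised link.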

@hyp3rlinx any feedback before I merge and make this public?

Nope, when do you plan on making this public?

I can do it anytime, really - patches are ready. If you need some advance notice, let me know what your constraints are. If you don't have any, I'll do it sometime tomorrow. I was kind of hoping for an answer on the questions I raised in 0022702:0056790 before moving forward, though.

Just following up on this...

MantisBT: master f21b56fa 2017-05-13 14:45
Add form security token to permalink_page.php
John Page aka hyp3rlinx / ApparitionSec http://hyp3rlinx.altervista.org reported a CSRF vulnerability in permalink_page.php, allowing an attacker to inject arbitrary links (CVE-2017-7620). The security token prevents such injection.
Fixes 0022702
Affected Issues: 0022702
mod - core/filter_api.php
mod - permalink_page.php

MantisBT: master f6644090 2017-05-13 14:47
Encode '\' in string_sanitize_url()
As an extra safety measure following up on the fix for CVE-2017-7620, we encode the backslashes in the 'script' part of the URL to ensure that the sanitized URL is treated as a path relative to MantisBT root and not a link to an external site if the URL begins with an escaped `/`. This reduces the risk of someone being able to use the same attack vector in another page.
Fixes 0022702, 0022816
Affected Issues: 0022702, 0022816
mod - core/string_api.php

MantisBT: master 241ff4eb 2017-05-13 14:53
Add test for '\' encoding in string_sanitize_url()
Issue 0022702
Affected Issues: 0022702
mod - tests/Mantis/StringTest.php

MantisBT: master-1.3.x c4f50e5d 2017-05-19 07:48
Fix CSRF vulnerability in permalink_page.php
John Page aka hyp3rlinx / ApparitionSec http://hyp3rlinx.altervista.org reported a CSRF vulnerability in permalink_page.php, allowing an attacker to inject arbitrary links (CVE-2017-7620).
Backporting from master branch:
- Add form security token to prevent such injection (code changed from original commit) 0d11077d40c5dfdb76efdad9ba2b455af5be25a0
- Encode '\' in string_sanitize_url() 7b23377c573817c5fe8b522e8c33de8b1caff179
Fixes 0022702, 0022816
Affected Issues: 0022702, 0022816
mod - core/filter_api.php
mod - core/string_api.php
mod - permalink_page.php
mod - tests/Mantis/StringTest.php

MantisBT: master-2.3 8b6787c8 2017-05-19 07:48
Fix CSRF vulnerability in permalink_page.php
John Page aka hyp3rlinx / ApparitionSec http://hyp3rlinx.altervista.org reported a CSRF vulnerability in permalink_page.php, allowing an attacker to inject arbitrary links (CVE-2017-7620).
Backporting from master branch:
- Add form security token to prevent such injection 0d11077d40c5dfdb76efdad9ba2b455af5be25a0
- Encode '\' in string_sanitize_url() 7b23377c573817c5fe8b522e8c33de8b1caff179
Fixes 0022702, 0022816
Affected Issues: 0022702, 0022816
mod - core/filter_api.php
mod - core/string_api.php
mod - permalink_page.php
mod - tests/Mantis/StringTest.php

MantisBT: master-2.4 2d2309a3 2017-05-19 07:48
Fix CSRF vulnerability in permalink_page.php
John Page aka hyp3rlinx / ApparitionSec http://hyp3rlinx.altervista.org reported a CSRF vulnerability in permalink_page.php, allowing an attacker to inject arbitrary links (CVE-2017-7620).
Backporting from master branch:
- Add form security token to prevent such injection 0d11077d40c5dfdb76efdad9ba2b455af5be25a0
- Encode '\' in string_sanitize_url() 7b23377c573817c5fe8b522e8c33de8b1caff179
Fixes 0022702, 0022816
Affected Issues: 0022702, 0022816
mod - core/filter_api.php
mod - core/string_api.php
mod - permalink_page.php
mod - tests/Mantis/StringTest.php