Relationship Graph

View IssueDependency GraphShow Summary
Relationship Graph
related to related to child of child of duplicate of duplicate of

View Issue Details

WikiJump to Notes
IDProjectCategoryView StatusDate SubmittedLast Update
0023908mantisbtsecuritypublic2018-01-30 00:362018-08-08 17:15
Reporterfoolandtom Assigned Todregad  
PrioritylowSeveritytrivialReproducibilityalways
Status closedResolutionno change required 
Product Version2.10.0 
Summary0023908: Vendor/adodb/adodb-php/server.php SQL injection
Description

MantisBT 2.10.0 allows local users to conduct SQL Injection attacks via the vendor/adodb/adodb-php/server.php sql
parameter in a request to the 127.0.0.1 IP address,

[Additional Information]
url:http://127.0.0.1/vendor/adodb/adodb-php/server.php?sql=select+*+from+admin&nrows=10&offset=

code:
if (empty($_REQUEST['sql'])) err('No SQL');

$conn = ADONewConnection($driver);

if (!$conn->Connect($host,$uid,$pwd,$database)) err($conn->ErrorNo(). $sep . $conn->ErrorMsg());
$sql = undomq($_REQUEST['sql']);
address:/adodb/adodb-php/server.php

position:78-84 rows

If there is no configuration, the physical path address is leaked, and the link needs to be opened in 127.0.0.1

[Vulnerability Type]
SQL Injection

[Vendor of Product]
mantisbt

[Affected Product Code Base]
mantisbt - mantisbt-2.10.0

[Attack Type]
Local

[Impact Information Disclosure]
true

[CVE Impact Other]
Leaked physical path

[Attack Vectors]
vendor/adodb/adodb-php/server.php?sql=select+*+from+admin&nrows=10&offset=2

[Discoverer]
shanghaikuangchuang@Tom

Use CVE-2018-6382.

CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJab+NRAAoJEHb/MwWLVhi2OeYQAKcuw88x1+j2TIqkm4sSkzPt
ZjVgtk01teAwTMU5Am8CBV6rMRXkfPciONAdJlnDYISwtUy6iS4IWlwG1tEnbGJl
6JbJAJj6vshZ0+Gffx9hRifGdlyIHSmBan4PBkNnPLPDkMs3dcSAQOFEZXnfoipf
rLsvckL74U1NryRYZQm2d0gEtuCczbFqNf2xiAKmlgZvaJXXjRMsnZ4TDtqMuqQi
O2AbTJmofEux51ER5EmFGIYXrIMZoAoCUuLBz9UIwKEnW9JoF8iTsDbQ2izIMCHJ
QGdAfzdVWY0frwufNiqG1od9JAvcbgoJxT1OVPAIyEPMXGASnxRn8LQiYJRkV4n4
5uGYN6H01Spyn/btvqmkId/gPnncQKI4KLosZhIRWmQehgee3+7ecrj4AkSqGwBd
Bp4KKFmQjRCgzZRFfrA0ZKU96gQbohZz/3kx5T3xQMmy4sHcfscXDsSbiIVpTV/F
gIT+KVeSJdh/L6oqPGnckHyYU3uqpbRpPhFfQCJYhharO54DcthbmjRAPIw+gp8q
y0jnEpSXPYN/b8+k9aqrtkBai17Z7m7aBxF/nDKZ7TxzfKqUJazk4UanqZ26ahWX
28M5TbtzhI0tASXr83pAixelBj1f4Khf4TiWFlAJEDUzbnJlYmrVnVIaovVoloaD
KZQvyj7/4MjMSb6tbIdH
=/j3A
-----END PGP SIGNATURE-----

Steps To Reproduce

url:http://127.0.0.1/vendor/adodb/adodb-php/server.php?sql=select+*+from+admin&nrows=10&offset=

code:
if (empty($_REQUEST['sql'])) err('No SQL');

$conn = ADONewConnection($driver);

if (!$conn->Connect($host,$uid,$pwd,$database)) err($conn->ErrorNo(). $sep . $conn->ErrorMsg());
$sql = undomq($_REQUEST['sql']);
address:/adodb/adodb-php/server.php

position:78-84 rows

If there is no configuration, the physical path address is leaked, and the link needs to be opened in 127.0.0.1

Additional Information

Local execution is required, if no default configuration database will cause path leakage, it is recommended to configure the default error page

TagsNo tags attached.

Relationships

Relationship GraphDependency Graph
related to 0024192 closeddregad Update ADOdb to 5.20.12 

Activities

dregad

dregad

2018-01-30 05:20

developer   ~0058673

Thanks for the report. A few remarks

  1. We're only users of the ADOdb library, so this would probably best be reported upstream at https://github.com/ADOdb/ADOdb/issues - but since I'm also the maintainer of ADOdb, we might as well continue the discussion here for now.
  2. Due to the localhost IP address restriction, the request needs to be physically run on the server operating the database
  3. Since the purpose of the server.php script is to execute arbitrary queries to begin with, I don't think that SQL injection introduces any additional risk
  4. Successful SQL execution could only occur if (and only if) a connection to the DB server can be established with the settings defined in server.php, i.e. (out of the box): 
    $driver = 'mysql';
$host = 'localhost'; // DSN for odbc
$uid = 'root';
$pwd = 'garbase-it-is';
$database = 'test';

So, while I agree that SQL injection is technically possible, I don't think it can realistically affect MantisBT.
foolandtom

foolandtom

2018-01-30 06:01

reporter   ~0058675

Low impact degree
foolandtom

foolandtom

2018-01-30 06:27

reporter   ~0058676

Existence of injection, low availability
dregad

dregad

2018-01-30 07:35

developer   ~0058679

Your feedback on my earlier note 0023908:0058673 would be appreciated. I don't understand the point of your last 2 comments.

if no default configuration database will cause path leakage, it is recommended to configure the default error page

Fixed in https://github.com/ADOdb/ADOdb/issues/389
dregad

dregad

2018-03-29 11:52

developer   ~0059353

Last edited: 2018-03-29 11:53

I asked MITRE to update the CVE, to have it rejected since I don't think it is a vulnerability in MantisBT at all.
dregad

dregad

2018-03-30 16:18

developer   ~0059374

Last edited: 2018-03-30 16:18

https://github.com/ADOdb/ADOdb/issues/389 is fixed in ADODb 5.20.12 - 0024192
dregad

dregad

2018-07-30 08:36

developer   ~0060339

ADOdb 5.20.12 has been deployed in MantisBT 2.14.0, fixing the path leakage issue.

With regards to the SQL injection, since it is effectively not possible to exploit it, I will resolve this issue as "no change required".