View Revisions: Issue #23173

Summary 0023173: CVE-2017-12419: Arbitrary File Read inside install.php script
Revision 2017-08-04 18:59 by dregad
Steps To Reproduce

For successful exploitation, you need to run a special rogue MySQL server and connect to it from the server whose files you want to read. Unfortunately, Mantis allows that.
You can find the server at my repository — https://github.com/allyshka/Rogue-MySql-Server/blob/master/roguemysql.php

An attacker can go to any step of the installation process.
See this part of the code:

/admin/install.php:

86: # install_state
87: #   0 = no checks done
88: #   1 = server ok, get database information
89: #   2 = check the database information
90: #   3 = install the database
...
95: $t_install_state = gpc_get_int( 'install', 0 );

If you browse to the URL https://mantisbt/admin/install.php?install=3, you go to the "install the database" section, where you can find this part of the code.

/admin/install.php:

745: # all checks have passed, install the database
746: if( 3 == $t_install_state ) {
...
765:    <?php
766:        $t_result = @$g_db->Connect( $f_hostname, $f_admin_username, $f_admin_password, $f_database_name );
767: 
768:        $t_db_open = false;

The script tries to connect to the MySQL server, but you can control the $f_hostname variable through the HTTP request parameter hostname.

/admin/install.php:

200:    $f_hostname           = gpc_get( 'hostname', config_get( 'hostname', 'localhost' ) );

https://mantis/admin/install.php?install=3&hostname=127.0.0.1
For testing purposes, I'm trying to read /etc/passw:

Revision 2017-08-01 00:46 by iamsecurity
Steps To Reproduce

For successful exploitation, you need to run a special rogue MySQL server and connect to it from the server whose files you want to read. Unfortunately, Mantis allows that.
You can find the server at my repository — https://github.com/allyshka/Rogue-MySql-Server/blob/master/roguemysql.php

An attacker can go to any step of the installation process.
See this part of the code:

/admin/install.php:

86: # install_state
87: #   0 = no checks done
88: #   1 = server ok, get database information
89: #   2 = check the database information
90: #   3 = install the database
...
95: $t_install_state = gpc_get_int( 'install', 0 );

If you browse to the URL https://mantisbt/admin/install.php?install=3, you go to the "install the database" section, where you can find this part of the code.

/admin/install.php:

745: # all checks have passed, install the database
746: if( 3 == $t_install_state ) {
...
765:    <?php
766:        $t_result = @$g_db->Connect( $f_hostname, $f_admin_username, $f_admin_password, $f_database_name );
767: 
768:        $t_db_open = false;

The script tries to connect to the MySQL server, but you can control the $f_hostname variable through the HTTP request parameter hostname.

/admin/install.php:

200:    $f_hostname           = gpc_get( 'hostname', config_get( 'hostname', 'localhost' ) );

https://mantis/admin/install.php?install=3&hostname=127.0.0.1

For testing purposes, I'm trying to read /etc/passw:
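As an added defensive example, not code from this report and not MantisBT's own fix: a hardened version of the installer's database connection. It refuses any hostname the administrator did not allowlist in advance, so the request parameter shown above cannot steer the connection to an arbitrary host, and it tells the MySQL client not to honour LOAD DATA LOCAL INFILE requests, which is what a rogue server of the kind linked above relies on to pull files off the connecting host. The function names, the allowlist, the constructed credentials and the use of mysqli instead of MantisBT's ADOdb wrapper ($g_db->Connect) are assumptions.

```php
<?php
// Added example, not MantisBT code. Assumed names: install_hostname_allowed(),
// install_db_connect() and the $p_allowlist array. The $f_* variables mirror the
// request-derived values from the report; their values here are constructed.

/**
 * Accept only database hosts that the administrator configured ahead of time.
 * The 'hostname' request parameter is never trusted on its own.
 */
function install_hostname_allowed( string $p_hostname, array $p_allowlist ): bool {
    $t_host = strtolower( trim( $p_hostname ) );
    $t_allowed = array_map( 'strtolower', $p_allowlist );
    return in_array( $t_host, $t_allowed, true );
}

/**
 * Connect with LOCAL INFILE disabled on the client side, so a server that
 * answers a query with a "send me file X" request is refused by the client.
 */
function install_db_connect( string $p_hostname, string $p_username, string $p_password, string $p_database, array $p_allowlist ): mysqli {
    if( !install_hostname_allowed( $p_hostname, $p_allowlist ) ) {
        throw new RuntimeException( 'Database host is not in the installer allowlist: ' . $p_hostname );
    }

    $t_link = mysqli_init();
    if( $t_link === false ) {
        throw new RuntimeException( 'mysqli_init() failed' );
    }

    // Client-side refusal of LOAD DATA LOCAL INFILE: with this option off, the
    // PHP process will not read a local file because the server asked for it.
    mysqli_options( $t_link, MYSQLI_OPT_LOCAL_INFILE, 0 );

    if( !mysqli_real_connect( $t_link, $p_hostname, $p_username, $p_password, $p_database ) ) {
        throw new RuntimeException( 'Connection failed: ' . mysqli_connect_error() );
    }
    return $t_link;
}

// Installer usage (constructed values). The allowlist belongs in the site's
// configuration file, never in the request.
$t_allowlist = array( 'localhost', '127.0.0.1' );
$f_hostname = isset( $_GET['hostname'] ) ? (string)$_GET['hostname'] : 'localhost';
$f_admin_username = 'root';            // constructed
$f_admin_password = 'example-secret';  // constructed
$f_database_name  = 'bugtracker';      // constructed

try {
    $g_db_link = install_db_connect( $f_hostname, $f_admin_username, $f_admin_password, $f_database_name, $t_allowlist );
    echo "connected to {$f_hostname}\n";
} catch( RuntimeException $e ) {
    // Fail closed: no connection attempt is made to an unexpected host.
    error_log( 'install: ' . $e->getMessage() );
    exit( 1 );
}
```

The allowlist check is the part that removes the attacker's control over the destination; the MYSQLI_OPT_LOCAL_INFILE setting is defence in depth for the case where a permitted host is itself compromised or spoofed. Independently of both, an installer that is still reachable after setup is complete is the root of the exposure described in this report, so restricting or removing admin/install.php once installation has finished is the general recommendation regardless of how the connection itself is hardened.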