View Issue Details
Field | Value
---|---
ID | 0013281
Project | mantisbt
Category | security
View Status | public
Date Submitted | 2011-08-31 15:57
Last Update | 2014-09-23 18:05
Reporter | htbridge
Assigned To | dhx
Priority | immediate
Severity | block
Reproducibility | always
Status | closed
Resolution | fixed
Product Version | 1.2.7
Target Version | 1.2.8
Fixed in Version | 1.2.8
Summary | 0013281: MantisBT Security Vulnerabilities Notification
Description | Hello, High-Tech Bridge Security Research Lab has discovered multiple security vulnerabilities in MantisBT. Developers can contact us by email advisory (at) htbridge.ch for details. Preview: https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html For any questions related to this notification email, please visit our General Information & Disclosure Policy page: http://www.htbridge.ch/advisory/disclosure_policy.html
Tags | No tags attached.
Relationship | Issue | Status | Assigned To | Summary
---|---|---|---|---
related to | 0015721 | closed | grangeway | Functionality to consider porting to master-2.0.x
parent of | 0013282 | closed | dhx | bug_actiongroup_ext_page.php does not properly sanitise action parameter before including local files
parent of | 0013283 | closed | dhx | bug_actiongroup_ext_page.php remote file inclusion: action parameter
related to | 0013191 | closed | grangeway | XSS vulnerability due to usage of PHP_SELF
Thanks for your report. This issue is now private and therefore accessible only to developers and yourself. Can you please add the details of the vulnerabilities to this bug report?

Our notification text for email:

High-Tech Bridge Security Research Lab has discovered multiple security vulnerabilities in your product - MantisBT. Detailed description and all available details of the vulnerabilities are provided below in the email. Please notify us by replying to this email when you release the security update. If you need more time to fix the vulnerabilities, please specify the desired Public Disclosure date by replying to this email. For any questions related to this notification email, please visit our General Information & Disclosure Policy page: https://www.htbridge.ch/advisory/disclosure_policy.html If you don't find an answer to your question there, please feel free to contact us by email: advisory@htbridge.ch

===============================================================

Vulnerability ID: HTB23045

Vulnerability Details:

1) Input passed via the "action" GET parameter to bug_actiongroup_ext_page.php & bug_actiongroup_page.php is not properly sanitised before being returned to the user. The following PoC code is available:
http://[host]/bug_actiongroup_ext_page.php?bug_arr[]=1&action=EXT_%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

2) Input passed via the "action" GET parameter to bug_actiongroup_ext_page.php & bug_actiongroup_page.php is not properly verified before being used to include files.
http://[host]/bug_actiongroup_ext_page.php?bug_arr[]=1&action=EXT_/../../../../../../../etc/passwd%00

3) Input appended to the URL after manage_config_email_page.php & manage_config_workflow_page.php is not properly sanitised before being returned to the user.
http://[host]/manage_config_email_page.php/%22%3E%3Cimg%20src=1%20onerror=%22javascript:alert%28document.cookie%29;%22%3E/

4) Input passed via the "platform", "os" and "os_build" GET parameters to bug_report_page.php is not properly sanitised before being returned to the user.
http://[host]/bug_report_page.php?platform=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

Best regards,
High-Tech Bridge SA Security Research Lab
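The two defensive checks that items (1) to (4) of the notification call for, written as an added PHP example that is not MantisBT's own code: a strict gate on the "action" parameter before it can select a file for require_once, and attribute escaping before a value is reflected into HTML. The EXT_ prefix and the bug_actiongroup_<action>_inc.php naming follow the file names in this report; the allow-list and the sample inputs are constructed for the example.

```php
<?php
// Added example, not MantisBT code. Shows the defensive pattern behind the fixes
// referenced on this page: validate the "action" parameter before it selects a
// file for require_once, and escape values before they are reflected into HTML.

// Assumption: action "EXT_foo" maps to bug_actiongroup_foo_inc.php (the file
// names listed in the commits suggest this). The allow-list is constructed.
function known_actions() {
    return array( 'add_note', 'attach_tags', 'update_severity' );
}

// Returns the include file name for a valid action, or null if it must be refused.
function action_include_path( $p_action ) {
    // EXT_ followed by a plain identifier, anchored with \z so a trailing newline
    // or NUL byte cannot slip past. This single rule rejects "../", "%00", quotes
    // and angle brackets, so neither traversal nor markup reaches the include.
    if ( !preg_match( '/^EXT_([a-z0-9_]+)\z/', $p_action, $t_matches ) ) {
        return null;
    }
    // Second gate: only actions the application actually ships.
    if ( !in_array( $t_matches[1], known_actions(), true ) ) {
        return null;
    }
    return 'bug_actiongroup_' . $t_matches[1] . '_inc.php';
}

// Escape a value for an HTML attribute (the Projax value="" and platform/os cases).
// ENT_QUOTES neutralises both " and ' so the attribute cannot be closed early.
function html_attr( $p_value ) {
    return htmlspecialchars( (string) $p_value, ENT_QUOTES, 'UTF-8' );
}

// Constructed inputs modelled on the report; expected: accepted (true) or refused (false).
$t_cases = array(
    'EXT_add_note'                => true,
    'EXT_/../../../../etc/passwd' => false, // path traversal
    "EXT_add_note\0"              => false, // NUL byte truncation attempt
    'EXT_"><script>'              => false, // markup in the parameter
    'EXT_does_not_exist'          => false, // not on the allow-list
);
foreach ( $t_cases as $t_input => $t_expected ) {
    $t_accepted = ( action_include_path( $t_input ) !== null );
    printf( "%-32s %s\n", addcslashes( $t_input, "\0..\37" ),
            $t_accepted === $t_expected ? 'ok' : 'MISMATCH' );
}
// The reflected value from item (4), rendered harmless as attribute text.
echo html_attr( '"><script>alert(document.cookie);</script>' ), "\n";
```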
Thank you.

Issues (1) and (2) have been fixed by Paul's recent commits (and my backports to the 1.2.x branch). Issue (3) was reported a while ago by Paulino Calderon calderon@websec.mx in issue 0013191 but has yet to be fixed. Paul has committed a patch that resolves the issue. Issue (4) has been fixed as well (it only impacts the master-1.2.x branch).

All issues should now be corrected in both 1.2.x and master branches. @High-Tech Bridge Security Research Lab: thanks for taking the time to test MantisBT and provide an informative notification to the MantisBT developers. @grangeway/Paul: thanks for pushing your patches! I'll arrange for a 1.2.8 release with John ASAP, request CVE numbers from oss-sec and notify distributions that they need to update their copies of MantisBT.

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.
MantisBT: master a908cc61 2011-08-29 05:43 Paul Richards

Rework the bug action group api such that we can easily convert this to an object in the future, and to validate calls to require once.

This leads to a security issue identified by IBM's Appscan program, whereby calls to require_once are not validated. Depending on webserver configuration, this is a file inclusion vulnerability.

There will be a follow up commit to config api - probably:

    - if( $g_project_override != null ) {
    + if( $g_project_override != null && $p_project == null ) {

At the moment, the action group API calls config_get with a project parameter to use. This is ignored, due to project_override being set - so we either need to:
a) change project override within the command list function
b) modify config api to only use the project override *if* it is attempting to look up information on the default project.

Affected Issues: 0013281

mod - bug_actiongroup_add_note_inc.php
mod - bug_actiongroup_attach_tags_inc.php
mod - bug_actiongroup_ext.php
mod - bug_actiongroup_ext_page.php
mod - bug_actiongroup_page.php
mod - bug_actiongroup_update_product_build_inc.php
mod - bug_actiongroup_update_severity_inc.php
mod - core/bug_group_action_api.php
MantisBT: master-1.2.x 5b93161f 2011-08-29 05:43 Paul Richards (Committer: dhx)

Rework the bug action group api such that we can easily convert this to an object in the future, and to validate calls to require once.

This leads to a security issue identified by IBM's Appscan program, whereby calls to require_once are not validated. Depending on webserver configuration, this is a file inclusion vulnerability.

There will be a follow up commit to config api - probably:

    - if( $g_project_override != null ) {
    + if( $g_project_override != null && $p_project == null ) {

At the moment, the action group API calls config_get with a project parameter to use. This is ignored, due to project_override being set - so we either need to:
a) change project override within the command list function
b) modify config api to only use the project override *if* it is attempting to look up information on the default project.

Backported from master-1.2.x branch. Note that this commit relies upon commit 6dc35105064e5a2533fb4e1de54426ea17d2ef36 from the master branch (that hadn't been backported to 1.2.x).

Conflicts:
    bug_actiongroup_ext.php
    bug_actiongroup_ext_page.php
    bug_actiongroup_page.php
    core/bug_group_action_api.php

Signed-off-by: David Hicks <d@hx.id.au>

Affected Issues: 0013281

mod - bug_actiongroup_ext.php
mod - bug_actiongroup_ext_page.php
mod - bug_actiongroup_page.php
mod - core/bug_group_action_api.php
MantisBT: master 57c94485 2011-08-29 06:55 Paul Richards

Fix issue introduced previously whereby php_Self is now used unchecked. Introduced previously by John attempting to fix symlinks.

Since we now use php 5.2, we can make use of filter_var. This is a simpler version of what we were trying to do previously, aka http://git.mantisforge.org/w/mantisbt.git?a=commitdiff;h=5ac1fdf32717d0c82cca7e7660dd4fd316a6a1b8

Depending on server/mantis config this can lead to XSS issues.

Affected Issues: 0013191, 0013281

mod - config_defaults_inc.php
MantisBT: master-1.2.x d00745f5 2011-08-29 06:55 Paul Richards (Committer: dhx)

Fix issue introduced previously whereby php_Self is now used unchecked. Introduced previously by John attempting to fix symlinks.

Since we now use php 5.2, we can make use of filter_var. This is a simpler version of what we were trying to do previously, aka http://git.mantisforge.org/w/mantisbt.git?a=commitdiff;h=5ac1fdf32717d0c82cca7e7660dd4fd316a6a1b8

Depending on server/mantis config this can lead to XSS issues.

David: Backported from master branch and removed unreachable code branch.

Signed-off-by: David Hicks <d@hx.id.au>

Affected Issues: 0013191, 0013281

mod - config_defaults_inc.php
MantisBT: master-1.2.x 0a636b37 2011-09-03 16:36

Issue 0013281: Fix Projax XSS issues (unescaped value attributes)

Projax sucks. This is why it was replaced with jQuery in the master branch. However master-1.2.x still uses the older Projax code. The Projax library doesn't attempt to escape values before dumping them in HTML output, thus leading to XSS issues. The easiest workaround is to pass in already-escaped values to the Projax functions.

This issue was reported by High-Tech Bridge SA Security Research Lab as part of their advisory #HTB23045, available at https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html

Affected Issues: 0013281

mod - bug_report_page.php
mod - bug_update_advanced_page.php