View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0017780 | mantisbt | security | public | 2014-10-16 12:09 | 2014-12-05 18:33 |
Reporter | dregad | Assigned To | dregad | ||
Priority | high | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 1.2.0 | ||||
Target Version | 1.2.18 | Fixed in Version | 1.2.18 | ||
Summary | 0017780: CVE-2014-8598: XML plugin should restrict ability to import data | ||||
Description | The XML plugin currently does not perform any access level checks. Consequently, it is possible for any user of a system where the plugin is enabled (including anonymous/viewers !), to directly access the import page [1], upload an XML file and happily insert data in the tracker. [1] http://url.to/mantis/plugin.php?page=XmlImportExport/import | ||||
Additional Information | This is particularly nasty when combined with 0017725... | ||||
Tags | No tags attached. | ||||
MantisBT: master-1.2.x 80a15487 2014-10-17 07:21 Details Diff |
XML plugin: Add config page with access thresholds Prior to this, any user of a MantisBT instance with the XML Import/Export plugin enabled and knowing the URL to the plugin's import page could upload an XML file and insert data without restriction, regardless of their access level. This vulnerability is particularly dangerous when used in combination with the one described in issue 0017725 (CVE-2014-7146) as it makes for a very simple and easily accessible vector for PHP code injection attacks. There was also no access check when exporting data, which could allow an attacker to gain access to confidential information (disclosure of all bug-related data, including usernames). Fixes 0017780 (CVE-2014-8598) |
Affected Issues 0017725, 0017780 |
|
mod - plugins/XmlImportExport/XmlImportExport.php | Diff File | ||
mod - plugins/XmlImportExport/lang/strings_english.txt | Diff File | ||
add - plugins/XmlImportExport/pages/config.php | Diff File | ||
add - plugins/XmlImportExport/pages/config_page.php | Diff File | ||
mod - plugins/XmlImportExport/pages/export.php | Diff File | ||
mod - plugins/XmlImportExport/pages/import.php | Diff File | ||
MantisBT: master 7d3dd430 2014-10-17 07:21 Details Diff |
XML plugin: Add config page with access thresholds Prior to this, any user of a MantisBT instance with the XML Import/Export plugin enabled and knowing the URL to the plugin's import page could upload an XML file and insert data without restriction, regardless of their access level. This vulnerability is particularly dangerous when used in combination with the one described in issue 0017725 (CVE-2014-7146) as it makes for a very simple and easily accessible vector for PHP code injection attacks. There was also no access check when exporting data, which could allow an attacker to gain access to confidential information (disclosure of all bug-related data, including usernames). Fixes 0017780 (CVE-2014-8598) |
Affected Issues 0017725, 0017780 |
|
mod - plugins/XmlImportExport/XmlImportExport.php | Diff File | ||
mod - plugins/XmlImportExport/lang/strings_english.txt | Diff File | ||
add - plugins/XmlImportExport/pages/config.php | Diff File | ||
add - plugins/XmlImportExport/pages/config_page.php | Diff File | ||
mod - plugins/XmlImportExport/pages/export.php | Diff File | ||
mod - plugins/XmlImportExport/pages/import.php | Diff File |