View Issue Details

IDProjectCategoryView StatusLast Update
0017937mantisbtsecuritypublic2024-05-13 11:05
Reporterhtbridge Assigned Todregad  
PrioritynoneSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Target Version1.2.19Fixed in Version1.2.19 
Summary0017937: MantisBT Security Vulnerability Notification (HTB23243)
Description

Hello,

High-Tech Bridge Security Research Lab has discovered multiple security vulnerabilities in MantisBT.

Developers can contact us by email advisory (at) htbridge.com for details.

Preview: https://www.htbridge.com/advisory/HTB23243

For any questions related to this notification email - please visit our Disclosure Policy page: https://www.htbridge.com/advisory/disclosure_policy.html

TagsNo tags attached.

Relationships

parent of 0017938 closeddregad CVE-2014-9571: XSS in install.php 
parent of 0017939 closeddregad CVE-2014-9572: Improper Access Control in install.php 
parent of 0017940 closeddregad CVE-2014-9573: SQL Injection in manage_user_page.php 

Activities

dregad

dregad

2014-12-03 11:03

developer   ~0041962

Greetings.

Thank you for your report. I have marked this issue as private, so whatever you write here will only be visible to MantisBT developers.

To report your issues, the best would be for you to open one private issue on this tracker for each distinct vulnerability you found. More details on the process can be found on our wiki [1].

I also draw your attention to the fact that over the past few weeks we've patched 20+ security issues; kindly make sure that the issues you discovered are not already fixed. See our changelog [2] for details and related CVEs; note that I'm waiting for MITRE to assign a few more CVEs, you can find the corresponding requests and advisories on the oss-security mailing list [3].

[1] https://www.mantisbt.org/wiki/doku.php/mantisbt:handling_security_problems
[2] https://www.mantisbt.org/bugs/changelog_page.php?version_id=191
[3] http://news.gmane.org/gmane.comp.security.oss.general

htbridge

htbridge

2014-12-03 14:22

reporter   ~0041966

Hello,

===============================================================

Advisory ID: HTB23243
Reference: https://www.htbridge.com/advisory/HTB23243
Product: MantisBT
Vendor: MantisBT Team
Vulnerable Version(s): 1.2.17 and probably prior
Tested Version: 1.2.17
Public Disclosure: December 24, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79], Improper Access Control [CWE-284], SQL Injection [CWE-89]
Risk Level: Medium
CVSSv2 Base Scores: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N), 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N), 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

Advisory Details:

High-Tech Bridge Security Research Lab has discovered multiple vulnerabilities in MantisBT, which can be exploited to perform Cross-Site Scripting (XSS) and SQL injection attacks. Improper access control vulnerability discloses database's credentials (login and password) in plaintext.

1) Cross-Site Scripting (XSS) in MantisBT

Vulnerabilities described in this section can be used by attackers to steal cookies of application’s administrator and other website users. Attackers can also perform spear phishing attacks against web site visitors by replacing original content of the web site with arbitrary HTML and script code, perform drive-by-download attacks by injecting malware into web pages, and bypass existing CSRF protection mechanism.

1.1 The vulnerability exists due to insufficient filtration of input data passed via the "admin_username" and "admin_password" HTTP GET parameters to "/[admin]/install.php" script. A remote attacker can trick a logged-in user to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

Below are two exploitation examples that use the "alert()" JavaScript function to display "immuniweb" word:

http://mantis/[admin]/install.php?install=1&admin_username=1%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E
http://mantis/[admin]/install.php?install=1&admin_password=1%27%22%3E%3Cscript%3Ealert%28%27immuniweb%27%29;%3C/script%3E

Note, that "[admin]" in the URL is changed by default during MantisBT installation. Therefore, the attacker must know the location of the administrative interface in order to perform the attack. However, admin panel URL can be bruteforced or predicted in many cases.

2) Improper Access Control in MantisBT

2.1 The vulnerability exists due to insufficient access restrictions to the installation script "/[admin]/install.php" when HTTP GET "install" parameter is set to "4". A remote unauthenticated attacker can access the installation script and obtain database access credentials, which are stored in plain text in hidden form fields.

An attacker can use the following URL to access the page an obtain database credentials (login and password) in plaintext:

http://mantis/[admin]/install.php?install=4

Note, that "[admin]" in the URL is changed by default during installation. Therefore, the attacker must know the location of the administrative interface in order to perform the attack. However, admin panel URL can be bruteforced or predicted in many cases.

3) SQL Injection in MantisBT

The vulnerability can be used to manipulate existing SQL queries. An attacker can obtain potentially sensitive data and use it to elevate privileges within the application. It is also possible for certain configurations to upload a backdoor and gain complete access to the webserver or website.

3.1 The vulnerability exists due to insufficient filtration of the "MANTIS_MANAGE_USERS_COOKIE" HTTP COOKIE in "/manage_user_page.php" script. A remote user with administrative privileges can inject and execute arbitrary SQL code within the application’s database.

The exploit code below modifies the SQL query and injects malicious "INTO OUTFILE" statement. As a result,current MySQL user login will be written into the "/var/www/file.txt" file:

GET /manage_user_page.php?hideinactive=0 HTTP/1.1
Host: mantis
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: MANTIS_MANAGE_USERS_COOKIE=0%3Ausername%20INTO%20OUTFILE%20%27/var/www/file.txt%27%20--%20%3A1%3A0
Connection: keep-alive

Successful exploitation requires that the MySQL account has FILE privileges within the database.

To exploit this vulnerability an attacker must create a specially crafted cookie for the application administrator. This can be achieved using XSS vulnerabilities, described in paragraphs 1.1 – 1.3 of this advisory.

===============================================================

Best regards,

High-Tech Bridge Security Research Lab

dregad

dregad

2014-12-03 15:11

developer   ~0041967

Thanks for the detailed information. I opened the following child issues for tracking:

1.1 - 0017938
2.1 - 0017939
3.1 - 0017940

Considering the upcoming Holiday season and current workload, I am a bit concerned by your planned public disclosure date of 24-Dec - could this be extended to, say, mid-January ? Of course we'll try to fix issues before that if we can.

Did you already make CVE reservations for these ? If so, kindly let me know the IDs.

dregad

dregad

2014-12-03 15:18

developer   ~0041968

Also, if it's not too much effort for you, it would be great if you guys could confirm whether our master (1.3.0dev) branch is vulnerable as well. You can download the code from https://mantisbt.org/builds.php.

I would guess that 1.1 and 2.1 would work too, not sure about 3.1.

TIA

htbridge

htbridge

2014-12-04 10:56

reporter   ~0041973

Hello,

Did you already make CVE reservations for these ? If so, kindly let me know the IDs.
At this time wait them from MITRE.

confirm whether our master (1.3.0dev) branch is vulnerable as well
Our researchers confirm, that found vulnerabilities work in this version.

dregad

dregad

2014-12-28 07:11

developer   ~0042067

I have attached patches to each of the child issues for your review. Kindly test and let me know if they are indeed resolving the vulnerabilities from your point of view.

I would also appreciate if you could let me know the corresponding CVE numbers, MITRE must have assigned them by now.

@Mantis devs:
Patches are also available in my private Bitbucket repo (https://bitbucket.org/dregad/mantisbt/branch/htbridge-17937)

htbridge

htbridge

2015-01-09 07:02

reporter   ~0042123

Hello,

CVE-IDs for HTB23243:
Cross-Site Scripting [CWE-79] CVE-2014-9571
Improper Access Control [CWE-284] CVE-2014-9572
SQL Injection [CWE-89] CVE-2014-9573

Best Regards,
High-Tech Bridge Security Research Lab

htbridge

htbridge

2015-01-09 07:37

reporter   ~0042124

Hello,

We confirm, that this patches will resolve vulnerabilities described in our security advisory.
After releasing version 1.2.19 we will update our advisory's Solution field with recommendation to update.

Best Regards,
High-Tech Bridge Security Research Lab

dregad

dregad

2015-01-09 08:11

developer   ~0042125

Last edited: 2015-01-09 08:12

Many thanks for your feedback. I will inform you when we release 1.2.19, probably within the next 2 weeks.

dregad

dregad

2015-01-25 18:20

developer   ~0048683

With all 3 child issues resolved and Mantis 1.2.19 being released today, this issue can now be closed.

Related Changesets

MantisBT: master-1.2.x 69c2d28d

2014-12-27 07:34

dregad


Details Diff
Fix SQL injection in manage_user_page.php

This vulnerability (CVE-2014-9573) was reported by High-Tech Bridge
Security Research Lab (https://www.htbridge.com/) in issue 0017937
(advisory ID HTB23243).

To avoid injection, the parameters we get from the cookie are now
properly sanitized before being used in the SQL query.

Fixes 0017940
Affected Issues
0017937, 0017940
mod - manage_user_page.php Diff File

MantisBT: master 7cc4539f

2014-12-27 07:34

dregad


Details Diff
Fix SQL injection in manage_user_page.php

This vulnerability (CVE-2014-9573) was reported by High-Tech Bridge
Security Research Lab (https://www.htbridge.com/) in issue 0017937
(advisory ID HTB23243).

To avoid injection, the parameters we get from the cookie are now
properly sanitized before being used in the SQL query.

Fixes 0017940
Affected Issues
0017937, 0017940, 0019277
mod - manage_user_page.php Diff File

MantisBT: master-1.2.x 6d47c047

2014-12-27 07:47

dregad


Details Diff
Fix XSS in install.php

This vulnerability (CVE-2014-9571) was reported by High-Tech Bridge
Security Research Lab (https://www.htbridge.com/) in issue 0017937
(advisory ID HTB23243).

The parameters are now properly sanitized before being displayed.

Fixes 0017938
Affected Issues
0017937, 0017938
mod - admin/install.php Diff File

MantisBT: master 132cd6d0

2014-12-27 07:47

dregad


Details Diff
Fix XSS in install.php

This vulnerability (CVE-2014-9571) was reported by High-Tech Bridge
Security Research Lab (https://www.htbridge.com/) in issue 0017937
(advisory ID HTB23243).

The parameters are now properly sanitized before being displayed.

Fixes 0017938
Affected Issues
0017937, 0017938, 0019274
mod - admin/install.php Diff File

MantisBT: master-1.2.x 5571bcf9

2014-12-28 01:29

dregad


Details Diff
Install: disable step 4 (additional config info)

This fixes a security issue allowing an attacker to access the
installation script and obtain database access credentials.

Since the offending install step does not seem to be doing anything
useful, the corresponding code block has been commented out.

This vulnerability (CVE-2014-9571) was reported by High-Tech Bridge
Security Research Lab (https://www.htbridge.com/) in issue 0017937
(advisory ID HTB23243).

Fixes 0017939
Affected Issues
0017937, 0017939
mod - admin/install.php Diff File

MantisBT: master 5e5e5750

2014-12-28 01:29

dregad


Details Diff
Install: disable step 4 (additional config info)

This fixes a security issue allowing an attacker to access the
installation script and obtain database access credentials.

Since the offending install step does not seem to be doing anything
useful, the corresponding code block has been commented out.

This vulnerability (CVE-2014-9571) was reported by High-Tech Bridge
Security Research Lab (https://www.htbridge.com/) in issue 0017937
(advisory ID HTB23243).

Fixes 0017939
Affected Issues
0017937, 0017939, 0019273
mod - admin/install.php Diff File